- Java-based RMM tooling developed as a legitimate remote support platform.
- Frequently bundled with bossware (employee-monitoring) deployments because it grants deep system access; also observed in Medusa ransomware intrusions and in incidents investigated by Arctic Wolf.
- Flagged in February 2026 Huntress / The Register reporting as a prominent tool abused for Living off the Land (LotL) persistence: its binaries carry a legitimate code signature and its communication channel is encrypted, so attacker sessions blend in with sanctioned remote-support traffic.
- `JWrapper-Remote Access`: primary remote access wrapper binary (Java-based)
- `aaa.exe`, `bbb.exe`: attacker-observed renamed copies (Medusa / Arctic Wolf intrusions)
- Legitimate service name: `SimpleHelp RAS`
- Legitimate operator domains: `*.simple-help.com`
- Attacker-observed C2 domains: `telesupportgroup[.]com`, `microuptime[.]com`
- Install path: `%APPDATA%\JWrapper-Remote Access\`
- Configuration file: `JWAppsSharedConfig\serviceconfig.xml` (beneath the install path); contains a `<ConnectTo>` element specifying the operator server address, the pivotal artifact for identifying attacker-controlled infrastructure.
- Signed by: SimpleHelp Ltd (legitimate Java-wrapped binary)
- Installer typically distributed as a self-extracting Java wrapper
- Renamed to generic filenames (`aaa.exe`, `bbb.exe`) to evade process-name-based detection.
- `serviceconfig.xml` modified post-deployment to redirect connections to attacker infrastructure.
- Used as a secondary persistence mechanism alongside other RMM tools.
- Parse `serviceconfig.xml` for unexpected `<ConnectTo>` domains during incident response; compare the value against the organization's sanctioned SimpleHelp server, since an unknown or recently changed value is the indicator.
- Alert on `JWrapper-Remote Access` processes connecting to non-`simple-help.com` endpoints.
- Hunt for JWrapper process trees spawning unusual child processes (`cmd.exe`, `powershell.exe`).
- Correlate outbound connections to `telesupportgroup[.]com` or `microuptime[.]com`.
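The following is an added example (not code from this page, from Huntress, Arctic Wolf or from SimpleHelp) that implements the two procedures above: extracting and classifying every `<ConnectTo>` value from `serviceconfig.xml`, and running the three telemetry hunts (JWrapper process talking to a non-`simple-help.com` host, JWrapper parent spawning `cmd.exe`/`powershell.exe`, any process contacting the listed C2 domains) over Sysmon-style events. The page names the `<ConnectTo>` element but not the file's full schema, so the parser accepts both a plain element and a Java-properties style `<entry key="ConnectTo">` (assumed layouts); the event dict shape, the `Remote Access.exe` binary name, and all sample data are constructed for the example. The domains are the ones named on the page.

```python
"""Triage helpers for the SimpleHelp artifacts described on this page.

Added example, not code from the page or from SimpleHelp. Two checks:
  1. parse_serviceconfig(): pull every <ConnectTo> value out of
     JWAppsSharedConfig\\serviceconfig.xml and classify the host;
  2. hunt(): run the page's hunts over Sysmon-style process/network events.
The XML layout, the event schema and all sample data are constructed
assumptions for the example; the domains are the ones named on the page.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Legitimate operator infrastructure per the page; everything else is suspect.
LEGIT_SUFFIXES = ("simple-help.com",)
# Attacker-observed C2 domains from the page (written defanged there as [.]).
KNOWN_C2 = {"telesupportgroup.com", "microuptime.com"}
# aaa.exe / bbb.exe are the renamed copies from the page; "remote access.exe"
# is an assumed name for the wrapper binary inside JWrapper-Remote Access\.
JWRAPPER_IMAGES = {"remote access.exe", "aaa.exe", "bbb.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def normalize_host(value: str) -> str:
    """Reduce 'https://host:443/', 'host:443' or 'host[.]tld' to a bare lowercase host."""
    v = value.strip().lower().replace("[.]", ".")
    if "://" in v:
        v = urlparse(v).hostname or ""
    else:
        v = v.split("/", 1)[0].split(":", 1)[0]
    return v.rstrip(".")


def classify_host(host: str) -> str:
    """'known_c2' for the page's IOCs, 'legit' for *.simple-help.com, else 'unexpected'."""
    if any(host == d or host.endswith("." + d) for d in KNOWN_C2):
        return "known_c2"
    if any(host == d or host.endswith("." + d) for d in LEGIT_SUFFIXES):
        return "legit"
    return "unexpected"


def parse_serviceconfig(xml_text: str):
    """Return [(host, verdict)] for each <ConnectTo> in serviceconfig.xml.

    The page names the element but not the full schema, so both a plain
    <ConnectTo>value</ConnectTo> and a Java-properties style
    <entry key="ConnectTo">value</entry> are accepted (assumed layouts).
    """
    results = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace
        if (tag == "ConnectTo" or elem.get("key") == "ConnectTo") and (elem.text or "").strip():
            host = normalize_host(elem.text)
            results.append((host, classify_host(host)))
    return results


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_jwrapper(image: str) -> bool:
    """True for anything under JWrapper-Remote Access\\ or one of the renamed copies."""
    return "jwrapper-remote access" in image.lower() or _basename(image) in JWRAPPER_IMAGES


def hunt(events):
    """Apply the page's three hunts to a list of event dicts; return (rule, ...) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "net":
            verdict = classify_host(normalize_host(ev["dest"]))
            if is_jwrapper(ev["image"]) and verdict != "legit":
                findings.append(("jwrapper_non_simplehelp_conn", ev["image"], ev["dest"], verdict))
            if verdict == "known_c2":  # correlate from any process, not only the RMM binary
                findings.append(("known_c2_contact", ev["image"], ev["dest"], verdict))
        elif ev["type"] == "proc":
            if is_jwrapper(ev["parent_image"]) and _basename(ev["image"]) in SHELLS:
                findings.append(("jwrapper_spawns_shell", ev["parent_image"], ev["image"], ev.get("cmdline", "")))
    return findings


# Constructed sample input: one tampered config and five telemetry events.
SAMPLE_SERVICECONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceConfig>
  <ConnectTo>microuptime.com:443</ConnectTo>
  <entry key="ConnectTo">acme.simple-help.com</entry>
</ServiceConfig>"""

RMM_DIR = "C:\\Users\\bob\\AppData\\Roaming\\JWrapper-Remote Access\\"
SAMPLE_EVENTS = [
    {"type": "net", "image": RMM_DIR + "aaa.exe", "dest": "microuptime.com"},
    {"type": "net", "image": RMM_DIR + "Remote Access.exe", "dest": "acme.simple-help.com"},
    {"type": "proc", "parent_image": RMM_DIR + "Remote Access.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "net", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest": "telesupportgroup.com"},
    {"type": "proc", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for host, verdict in parse_serviceconfig(SAMPLE_SERVICECONFIG):
        print(f"ConnectTo {host}: {verdict}")
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data, the tampered config yields one `known_c2` and one `legit` `<ConnectTo>`, and the hunt returns four findings: the renamed `aaa.exe` reaching a listed C2 domain (fires both the JWrapper rule and the correlation rule), `Remote Access.exe` spawning `cmd.exe`, and an unrelated browser process contacting the second C2 domain. An `unexpected` verdict is a lead, not a conviction: an organization running its own SimpleHelp server will legitimately point `<ConnectTo>` at a host outside `simple-help.com`, so extend `LEGIT_SUFFIXES` with the sanctioned server before treating that verdict as malicious.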