
S0508 ngrok

ngrok is a legitimate reverse proxy tool that creates an outbound, TLS-protected tunnel from a host to the ngrok service, exposing services that sit behind firewalls or NAT, or on local machines with no public IP, under a public ngrok hostname. Because the connection is initiated from inside the network and terminates at a well-known web service, it is a convenient way to bypass ingress filtering; ngrok has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration. [1][4][2][3]

ID: S0508
Associated Names: (none listed)
Type: TOOL
Version: 1.4
Created: 14 September 2023
Last Modified: 16 October 2025

Techniques Used

Domain | ID | Name | Use
enterprise | T1568 | Dynamic Resolution | (parent technique; see sub-technique below)
enterprise | T1568.002 | Domain Generation Algorithms | ngrok can give C2 servers DGA-like resilience: the tunnel is reachable through random ngrok URL strings that change every 12 hours, so a single blocked hostname does not cut off the operator. [1]
enterprise | T1567 | Exfiltration Over Web Service | ngrok has been used by threat actors to configure servers for data exfiltration through the ngrok service. [5]
enterprise | T1572 | Protocol Tunneling | ngrok can tunnel RDP and other services over the internet inside its encrypted tunnel, exposing an internal port through an ngrok endpoint. [4][2][5][6]
enterprise | T1090 | Proxy | ngrok can be used to proxy connections to machines located behind NAT or firewalls, since the tunnel is opened outbound from the protected host. [5][1]
enterprise | T1102 | Web Service | ngrok has been used by threat actors to proxy C2 connections through ngrok service subdomains, blending C2 traffic in with legitimate use of the service. [1]
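The tunnelling, proxying and 12-hour subdomain rotation behaviours described in the table above are what a detection engineer would hunt for. The following is an added example, not ATT&CK's or ngrok's own code, written in Python and run over a few constructed proxy/Sysmon-style log lines. It flags hostnames under ngrok's tunnel domains (the suffix list is an assumption to be verified against current ngrok documentation), ngrok CLI invocations that expose a local port (with `tcp 3389` called out as RDP, per T1572), and internal sources that talk to several distinct ngrok subdomains (the rotation noted under T1568.002). The log format, timestamps and IP addresses are constructed for the example.

```python
"""Detection example for ngrok tunnel activity in proxy/DNS logs and process
command lines. Added illustration; not ATT&CK, MITRE or ngrok code."""
import re
from typing import Dict, List, NamedTuple

# Domains under which ngrok hands out public tunnel hostnames. Analyst-maintained
# list (assumption): check it against current ngrok documentation before use.
NGROK_TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app", "ngrok.dev")

# Matches a tunnel hostname such as 1a2b-203-0-113-7.ngrok-free.app or abcd1234.ngrok.io
HOST_RE = re.compile(
    r"(?i)\b([a-z0-9-]+\.(?:" + "|".join(re.escape(s) for s in NGROK_TUNNEL_SUFFIXES) + r"))\b"
)

# ngrok CLI usage that exposes a local port (T1572): "ngrok tcp 3389", "ngrok http 80",
# optionally with a local address prefix such as 127.0.0.1:3389.
CMD_RE = re.compile(r"(?i)\bngrok(?:\.exe)?\s+(tcp|http|tls)\s+(?:[\w.:-]+:)?(\d{1,5})")

# Source host of a proxy/DNS record in the constructed log format used below.
SRC_RE = re.compile(r"\bsrc=(\S+)")


class Finding(NamedTuple):
    line_no: int
    technique: str
    detail: str


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per ngrok hostname or port-exposing CLI invocation seen."""
    findings: List[Finding] = []
    for i, line in enumerate(lines, 1):
        host = HOST_RE.search(line)
        if host:
            findings.append(Finding(i, "T1102/T1090", f"ngrok tunnel host {host.group(1).lower()}"))
        cmd = CMD_RE.search(line)
        if cmd:
            proto, port = cmd.group(1).lower(), int(cmd.group(2))
            label = "T1572 (RDP)" if proto == "tcp" and port == 3389 else "T1572"
            findings.append(Finding(i, label, f"ngrok {proto} tunnel exposing local port {port}"))
    return findings


def subdomain_churn(lines: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Map each internal source to the distinct ngrok hostnames it contacted, keeping
    only sources at or above `threshold`: one host cycling through several random
    ngrok subdomains is the 12-hour rotation behaviour noted under T1568.002."""
    seen: Dict[str, set] = {}
    for line in lines:
        host, src = HOST_RE.search(line), SRC_RE.search(line)
        if host and src:
            seen.setdefault(src.group(1), set()).add(host.group(1).lower())
    return {src: sorted(hosts) for src, hosts in seen.items() if len(hosts) >= threshold}


# Constructed sample log lines (not real telemetry): two proxy records from the same
# workstation to different ngrok subdomains ~12 hours apart, a benign DNS query, a
# Sysmon process-creation record launching ngrok against RDP, and benign proxy traffic.
SAMPLE_LOGS = [
    "2024-03-01T08:02:11Z proxy src=10.0.5.21 dst=1a2b-203-0-113-7.ngrok-free.app:443 bytes=18432",
    "2024-03-01T08:03:40Z dns src=10.0.5.21 query=contoso.com",
    "2024-03-01T20:15:02Z proxy src=10.0.5.21 dst=9f8e-203-0-113-7.ngrok-free.app:443 bytes=22981",
    r"2024-03-02T08:31:55Z sysmon EventID=1 Image=C:\Users\bob\Downloads\ngrok.exe CommandLine=ngrok.exe tcp 3389",
    "2024-03-02T09:00:00Z proxy src=10.0.7.3 dst=updates.example.com:443 bytes=512",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.technique}: {f.detail}")
    for src, hosts in subdomain_churn(SAMPLE_LOGS).items():
        print(f"{src} rotated through {len(hosts)} ngrok subdomains: {', '.join(hosts)}")
```

In a real deployment the hostname match should also be applied to DNS query logs and TLS SNI, since ngrok traffic is HTTPS to the ngrok edge and a proxy may only see the CONNECT host; the churn check is the one that separates a developer's single long-lived tunnel from an operator relying on rotation.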

Groups That Use This Software

ID | Name | References
G0049 | OilRig | [8]
G1003 | Ember Bear | Ember Bear used ngrok during intrusions against Ukrainian victims. [9]
G1015 | Scattered Spider | Scattered Spider has used ngrok to create secure tunnels to remote web servers. [12][10][11]
G0140 | LazyScripter | [3]
G0117 | Fox Kitten | [13]

References


  1. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
  2. Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims' systems. Retrieved September 15, 2020.
  3. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  4. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
  5. Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.
  6. Borja, A., Camba, A., et al. (2020, September 14). Analysis of a Convoluted Attack Chain Involving Ngrok. Retrieved September 15, 2020.
  7. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025.
  8. Fahmy, M., et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  9. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  10. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.
  11. Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.
  12. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  13. Orleans, A. (2020, August 31). Who Is PIONEER KITTEN? Retrieved December 21, 2020.