reGeorg
⚠️ Overview
reGeorg is an open-source tunnelling tool released on GitHub in 2014 by the security consultancy SensePost (github.com/sensepost/reGeorg). It was written for penetration testers, but it is routinely abused by advanced persistent threat (APT) groups and is therefore catalogued here as malicious proxy tooling: once a small web shell-style script is planted on a compromised web server, reGeorg turns that server into a SOCKS proxy and relays arbitrary TCP traffic through it over plain HTTP (or HTTPS, if the site already serves it), enabling lateral movement into the internal network and data exfiltration. The tool adds no encryption of its own; the "encrypted tunnel" sometimes described in reports is simply the site's existing TLS.
🔧 Technical Capabilities
reGeorg has two halves. The server half is a small script, shipped in the repository as tunnel.ashx, tunnel.aspx, tunnel.jsp and tunnel.php (plus a no-socket PHP build, a Tomcat 5 JSP and a Node.js variant), that the attacker writes into the web root of a server they already control. The client half, reGeorgSocksProxy.py, runs on the attacker's machine, exposes a local SOCKS5 listener, and translates every SOCKS connection into HTTP requests to that script (MITRE ATT&CK T1090 – Proxy, delivered through T1505.003 – Web Shell). The script opens the real TCP socket from the web server to the requested internal host, so arbitrary TCP protocols (RDP, SSH, SMB, database ports) reach segments the attacker's own IP could never route to, while the perimeter firewall sees only inbound web traffic to a host it already allows.

The wire protocol is plain and worth knowing for detection. A bare GET to the script returns the banner "Georg says, 'All seems fine'", which the client uses to confirm the drop worked. After that the client sends POST requests whose query string carries the verb: cmd=connect&target=<host>&port=<port> opens a socket (the same values are mirrored in X-CMD, X-TARGET and X-PORT request headers), cmd=forward pushes a chunk of bytes in the request body, cmd=read pulls buffered bytes back in the response body, and cmd=disconnect closes the socket. The script answers with an X-STATUS header of OK or FAIL and, on failure, an X-ERROR header, and it keeps the open socket in the web session, so the client replays the Set-Cookie it received and a live tunnel shows up as one client sending hundreds of small requests to one script.

reGeorg has no persistence mechanism of its own: the tunnel exists only while the script stays on disk and the client keeps polling. Operators therefore rename the script, bury it in an innocuous directory, obfuscate its source (for example by base64-encoding the body), and set a legitimate-looking User-Agent such as "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" on the client. No registry keys, services, scheduled tasks or mutexes are involved; the only host artefact is the file in the web directory.
📜 History & Notable Incidents
reGeorg began showing up in public threat reports around 2015, a year after its release. The best-known case is Operation Cloud Hopper (2016–2017), in which APT10 (Stone Panda) targeted IT managed service providers (MSPs) worldwide, as documented by PwC and BAE Systems; it has also been reported in campaigns attributed to APT27 (Emissary Panda) and in intrusions against Japanese defense and technology organisations. No CVEs are associated with reGeorg itself, because it is not an exploit: the script is dropped only after the attacker already has write access to the web root, typically obtained through an arbitrary file upload, an unauthenticated remote code execution flaw (for example CVE-2017-10271 in Oracle WebLogic), or an SQL injection that allows writing files to disk.
🔍 Detection Indicators
On the network, the clearest indicator is the request pattern rather than the file name: a single external IP making hundreds of small POST requests to one server-side script, each carrying a cmd= query parameter whose value is connect, read, forward or disconnect (usually with matching X-CMD, X-TARGET and X-PORT headers), including connect requests that name internal hosts and ports such as 3389 or 445. A bare GET to the script that returns the string Georg says, 'All seems fine' is the tunnel's health check and is easy to alert on in proxy or IDS logs that capture response bodies. The stock scripts are named tunnel.jsp, tunnel.aspx, tunnel.ashx and tunnel.php, but attackers routinely rename them, so a file named reGeorg.jsp or tunnel.php is a bonus signal, not a requirement. Outdated User-Agent strings from an IP that otherwise never browses the site are a weaker, supporting indicator. Known SHA256 hashes are not widely published and change with every trivial edit to the script; the CISA Malware Analysis Report (MAR-xxxxxx) lists specific script variants. On the host, the only artefact is the script file itself, so file-integrity monitoring of the web root is the corresponding host-side detection.
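The request pattern described above, together with the cmd= protocol laid out under Technical Capabilities, can be pulled out of ordinary web-server access logs. The following is an added example written for this page, not code from the reGeorg project or from any vendor: the log lines are constructed, the script path, client IPs and threshold are assumptions, and the query-string layout is the one the stock reGeorg client sends.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Verbs the stock reGeorg client places in the "cmd" query parameter.
REGEORG_CMDS = {"connect", "read", "forward", "disconnect"}

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not captured traffic). 203.0.113.7 drives a tunnel to
# an internal RDP host through /images/tunnel.jsp; the other two clients are noise.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = "\n".join(
    f'{ip} - - [10/Mar/2024:10:01:{s:02d} +0000] "{m} {t} HTTP/1.1" 200 {n} "-" "{ua}"'
    for ip, s, m, t, n, ua in [
        ("203.0.113.7", 2, "GET", "/images/tunnel.jsp", 38, UA),
        ("203.0.113.7", 3, "POST", "/images/tunnel.jsp?cmd=connect&target=10.0.0.5&port=3389", 0, UA),
        ("203.0.113.7", 3, "POST", "/images/tunnel.jsp?cmd=forward", 0, UA),
        ("203.0.113.7", 4, "POST", "/images/tunnel.jsp?cmd=read", 1460, UA),
        ("203.0.113.7", 4, "POST", "/images/tunnel.jsp?cmd=forward", 0, UA),
        ("203.0.113.7", 5, "POST", "/images/tunnel.jsp?cmd=read", 8192, UA),
        ("203.0.113.7", 5, "POST", "/images/tunnel.jsp?cmd=read", 512, UA),
        ("203.0.113.7", 9, "POST", "/images/tunnel.jsp?cmd=disconnect", 0, UA),
        ("198.51.100.9", 20, "GET", "/index.php?cmd=view&id=7", 5120, "Mozilla/5.0"),
        ("192.0.2.4", 30, "POST", "/images/tunnel.jsp?cmd=read", 0, UA),
    ]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # First value of each query parameter; reGeorg never repeats a key.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_regeorg_tunnels(lines, min_requests=5):
    """Group reGeorg-style requests by (client IP, script path) and report tunnels.

    A tunnel is reported when one client has sent a connect to a script and at
    least one read/forward to the same script, and the total volume of reGeorg
    verbs reaches min_requests (an assumed threshold; raise it on busy sites).
    """
    per_pair = defaultdict(lambda: {"commands": Counter(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = rec["query"].get("cmd", "").lower()
        if cmd not in REGEORG_CMDS:
            continue  # "cmd=view" on a CMS page is not reGeorg
        entry = per_pair[(rec["ip"], rec["path"])]
        entry["commands"][cmd] += 1
        if cmd == "connect" and "target" in rec["query"]:
            # Internal hosts the attacker reached: the scoping list for IR.
            entry["targets"].add(f'{rec["query"]["target"]}:{rec["query"].get("port", "?")}')

    findings = []
    for (ip, path), entry in per_pair.items():
        cmds = entry["commands"]
        total = sum(cmds.values())
        if cmds["connect"] >= 1 and cmds["read"] + cmds["forward"] >= 1 and total >= min_requests:
            findings.append({
                "client": ip, "path": path, "total": total,
                "commands": dict(cmds), "targets": sorted(entry["targets"]),
            })
    return sorted(findings, key=lambda f: -f["total"])


if __name__ == "__main__":
    for hit in find_regeorg_tunnels(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it over a real combined-format log by passing the file's lines instead of SAMPLE_LOG. It deliberately keys on the query string because that is what access logs record; the X-CMD headers and the Georg says banner live in request headers and response bodies that a standard access log never sees, so those belong in a WAF or IDS rule rather than here.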
☠️ Risk & Impact
reGeorg enables attackers to pivot from a compromised web server into internal networks, facilitating lateral movement, credential theft, and exfiltration of sensitive data. Affected sectors include managed service providers, government agencies, defense contractors, and technology firms, with breaches often leading to financial losses from data theft and remediation costs. The tool's use in APT campaigns has been linked to long‑term espionage operations.
🛡️ Mitigation
reGeorg is post-exploitation tooling, so the first mitigation is denying the foothold: patch the web application, server software and plug-ins promptly, and remove or tightly restrict any upload feature that can write executable scripts into the web root. Against the tool itself, the most effective control is egress restriction on the web server: the application worker (w3wp.exe, java, php-fpm, node) has no business opening TCP connections to internal RDP, SMB, SSH or database ports, so block that at the host firewall and the segment boundary, and have EDR alert when the web-server process initiates such connections. Detect a planted script with file-integrity monitoring of web directories (alert on any new or modified .php, .jsp, .aspx or .ashx file) and with WAF or IDS rules on the request pattern (a cmd= parameter taking the values connect, read, forward or disconnect, and responses containing Georg says). Run the web server under a least-privilege account so a dropped script cannot read credentials or other sensitive files, and segment the network so that a compromised DMZ host can reach as little as possible.
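One way to implement the file-integrity check above, as an added example that is not part of this page or of any vendor product: record a manifest of script hashes from a known-good web root, later diff the live root against it, and grep anything new or changed for the plaintext markers the stock reGeorg scripts carry. The extension list, the marker list and the throwaway web root built in demo() are assumptions; an attacker who rewrites the script defeats the marker scan but not the hash diff.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side script extensions worth tracking (assumed list; extend per platform).
SCRIPT_EXTS = {".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".asmx"}

# Plaintext strings present in the unmodified reGeorg tunnel scripts. A renamed
# or obfuscated copy may contain none of them, so the hash diff is the primary check.
REGEORG_MARKERS = ("Georg says", "X-CMD", "X-TARGET")


def build_manifest(root):
    """Map each script file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def scan_markers(path):
    """Return the reGeorg markers found in a file, in REGEORG_MARKERS order."""
    data = Path(path).read_bytes()
    return [m for m in REGEORG_MARKERS if m.encode() in data]


def diff_manifest(root, baseline):
    """Compare the live web root against a baseline manifest.

    Reports new and modified scripts (with any reGeorg markers they contain) and
    deleted scripts, sorted by path.
    """
    current = build_manifest(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "modified"
        else:
            continue
        findings.append({"file": rel, "status": status,
                         "markers": scan_markers(Path(root) / rel)})
    for rel in baseline.keys() - current.keys():
        findings.append({"file": rel, "status": "deleted", "markers": []})
    return sorted(findings, key=lambda f: f["file"])


def demo():
    """Constructed scenario: baseline a clean root, then plant a tunnel script."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text("<?php echo 'hello'; ?>")
        baseline = build_manifest(root)

        # Attacker drops a reGeorg-like JSP (stand-in text that echoes the stock
        # banner and header name) and tampers with an existing page.
        Path(root, "images").mkdir()
        Path(root, "images", "tunnel.jsp").write_text(
            '<% if (request.getHeader("X-CMD") == null) '
            '{ out.print("Georg says, \'All seems fine\'"); } %>'
        )
        Path(root, "index.php").write_text("<?php echo 'hello'; eval($_POST['x']); ?>")
        Path(root, "logo.png").write_bytes(b"\x89PNG")  # not a script, ignored

        return diff_manifest(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production, write the baseline manifest to a location the web server's account cannot modify and re-run the diff from a scheduled job or your FIM agent; a "new" script with no markers still deserves a look, because an attacker who reads this page will strip them.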
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.