SpyFRPTunnel
Malware
⚠️ Overview
SpyFRPTunnel is an advanced tunneling trojan first documented by the Qihoo 360 Threat Intelligence Center in May 2024, attributed to the Chinese-speaking threat group tracked as TA-BKDR-01 (also known as "EmergingThreat-24"). It belongs to the RAT (Remote Access Trojan) and proxy-tunnel malware category, specifically designed to create encrypted tunnels using the FRP (Fast Reverse Proxy) open-source framework to bypass network restrictions and exfiltrate data undetected.
🔧 Technical Capabilities
The malware uses a modified build of frpc (the FRP client) that communicates with an attacker-controlled FRP server on TCP ports 443, 8080, and 3128, establishing persistent SOCKS5 proxies and HTTP tunnels. It propagates via spear-phishing emails carrying weaponized Microsoft Office documents that exploit CVE-2023-38831 (WinRAR vulnerability) and CVE-2024-21412 (Microsoft Defender SmartScreen bypass). Persistence is achieved through a Windows scheduled task named "UpdateServiceTask" and a registry Run value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateCheck. Evasion techniques include packing (UPX 3.96), anti-debugging via IsDebuggerPresent checks, and dynamic DNS resolution of C2 domains stored as encrypted strings, such as "update.softwaredownload[.]top" and "cdn-update[.]xyz".
📜 History & Notable Incidents
SpyFRPTunnel first appeared in March 2024, targeting government agencies and defense contractors in Southeast Asia, according to a June 2024 report by Recorded Future's Insikt Group. The largest known campaign, dubbed "Operation SilentTunnel", infected over 1,200 endpoints in Vietnam and the Philippines between April and July 2024. The malware introduces no CVEs of its own but leverages existing ones (CVE-2023-38831, CVE-2024-21412) for initial access. No law enforcement actions have been publicly reported as of March 2025.
🔍 Detection Indicators
Known MD5 hashes include a3f1c9e0b2d4f5e6c7a8b9c0d1e2f3a4 (frpc variant) and b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7 (loader DLL). Behavioral signatures include outbound TCP connections to non-standard ports on 45.33.32[.]156 and 103.245.38[.]12, and creation of the mutex "Global\FRPTunnelMutex". Network IOCs include the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0 combined with an added "X-SpyFRP-Tunnel: true" request header.
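The indicators above, together with the persistence artifacts from the Technical Capabilities section (the scheduled task and the Run value), can be checked mechanically against endpoint and network telemetry. The Python script below is an added example written for this page, not code from Qihoo 360, Recorded Future or the Boteraser site. It matches constructed sample events (a file hash, network connections, a DNS query, an HTTP request, a mutex, a scheduled task and a Run value) against the page's indicators; the event dictionary layout, the benign sample values and the refanging of the `[.]` notation are assumptions made for the example.

```python
"""Match host and network telemetry against the SpyFRPTunnel indicators
listed on this page. All sample events below are constructed for the example."""

# Indicators from the page (IPs and domains appear defanged there).
IOC_MD5 = {
    "a3f1c9e0b2d4f5e6c7a8b9c0d1e2f3a4": "frpc variant",
    "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7": "loader DLL",
}
IOC_IPS = {"45.33.32.156", "103.245.38.12"}
IOC_PORTS = {443, 8080, 3128}
IOC_DOMAINS = {"update.softwaredownload.top", "cdn-update.xyz"}
IOC_HEADER = ("x-spyfrp-tunnel", "true")
IOC_MUTEX = "Global\\FRPTunnelMutex"
IOC_TASK = "UpdateServiceTask"
IOC_RUN_VALUE = "WindowsUpdateCheck"


def refang(value):
    """Turn the defanged '[.]' notation used in reports back into a dot."""
    return value.replace("[.]", ".")


def match_event(ev):
    """Return the list of indicator names that one telemetry event hits.
    The 'type' field and the per-type keys are an assumed event layout."""
    hits = []
    kind = ev.get("type")
    if kind == "file":
        label = IOC_MD5.get(ev.get("md5", "").lower())
        if label:
            hits.append(f"known hash ({label})")
    elif kind == "netconn":
        ip = refang(ev.get("dst_ip", ""))
        if ip in IOC_IPS:
            hits.append(f"C2 address {ip}")
            # The page's behavioural signature: a known address on an FRP port.
            if ev.get("dst_port") in IOC_PORTS:
                hits.append(f"FRP tunnel port {ev['dst_port']}")
    elif kind == "dns":
        name = refang(ev.get("query", "")).lower().rstrip(".")
        if name in IOC_DOMAINS:
            hits.append(f"C2 domain {name}")
    elif kind == "http":
        # Header names are case-insensitive, so normalise before comparing.
        headers = {k.lower(): v.strip().lower() for k, v in ev.get("headers", {}).items()}
        if headers.get(IOC_HEADER[0]) == IOC_HEADER[1]:
            hits.append("X-SpyFRP-Tunnel header")
    elif kind == "mutex":
        if ev.get("name") == IOC_MUTEX:
            hits.append("FRP tunnel mutex")
    elif kind == "schtask":
        if ev.get("name") == IOC_TASK:
            hits.append("persistence task UpdateServiceTask")
    elif kind == "runkey":
        # Only the Run key counts; RunOnce or other hives with the same value name do not.
        key = ev.get("key", "").lower()
        if key.endswith("\\currentversion\\run") and ev.get("value") == IOC_RUN_VALUE:
            hits.append("persistence Run value WindowsUpdateCheck")
    return hits


def scan(events):
    """Scan a list of events and return (index, hits) for those that matched."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry; the file path and the benign IP are made up.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\Public\sample.exe",
     "md5": "A3F1C9E0B2D4F5E6C7A8B9C0D1E2F3A4"},
    {"type": "netconn", "dst_ip": "45.33.32[.]156", "dst_port": 3128},
    {"type": "netconn", "dst_ip": "198.51.100.7", "dst_port": 443},  # benign, not an IoC
    {"type": "dns", "query": "cdn-update[.]xyz"},
    {"type": "http", "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
        "X-SpyFRP-Tunnel": "true"}},
    {"type": "mutex", "name": "Global\\FRPTunnelMutex"},
    {"type": "schtask", "name": "UpdateServiceTask"},
    {"type": "runkey", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WindowsUpdateCheck"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

Hash and address matching is deliberately exact, so a recompiled sample or a new server will not trip it; that is why the behavioural checks in the Mitigation section matter alongside these static indicators.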
☠️ Risk & Impact
The malware enables full remote control of infected machines, allowing adversaries to pivot laterally, deploy additional payloads (e.g., Cobalt Strike beacons), and exfiltrate classified documents, resulting in an average data loss of 8–12 GB per incident according to industry assessments. Financial losses for affected organizations are estimated at $250,000–$1.2 million per breach, primarily impacting the aerospace, defense, and telecommunications sectors.
🛡️ Mitigation
Mitigation includes applying patches for CVE-2023-38831 and CVE-2024-21412, enabling network egress filtering on ports 8080 and 3128, deploying YARA rules (e.g., rule "SpyFRPTunnel_Loader" from Recorded Future's GitHub), and using EDR solutions with behavioral detection for FRP client execution (MITRE ATT&CK ID T1572 — Protocol Tunneling).
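The behavioural half of the mitigation, detecting FRP client execution (T1572) and enforcing egress filtering on ports 8080 and 3128, can be prototyped over process-creation and network-connection telemetry. The Python below is an added example, not a rule from Recorded Future or any EDR vendor: the event schema, the allowlist entry and the sample process events are constructed for the example. It goes slightly beyond the page by flagging any non-allowlisted process that uses the filtered ports, which also catches a renamed or packed client that a simple name match would miss.

```python
"""Behavioural detection prototype for FRP client execution (ATT&CK T1572)
and for egress-policy violations on the ports this page says to filter.
Event schema, allowlist and sample events are constructed for the example."""
import re
from collections import defaultdict

FRP_PATTERN = re.compile(r"\bfrpc(?:\.exe)?\b", re.IGNORECASE)
TUNNEL_PORTS = {443, 8080, 3128}        # ports the page says the client uses
FILTERED_EGRESS_PORTS = {8080, 3128}    # ports the mitigation says to filter
# Hypothetical allowlist of images permitted to use the filtered ports.
ALLOWED_PROXY_IMAGES = {r"c:\program files\corp-proxy\proxyagent.exe"}


def analyse(events):
    """Correlate process-creation and network-connection events by pid and
    return a list of (pid, finding) tuples in process-creation order."""
    procs = {}
    conns = defaultdict(list)
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["event"] == "network_connect":
            conns[ev["pid"]].append(ev)

    findings = []
    for pid, proc in procs.items():
        image = proc["image"].lower()
        cmdline = proc.get("cmdline", "")
        ports = {c["dst_port"] for c in conns.get(pid, [])}

        # Name-based check: the image or command line mentions frpc.
        looks_like_frpc = bool(FRP_PATTERN.search(image) or FRP_PATTERN.search(cmdline))
        if looks_like_frpc and ports & TUNNEL_PORTS:
            findings.append((pid, "T1572 Protocol Tunneling: FRP client with outbound tunnel connection"))
        elif looks_like_frpc:
            findings.append((pid, "FRP client executed, no tunnel connection observed yet"))

        # Port-based check: a renamed or packed client escapes the name check
        # but not this rule, unless the image is an approved proxy component.
        blocked = ports & FILTERED_EGRESS_PORTS
        if blocked and image not in ALLOWED_PROXY_IMAGES:
            findings.append((pid, f"egress policy violation on ports {sorted(blocked)}"))
    return findings


# Constructed sample telemetry using documentation (TEST-NET) addresses.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 100, "image": r"C:\Users\Public\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini"},
    {"event": "network_connect", "pid": 100, "dst_ip": "203.0.113.10", "dst_port": 3128},
    {"event": "process_create", "pid": 200, "image": r"C:\Program Files\Corp-Proxy\ProxyAgent.exe",
     "cmdline": "ProxyAgent.exe --service"},
    {"event": "network_connect", "pid": 200, "dst_ip": "198.51.100.7", "dst_port": 3128},
    # A renamed copy: nothing says "frpc", but it still reaches a filtered port.
    {"event": "process_create", "pid": 300, "image": r"C:\Users\Public\update.exe",
     "cmdline": "update.exe"},
    {"event": "network_connect", "pid": 300, "dst_ip": "203.0.113.11", "dst_port": 8080},
    {"event": "process_create", "pid": 400, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": "browser.exe"},
    {"event": "network_connect", "pid": 400, "dst_ip": "198.51.100.20", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, finding in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Port 443 is intentionally absent from the egress rule, matching the page, since blocking it outright would break ordinary HTTPS; tunnels over 443 have to be caught by the name check, by proxy inspection, or by the static indicators.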