reGeorg
ID: S1187
ⓘ
Type: MALWARE
ⓘ
Platforms: Network Devices, Windows, macOS, Linux
Version: 1.0
Created: 06 January 2025
Last Modified: 15 April 2025
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
reGeorg can use HTTP to tunnel connections in and out of targeted networks.[1] |
| Enterprise | T1059 | .006 | Command and Scripting Interpreter: Python | |
| Enterprise | T1105 | Ingress Tool Transfer |
reGeorg has the ability to download files to targeted systems.[3] |
|
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1572 | Protocol Tunneling |
reGeorg can tunnel TCP sessions including RDP, SSH, and SMB through HTTP.[1][4][5] |
|
| Enterprise | T1090 | Proxy |
reGeorg can establish an HTTP or SOCKS proxy to tunnel data in and out of a network.[2][1][4] |
|
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol | |
| .002 | Remote Services: SMB/Windows Admin Shares | |||
| .004 | Remote Services: SSH |
reGeorg can communicate using SSH through an HTTP tunnel.[1] |
||
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
reGeorg is a web shell that has been installed on exposed web servers for access to victim environments.[4][5] |
Groups That Use This Software
References
- Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- Paganini, P. (2023, October 27). France agency ANSSI warns of Russia-linked APT28 attacks on French entities. Retrieved December 3, 2024.