FRP
FRP (Fast Reverse Proxy) is a legitimate open-source reverse proxy and tunneling utility that exposes local services sitting behind NAT or a firewall through an externally reachable server (frps) that the client (frpc) dials out to. In intrusion activity it is repeatedly used as dual-use tooling to establish reverse proxy tunnels, maintain persistent remote access, bypass network controls and firewalls, and proxy traffic such as RDP and command-and-control. The sources behind this page note that FRP supports TCP, UDP, KCP, QUIC and TCP stream multiplexing, can reach its server through an outbound proxy, reads JSON configuration files (the TOML form, frpc.toml, appears in the indicators below), and can be configured to require TLS.
Observed malicious use spans both Windows and Linux and includes stock, modified, custom-compiled, and in-memory-loaded builds. Reported behaviours include tunneling RDP for persistent access, exposing local servers to the public internet, creating encrypted tunnels, and acting as the reverse-tunnel component alongside other tooling such as GOST, Microsocks, Sliver, and VShell. Multiple reports describe modified FRP clients with hard-coded C2 callbacks or custom wrappers, including a Go DLL build of FRP v0.65.0 manually mapped into memory, and custom Windows and Linux builds used to proxy RDP traffic and raw TCP shells.
Threat actors and clusters explicitly associated with FRP in the sources include Iron Tiger, Webworm, TeamPCP/PCPcat, Volt Typhoon, APT35, Magic Hound (ATT&CK lists APT35 as an alias of Magic Hound, so these two entries refer to one intrusion set), Fox Kitten, Blue Mockingbird, and the China-linked cluster CL-UNK-1068. Additional reporting notes use by Iranian actors targeting U.S. organizations, by actors compromising cryptocurrency organizations, and in GeoServer exploitation chains where SideWalk used FRP as a plugin. Targeted environments and sectors mentioned in connection with FRP usage include government, critical infrastructure, telecommunications, aviation, energy, pharmaceuticals, technology, law enforcement, healthcare, financial/insurance, cloud/container infrastructure, cryptocurrency organizations, and internet-facing servers.
Indicators and configuration details stated directly in the sources: FRP client version 0.37.1 in one intrusion; FRP v0.65.0 in another; a server port of 443 with TLS enabled and local_port 3389 in one analysed configuration; and, in the CTRL toolkit, C:\ProgramData\frp\frpc.toml configured with serverAddr hui228.ru, serverPort 7000, auth token ADAD, and proxy definitions for RDP and a TCP shell. The sources also cite FRP-related filenames and masquerading examples such as svchost.exe, dllhost.dll, cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe; several of these collide with or closely imitate legitimate Windows binaries (note WmiPreSV.exe against the genuine WmiPrvSE.exe), so hunt on full path, hash, signer and parent process rather than on filename alone. In CL-UNK-1068 activity, custom-compiled FRP samples reportedly used the authentication token frpforzhangwei, a common password reported as f*ckroot123, and proxy naming conventions such as 10014-win-nic-32-v and 20012-linux-64-V.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in the wild, and in several malware campaigns such as the emerald and nuts campaigns. ... CVE-2025-55182, which is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC) used in React.js, Next.js, and related frameworks.
Groups observed using it
9 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We found the FRP tool being used on a Linux host, which is similar to Avast's findings in a report that they published on the Iron Tiger threat actor. The FRP tool that we analyzed was a modified version, which was possibly copied from GitHub.
While the group continued to use existing proxy solutions, specifically the Go-written iox (port forwarding and intranet proxy tool) and frp (fast reverse proxy)
FRP (Fast Reverse Proxy) is used to create reverse proxy tunnels, providing persistent remote access to compromised systems...
...using a mix of custom and public tools such as Microsocks, FRP, FScan, and Responder...
FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.
"a Fast Reverse Proxy (FRP) that can be used to reveal servers situated behind a network firewall or obscured through Network Address Translation (NAT)"
Blue Mockingbird has used frp... to establish SOCKS proxy connections.
Further, to maintain command-and-control (C2) access and bypass network controls, the actor also deploys modified builds of Fast Reverse Proxy (FRP)...
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
MirrorFace has used tools including the Secure Copy Protocol (SCP) client from PuTTY and Cobalt Strike. During Operation AkaiRyū, MirrorFace deployed multiple publicly available tools including PuTTY, FRP, and Rubeus.
Initial Access
2 techniques
Every deployed Yarbo robot runs a Greengrass component named com.yarbo.frpc (version 1.0.17) that establishes and maintains a persistent outbound TCP tunnel to a remote server... configured to expose the robot's local SSH service to the internet.
The primary payload, tplink_stager.sh, was designed for post-exploitation of CVE-2024-21833, an OS command injection vulnerability affecting TP-Link Archer and Deco series routers.
Execution
4 techniques
The FRP client is deployed with a self-installing persistence mechanism via the start.sh launcher... installs itself into crontab... The FRP client is restarted by cron every minute if the process dies.
The FRP client is deployed with a self-installing persistence mechanism via the start.sh launcher: # On first execution, installs itself into crontab (crontab -l ; echo " * * * * * bash $SCRIPT_PATH " ) | crontab -
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild... a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC)... An attacker can send malicious data that executes arbitrary code on your servers before any authentication occurs.
Persistence
3 techniques
The FRP client is deployed with a self-installing persistence mechanism via the start.sh launcher... installs itself into crontab... The FRP client is restarted by cron every minute if the process dies.
Every deployed Yarbo robot runs a Greengrass component named com.yarbo.frpc (version 1.0.17) that establishes and maintains a persistent outbound TCP tunnel to a remote server... configured to expose the robot's local SSH service to the internet.
Privilege Escalation
2 techniques
The FRP client is deployed with a self-installing persistence mechanism via the start.sh launcher... installs itself into crontab... The FRP client is restarted by cron every minute if the process dies.
Stealth
3 techniques
"packed using Ultimate Packer for Executables (UPX)"; "UPX compressed"; PE sections include "UPX0/UPX1/UPX2"
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Discovery
1 technique
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
Lateral Movement
3 techniques
"port 888 handles reverse tunnel connections… sets up… FRP reverse tunneling tools… allow attackers to maintain access even after the initial vulnerability is patched."
Remote desktop access: automated patching of termsrv.dll and installation of RDP Wrapper to enable unlimited concurrent RDP sessions...
Connect to the FRP server, send the Proxy command including the robot SN to the FRP server, which then routes the connection to that robot's local port 22 (SSH), and log in as root... With PermitRootLogin yes, anyone with a serial number has persistent root shell access to that robot from anywhere on the internet.
Command and Control
11 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
The tool used is FRP (Fast Reverse Proxy), an open-source Chinese-developed NAT traversal utility... configured to expose the robot's local SSH service to the internet.
"an open source Fast Reverse Proxy Client (FRPC) tool used to open a reverse proxy between the compromised system and a Volt Typhoon C2 server"; "designed to open a reverse proxy between the compromised system and the TA's C2 server"; "[plugin_socks5] ... plugin = socks5 ... remote_port = 1080"
The FRP client can be configured to connect to the server through a proxy. The server component of SystemBC has used SOCKS5 for C2 communication. Keydnap uses a copy of tor2web proxy for HTTPS communications.
During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
Downloading microsocks binaries, GOST, FRP, and scanner modules from C2.
ShadowLink on port 7443; TeamPCP staging on 666, FRP on 888.
TeamPCP FRP reverse tunnel from victim SOCKS5 to C2:890.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration
1 technique
Because the robot connects to the owner's Wi-Fi, an attacker with a root shell can... Exfiltrate data: use the robot's internet connection (via the FRP tunnel) as a covert outbound channel to exfiltrate data from internal hosts
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
42 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A fast reverse proxy utility used by Webworm and also serving as the inspiration/base for the custom WormFrp tool.
FRP is used by the toolkit as an embedded reverse proxy component to create tunnels for RDP and a raw TCP shell back to the operator-controlled server. In this case it is wrapped in a .NET loader, decrypted with AES-256-CBC, and loaded in memory via manual PE mapping.
Reverse proxy utility used to provide persistent remote access/tunneling into victim environments.
Reverse proxy/tunneling utility used to establish covert connectivity (including C2-style access) and bypass network controls; observed here in modified builds.