reGeorg
reGeorg is a web shell and tunneling tool used to maintain access on compromised web servers and pivot into victim networks. It acts as an HTTP or SOCKS proxy and can tunnel TCP sessions, including RDP, SMB, and SSH, through HTTP/HTTPS to move data in and out of a network and bypass firewalls and proxies. Public reporting describes HackTool:JS/ReGeorg as using JavaScript-based web shell components to hide malicious traffic within normal HTTP/HTTPS communications, with small server-side scripts placed in public web directories that accept commands via HTTP query strings and open bidirectional socket connections. Reported server-side components include JavaScript, ASP, JSP, and ASPX variants, and the tool has been observed on exposed web servers and Outlook Web Access (OWA) servers.
reGeorg has been used by multiple threat actors. APT28 used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target OWA server, and reporting noted UNC3524 used a REGEORG instance identical to the version publicly reported by NSA as used by APT28. LuckyMouse installed a variant of the ReGeorg web shell during Exchange exploitation activity. Other reporting cited deployment of reGeorg or similar tunnel-capable web shells by actors including Ember Bear, FIN13, and Gelsemium-linked activity, and a ReGeorg-like web shell was reported in the FrostyGoop incident and in activity involving Tor-accessed tunneling web shells.
Observed behaviors include tunneling RDP connections, tunneling SMB sessions, communicating using SSH through an HTTP tunnel, and establishing HTTP or SOCKS proxy channels for lateral movement and persistence. Reporting also states that reGeorg may be deployed after initial access obtained through exploitation of public-facing applications, including CVE-2021-26084 and CVE-2025-0282, or via phishing or drive-by download. Additional reported artifacts include command handling through Request.QueryString.Get("cmd"), base64-encoded commands, file paths such as C:\Windows\Temp\tunnel.js and /var/www/html/login.jsp, associated processes Wscript.exe, Cscript.exe, and Scilc.exe, registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name "scilc" and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ with value name "WinHTTPProxy", network indicators 91[.]210.104[.]31, 185[.]202.0[.]219, host range 91[.]210.104[.]0/22, and domains office365-cloud[.]org and update-global[.]com.
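As an added defensive example (not code from the page or from Mallory), the following Python flags the request shape those artifacts describe, a script path receiving repeated requests whose cmd query-string parameter carries a base64-encoded value, over constructed IIS-style log lines; the log format, paths, client addresses and the hit threshold are assumptions.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C-style access log lines (not from any real incident):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.7 POST /auth/login.jsp cmd=Y29ubmVjdA== 200
2024-05-01 10:00:02 203.0.113.7 POST /auth/login.jsp cmd=cmVhZA== 200
2024-05-01 10:00:03 203.0.113.7 POST /auth/login.jsp cmd=Zm9yd2FyZA== 200
2024-05-01 10:00:04 203.0.113.7 POST /auth/login.jsp cmd=cmVhZA== 200
2024-05-01 10:00:05 198.51.100.20 GET /owa/ - 200
2024-05-01 10:00:06 198.51.100.21 GET /owa/auth/logon.aspx url=%2fowa%2f 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")

def looks_base64(value):
    """True if value is well-formed base64 (right shape and strict decode)."""
    if len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _date, _time, ip, method, stem, query, status = m.groups()
    params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
    return {"ip": ip, "method": method, "stem": stem, "params": params, "status": int(status)}

def find_tunnel_candidates(log_text, min_hits=3):
    """Return {(client_ip, script_path): count} for client/script pairs that sent a
    base64-looking 'cmd' query parameter at least min_hits times, i.e. the request
    shape the reported artifacts describe (QueryString 'cmd', base64 commands)."""
    hits = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if any(looks_base64(v) for v in rec["params"].get("cmd", [])):
            hits[(rec["ip"], rec["stem"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}
```

Tune min_hits to the baseline of the monitored application; a tunnel produces a steady stream of such requests to one script, which ordinary users do not.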
Vulnerabilities exploited
8 CVEs Mallory has correlated with this family across public research and vendor advisories.
Use known vulnerabilities — CVE 2020-0688 and CVE 2020-17144 — to establish persistent access and escalate privileges, which means gaining administrative control of servers and systems.
"LuckyMouse... began its attack by dropping the Nbtscan tool, installing a variant of the ReGeorg web shell..."
Threat behavior
HackTool:JS/ReGeorg is a tunneling tool that uses JavaScript to hide malicious traffic behind the legitimacy of HTTP/HTTPS protocols to get around network firewalls and proxies.
Groups observed using it
5 distinct threat actors attributed by public researchers.
ReGeorg — A web shell used to maintain persistent access to a compromised system.
APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.
"LuckyMouse... began its attack by dropping the Nbtscan tool, installing a variant of the ReGeorg web shell..."
"One interesting aspect of UNC3524’s use of REGEORG was that it matched identically with the version publicly reported by the NSA as used by APT28."
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
reGeorg activity typically begins with initial access through known vulnerabilities such as CVE-2021-26084 or CVE-2025-0282, or via phishing or drive-by download.
Execution
2 techniques
Persistence
4 techniquesBoot or logon initialization scripts, scheduled tasks, valid accounts, manipulating accounts, creating accounts, server software component, create/modify system process, event triggered execution, boot or logon autostart execution, hijack execution flow (MITRE ATT&CK: T1037, T1053, T1078, T1136, T1505, T1543, T1546, T1547, T1574)
CISA has identified 10 webshells associated with this activity... A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ (value: WinHTTPProxy)
Privilege Escalation
2 techniques
Stealth
1 technique
Once reGeorg has established its presence, subsequent commands it receives are base64-encoded.
Lateral Movement
5 techniques
It opens sockets to give both sides a connection for SSH or RDP traffic through TCP ports 80 and 443.
The scripts are launched with native OS tools (for example scilc.exe) and support lateral movement once a foothold has been gained.
Command and Control
8 techniques
Reporting repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, for example BlackEnergy communicating with its C2 over HTTP POST requests, alongside many other families that use HTTP/S for C2.
Webshells are utilized for the following purposes: To use as a relay point to issue commands to hosts inside the network without direct internet access;
reGeorg can communicate using SSH through an HTTP tunnel.
Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
Examples include 'reGeorg can use HTTP to tunnel connections in and out of targeted networks' and 'Neo-reGeorg can use customized HTTP headers.'
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Web shell/tunneling utility used to establish covert connectivity (often via HTTP) through a compromised web server.
Web shell/tunneling tool used to pivot through compromised web servers and proxy traffic into internal networks.
Web shell-based SOCKS proxy/tunneling utility used to pivot through compromised web servers by tunneling TCP over HTTP.
Web shell/tunneling tool used to proxy or tunnel RDP connections into victim environments.