Ngrok
ngrok is a legitimate publicly available tunneling and proxy utility that exposes local ports and services to the internet, including systems behind NAT or firewalls, optionally over TLS-encrypted tunnels. In the provided reporting it is repeatedly described as being abused by threat actors as a dual-use tool rather than as a bespoke malware family. Observed malicious uses include establishing encrypted tunnels for inbound remote access, proxying command-and-control traffic to ngrok service subdomains, tunneling RDP sessions, exposing compromised internal servers, and configuring servers for data exfiltration. Multiple reports describe ngrok being deployed as a persistence or access-enablement mechanism on compromised hosts, including internal servers and VMware Horizon servers, and in one case being renamed to conhost.exe and executed via a VBS script with an ngrok.yml configuration file. Threat activity in the content associates ngrok use with Kimsuky-related intrusions, UNC3944/Scattered Spider tradecraft, Iranian-aligned TunnelVision activity, Pioneer Kitten/UNC757 and COBALT FOXGLOVE/Fox Kitten operations, the SMOKEDHAM/UNC2465 supply-chain intrusion, and destructive operations attributed to Twelve. High-confidence artifacts and behaviors mentioned include tunneling of malicious RDP connections through ngrok, download attempts from transfer.sh, execution with configuration file ngrok.yml, and network connections to external ngrok cloud infrastructure over TCP 443.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"...the threat actor attempted to download ngrok to a compromised VMware Horizon server" and later "Download and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic."
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The threat actor uses the additionally installed malware strains and proxy tools, such as Ngrok, to establish a proxy network environment.
The malicious RDP connections to the system are tunneled through ngrok.
"ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS."
...various covert tunneling tools, such as NGROK, RSOCX, and Localtonet.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Instances of ngrok were launched on these internal servers, exposing them through encrypted tunnels to the threat actor’s infrastructure. These tunnels enabled continued inbound access for Remote Desktop Protocol (RDP) sessions without requiring exposed firewall ports.
"we have observed wide exploitation of ... recently Log4Shell... focusing around exploitation of VMware Horizon Log4j vulnerabilities."
Execution
2 techniques
Lateral movement was further supported by Windows Management Instrumentation (WMI)-based remote execution, which was used to deploy and launch ngrok on additional devices from compromised web servers.
Alternatively, analysts can use Florian’s Sigma rule, which looks at the command-line parameters used by ngrok, to search for ngrok activity via its command-line patterns.
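The command-line approach above, worked through as an added example (this is not the Sigma rule itself, nor code from any report cited on this page): it scans constructed process-creation records for ngrok's own subcommand syntax rather than for the image name, so the rename to conhost.exe mentioned in the summary is still caught. The subcommand list, the remote-access port list, the sample events and the reason strings are the example's own assumptions.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (the fields Sysmon EID 1 or Security 4688 would give)."""
    host: str
    image: str          # full path of the executed binary
    command_line: str


# Subcommands that open a tunnel and ports that expose remote-access services.
# Both sets are this example's own selection, not a published rule.
TUNNEL_SUBCOMMANDS = {"tcp", "http", "tls", "start"}
REMOTE_ACCESS_PORTS = {"22", "139", "445", "3389", "5985", "5986"}
# Matches a bare '3389' or a 'localhost:3389' style argument.
PORT_ARG = re.compile(r"^(?:[\w.-]+:)?(\d{1,5})$")


def detect_ngrok(event: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like ngrok usage (empty list if none)."""
    tokens = event.command_line.split()
    reasons: list[str] = []
    if len(tokens) < 2:
        return reasons
    sub = tokens[1].lower()
    args = [t.lower() for t in tokens[2:]]

    if sub in TUNNEL_SUBCOMMANDS:
        reasons.append(f"ngrok tunnel subcommand '{sub}'")
        for a in args:
            m = PORT_ARG.match(a)
            if m and m.group(1) in REMOTE_ACCESS_PORTS:
                reasons.append(f"tunnel targets remote-access port {m.group(1)}")
        if sub == "start" and "--all" in args:
            reasons.append("starts every tunnel defined in the config file")

    # '--config <path>' or '--config=<path>' pointing at an ngrok.yml
    for i, a in enumerate(args):
        cfg = None
        if a.startswith("--config="):
            cfg = a.split("=", 1)[1]
        elif a == "--config" and i + 1 < len(args):
            cfg = args[i + 1]
        if cfg and cfg.endswith("ngrok.yml"):
            reasons.append(f"loads ngrok config file {cfg}")

    # Legacy 'ngrok authtoken <t>' and v3 'ngrok config add-authtoken <t>'
    if sub == "authtoken" or (sub == "config" and "add-authtoken" in args):
        reasons.append("registers an ngrok auth token")

    # ngrok syntax under another image name (the reporting notes a rename to conhost.exe)
    image_name = os.path.basename(event.image.replace("\\", "/")).lower()
    if reasons and "ngrok" not in image_name:
        reasons.append(f"ngrok command syntax under non-ngrok image name '{image_name}'")
    return reasons


def scan(events):
    """Return (host, image, reasons) for every event that triggered at least one reason."""
    return [(e.host, e.image, r) for e in events if (r := detect_ngrok(e))]


# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Users\Public\ngrok.exe", "ngrok.exe tcp 3389"),
    ProcessEvent("srv02", r"C:\Windows\Temp\conhost.exe",
                 r"conhost.exe start --all --config C:\Windows\Temp\ngrok.yml"),
    ProcessEvent("srv02", r"C:\Windows\System32\conhost.exe",
                 r"\??\C:\Windows\system32\conhost.exe 0x4"),
    ProcessEvent("ws03", r"C:\Tools\ngrok.exe", "ngrok.exe config add-authtoken <TOKEN-PLACEHOLDER>"),
    ProcessEvent("ws04", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The genuine conhost.exe launch (its command line carries a handle value, not ngrok arguments) produces no finding, while the renamed copy on srv02 is flagged four times over; tuning should start from the subcommand and port sets rather than from the image name.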
Persistence
2 techniques
Instances of ngrok were launched on these internal servers, exposing them through encrypted tunnels to the threat actor’s infrastructure. These tunnels enabled continued inbound access for Remote Desktop Protocol (RDP) sessions without requiring exposed firewall ports.
Privilege Escalation
1 technique
Stealth
2 techniques
Threat actors are using the tools’ legitimately signed certificates to help bypass security mechanisms... Host security bypass: Security tools, such as antivirus or endpoint detection and response tools, often fail to detect remote-access software because it uses legitimate certificates and exclusion paths.
The threat actor used FRPC (frpc.exe) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of the Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.
Lateral Movement
4 techniques
For this purpose, Scattered Spider established persistence using VPN access or Remote Monitoring and Management (RMM) tools.
Creating an RDP tunnel by ngrok leaves a source address value of ::%16777216 in the system’s RDP event logs.
Once inside, Pioneer Kitten frequently leverages SSH tunnels, proxy tools (e.g., ngrok, ligolo), or compromised Linux systems to reach Windows and cloud systems.
expose remote desktop service ports, like RDP and WinRM, to the open internet
Command and Control
10 techniques
The ngrok agent, prior to creating the tunnel, will first fetch the ngrok tunneling servers’ domain and IP address list from https://s3.amazonaws.com/dns.ngrok.com/tunnel.json.
Creating an RDP tunnel by ngrok leaves a source address value of ::%16777216 in the system’s RDP event logs.
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
The NGROK utility is used by the threat actors to circumvent firewalls and expose remote desktop service ports.
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant and enable remote access to vulnerable systems.
Annotations: (none) | ID: T1102 | Technique: Web Service | Tactic: Command and Control
"attempted to download ngrok" and "Download and execution of tunneling tools, including Plink and Ngrok"; also mentions transfer.sh, ufile.io, raw.githubusercontent.com.
RMM tools are being exploited in several ways: Threat actors are using the tools’ legitimately signed certificates to help bypass security mechanisms, employing network encryption and legitimate network relays to proxy connection to a victim, and securing remote desktop-like access to client machines, among other actions.
APT41 has used DGAs to change their C2 servers monthly. Aria-body has the ability to use a DGA for C2 communications. Astaroth has used a DGA in C2 communications. Bazar can implement DGA using the current date as a seed variable.
The threat actor used FRPC.exe to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling.
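Two artifacts in this section are usable on the defender's side: the agent's fetch of tunnel.json from s3.amazonaws.com before a tunnel is created, and the ::%16777216 source address that an ngrok RDP tunnel leaves in the RDP event logs. The following added example (not code from any of the reports cited here) correlates the two across constructed proxy log lines and constructed type-10 logon records; the log layout, the record fields, the 24-hour window and the severity labels are the example's own assumptions, while the URL and the source-address value come from the reporting above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Both values are taken from the reporting quoted above.
NGROK_TUNNEL_LIST_URL = "https://s3.amazonaws.com/dns.ngrok.com/tunnel.json"
NGROK_RDP_SOURCE = "::%16777216"
# How long after a tunnel.json fetch an RDP logon is still treated as related (assumption).
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed proxy log in a simple "<timestamp> <host> <method> <url> <status>" layout.
PROXY_LOG = """\
2024-05-01T09:58:02 ws01 GET https://www.example.com/index.html 200
2024-05-01T10:02:11 srv02 GET https://s3.amazonaws.com/dns.ngrok.com/tunnel.json 200
2024-05-01T11:00:00 ws07 GET https://s3.amazonaws.com/dns.ngrok.com/tunnel.json 200
"""
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed logon records; logon type 10 is an interactive RDP logon (Security 4624).
RDP_LOGONS = [
    {"ts": "2024-05-01T10:40:30", "host": "srv02", "logon_type": 10, "user": "svc_backup", "ip_address": "::%16777216"},
    {"ts": "2024-05-01T08:15:00", "host": "ws05", "logon_type": 10, "user": "alice", "ip_address": "10.0.4.21"},
    {"ts": "2024-05-02T03:12:44", "host": "ws09", "logon_type": 10, "user": "bob", "ip_address": "::%16777216"},
    {"ts": "2024-05-01T12:00:00", "host": "ws07", "logon_type": 3, "user": "carol", "ip_address": "10.0.4.9"},
]


def parse_proxy_log(text):
    """Yield (timestamp, host, url) for every well-formed proxy log line."""
    for line in text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["url"]


def tunnel_list_fetches(text):
    """Map host -> timestamps at which it fetched ngrok's tunnel server list."""
    fetches = defaultdict(list)
    for ts, host, url in parse_proxy_log(text):
        if url == NGROK_TUNNEL_LIST_URL:
            fetches[host].append(ts)
    return fetches


def ngrok_rdp_logons(events):
    """RDP (type 10) logons whose source address is the ngrok tunnel artifact."""
    return [e for e in events if e["logon_type"] == 10 and e["ip_address"] == NGROK_RDP_SOURCE]


def correlate(proxy_text, rdp_events):
    """Combine the two artifacts into per-host findings, keyed by host and sorted."""
    fetches = tunnel_list_fetches(proxy_text)
    findings = {}
    for e in ngrok_rdp_logons(rdp_events):
        logon_ts = datetime.fromisoformat(e["ts"])
        related = [t for t in fetches.get(e["host"], [])
                   if timedelta(0) <= logon_ts - t <= CORRELATION_WINDOW]
        if related:
            findings[e["host"]] = {
                "severity": "high",
                "reason": f"tunnel.json fetch at {min(related)} followed by RDP logon "
                          f"for {e['user']} from {NGROK_RDP_SOURCE}",
            }
        else:
            findings.setdefault(e["host"], {
                "severity": "medium",
                "reason": f"RDP logon for {e['user']} from {NGROK_RDP_SOURCE} "
                          f"with no tunnel.json fetch in the window",
            })
    for host in fetches:
        findings.setdefault(host, {
            "severity": "low",
            "reason": "ngrok tunnel server list fetched, no matching RDP logon seen",
        })
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for host, f in correlate(PROXY_LOG, RDP_LOGONS).items():
        print(f"{host}: [{f['severity']}] {f['reason']}")
```

Either artifact on its own is worth a look, but the pairing is what separates an actual ngrok-tunneled RDP session from a one-off download or a stray IPv6 scope value, which is why the RDP-only case stays at medium.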
Exfiltration
2 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A legitimate tunneling utility abused by the threat actor to expose internal systems through encrypted tunnels, enable covert inbound RDP access, support persistence, and mask the true source of lateral movement.
Legitimate tunneling service often abused by threat actors to create outbound tunnels for remote access and C2.
Legitimate tunneling service abused to proxy/tunnel RDP and other traffic, obscuring attacker infrastructure and enabling access to internal services.
A proxy/tunneling tool used by the threat actor to establish a proxy network environment during intrusions.