Malware. Used by 5 actors. Exploits 2 CVEs.

Neo-reGeorg

Neo-reGeorg is a publicly available web shell and tunneling tool derived from reGeorg. It is used to establish a SOCKS5 proxy on a compromised web server for pivoting, tunneling, and persistent access; the cited reporting states that a single session can carry multiple TCP connections. It has been observed as both an ASPX and a PHP web shell, and the reporting references it as hosted publicly on GitHub.

Across the cited reporting, Neo-reGeorg is used post-compromise on internet-facing servers, including Exchange/OWA and other web-accessible infrastructure, to enable webshell-based SOCKS pivoting into victim networks. Reported operators include the following. MuddyWater used Neo-reGeorg alongside resocks and revsocks for tunneling and uploaded a Neo-reGeorg web shell named nfud.aspx to a Portuguese government-related Exchange server. Sandworm Team deployed the Neo-REGEORG web shell on an internet-facing server during the 2022 Ukraine Electric Power Attack. China-linked espionage activity tracked by Palo Alto Networks Unit 42 as TGR-STA-1030/UNC6619 used web shells including Behinder, Neo-reGeorg, and Godzilla. Murky Panda/Silk Typhoon deployed Neo-reGeorg for persistence before dropping CloudedHope. UNC5174/Houken used publicly available web shells including Behinder and Neo-reGeorg together with GOREVERSE and suo5 for persistence and proxying.

The cited reporting also includes incident-response observations that Neo-reGeorg-derived web shells appeared in multiple adversary attack chains, including a PHP shell named 401.php observed by Cisco Talos. A specific active instance was reported at https://mail.sef.pt/aspnet_client/system_web/4_0_30319/nfud.aspx, and one recovered tunnel key was 123QWEasd. High-confidence behaviors directly mentioned in the reporting are web-shell deployment on compromised systems, establishment of SOCKS5 proxying, support for multiple TCP connections per session, and use for persistence, lateral-movement support, and network pivoting.


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-3928: Authenticated webshell upload and execution in Commvault Web Server (exploited in the wild)

Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928).

via The Hacker News (thehackernews.com)
CVE-2023-3519: Unauthenticated RCE in Citrix NetScaler ADC and NetScaler Gateway (exploited in the wild); cited from the same The Hacker News article quoted above.
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

MuddyWater

MuddyWater was observed leveraging the Chinese-developed tool Neo-reGeorg to perform webshell-based SOCKS pivoting.

via ctrlaltintel blog (ctrlaltintel.com)
Hafnium

"The initial access is leveraged to deploy web shells like neo-reGeorg to establish persistence and ultimately drop a custom malware called CloudedHope."

via The Hacker News (thehackernews.com)
UNC5174

Persistent access establishment via reverse shells (GOREVERSE) and proxy tools (Neo-reGeorg, suo5).

via Wiz Cloud Threats (threats.wiz.io)
Sandworm

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the Neo-REGEORG webshell on an internet-facing server.

via MITRE ATT&CK (attack.mitre.org)
TGR-STA-1030

Web shells - Behinder, neo-reGeorg, and Godzilla

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002 Obtain Capabilities: Tool (evidence: 1)

Open-source tools: Neo-reGeorg, resocks, revsocks, patator

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

Known vulnerabilities MuddyWater attempted to scan and/or exploit the below CVEs... We observed the threat actor target multiple Fortinet related CVEs... MuddyWater also performed mass-exploitation of CVE-2025-9316... Additionally, MuddyWater identified and exploited novel SQL injection vulnerabilities in two websites.

Execution

1 technique
T1059.006 Command and Scripting Interpreter: Python (evidence: 1)

Persistence

1 technique
T1505.003 Server Software Component: Web Shell (evidence: 8)

MuddyWater compromised the Exchange server of a Portuguese immigration government-related domain, uploading a Neo-reGeorg web-shell to facilitate access to the internal network.

Lateral Movement

1 technique
T1021.004 Remote Services: SSH (evidence: 1)

Both actors leveraged ProxyChains, SOCKS5 tunneling, and SSH for initial access, as well as additional tooling such as Chisel, CrackMapExec, Impacket, and Neo-reGeorg.

Command and Control

8 techniques
T1071.001 Application Layer Protocol: Web Protocols (evidence: 4)

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

T1090 Proxy (evidence: 4)

The Fire Ant actors then accessed internal Web servers and deployed network tunneling Web shells based on the open source project Neo-reGeorg, which created encrypted application-layer tunnels to additional parts of the victims' networks.

T1090.002 Proxy: External Proxy (evidence: 1)

MuddyWater was observed leveraging the Chinese-developed tool Neo-reGeorg to perform webshell-based SOCKS pivoting... Additionally, the tool resocks was used... Similarly, an alternative tool revsocks was also used

T1090.004 Proxy: Domain Fronting (evidence: 1)

Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...

T1095 Non-Application Layer Protocol (evidence: 1)
T1105 Ingress Tool Transfer (evidence: 1)
T1132.002 Data Encoding: Non-Standard Encoding (evidence: 1)
T1572 Protocol Tunneling (evidence: 6)

Examples include 'reGeorg can use HTTP to tunnel connections in and out of targeted networks' and 'Neo-reGeorg can use customized HTTP headers.'

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type / Value / Latest sighting
domain / value withheld on the public page / 3 months ago
ip.v4 / value withheld on the public page / 3 months ago
uri / value withheld on the public page / 3 months ago