FRPC
FRPC is the Fast Reverse Proxy client, an open-source command-line tool written in Go and derived from FRP. It is frequently observed in intrusions as a reverse proxy and tunneling utility. Public reporting describes both stock and modified FRPC variants used to open reverse proxy connections between compromised hosts and attacker-controlled infrastructure, giving the operator access to systems behind NAT or firewalls.

Reported capabilities include reverse proxying over TCP, UDP, HTTP, and HTTPS; encryption, compression, and token-based authentication; SOCKS5 proxying; and tunneling of Remote Desktop Protocol (RDP) over TLS.

In one CISA malware analysis tied to Volt Typhoon, a UPX-packed 64-bit Windows FRPC sample (SMSvcService.exe, SHA-256 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1) was configured with server_addr 192.168.18.111, server_port 8081, remote_port 1080, plugin socks5, tls_enable true, and protocol tcp. Another reported FRPC IOC hash is 2587217bc685527480c803ddf34a56ae9d9bf02681828a8a2081acc775312cf3.

Reporting associates FRPC use with multiple threat actors, including Fox Kitten/Pioneer Kitten/UNC757 and Volt Typhoon. Fox Kitten was reported using FRPC and Go Proxy to establish connections from C2 to local servers, and CISA/FBI described a modified FRPC used by the Iran-linked actor as a persistence mechanism, including tunneling RDP over TLS and operation over port 7557. The same advisory noted persistence via a scheduled task named lpupdate that ran a binary named svchost daily to launch FRPC.

Targeting described in the source material includes U.S. federal agencies and sectors such as information technology, government, healthcare, financial, insurance, and media, as well as a U.S. critical infrastructure environment compromised by Volt Typhoon.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"This packed file contains a compiled version of an open-source tool published on GitHub called 'FRPC'. The 'FRPC' is a command-line tool written in Golang that is designed to open a reverse proxy between the compromised system and the TA's C2 server."
Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant and enable remote access to vulnerable systems.
"we have observed wide exploitation of ... recently Log4Shell... focusing around exploitation of VMware Horizon Log4j vulnerabilities." | "we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379)" | "we have observed wide exploitation of ... Microsoft Exchange (ProxyShell)"
Execution
1 technique
Persistence
2 techniques
The threat actor installed and used FRPC (frpc.exe) on both NetScaler and internal devices. The task was named lpupdate and the binary was named svchost, which was the reverse proxy. The threat actor executed this command daily.
Privilege Escalation
1 technique
Stealth
3 techniques
"packed using Ultimate Packer for Executables (UPX)"; "UPX compressed"; PE sections include "UPX0/UPX1/UPX2"
The threat actor used FRPC (frpc.exe) daily as reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.
The FRPC (frpc.exe) binary name was svchost, and the configuration file was dllhost.dll, attempting to masquerade as a legitimate Dynamic Link Library.
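The following is an added defender-side example, not code from the page, from Mallory, or from the frp project. It covers two things the page describes: the configuration fields named in the CISA analysis (server_addr, server_port, remote_port, plugin, tls_enable, protocol) and the persistence and masquerading artifacts above (a scheduled task named lpupdate, a binary named svchost run from an IME directory, a config file named dllhost.dll). The INI layout ([common] plus one section per proxy) is an assumption based on those field names; the sample config and host artifacts are constructed from the page's values, and the two SHA-256 hashes are the ones the page reports.

```python
"""Triage helpers for FRPC artifacts (added example; not the page's or frp's code).

Assumption: frpc config is INI-style with a [common] section and one section
per proxy. Sample inputs are constructed from values quoted on the page.
"""
import configparser
import ntpath

# SHA-256 values reported on the page for FRPC samples.
KNOWN_FRPC_SHA256 = {
    "99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1",
    "2587217bc685527480c803ddf34a56ae9d9bf02681828a8a2081acc775312cf3",
}

# Constructed sample mirroring the CISA-reported configuration on the page.
SAMPLE_CONFIG = """
[common]
server_addr = 192.168.18.111
server_port = 8081
tls_enable = true
protocol = tcp

[proxy1]
type = tcp
remote_port = 1080
plugin = socks5
"""


def parse_frpc_config(text):
    """Parse frpc-style INI text into {"common": {...}, "proxies": [{...}, ...]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = dict(cp["common"]) if cp.has_section("common") else {}
    proxies = []
    for name in cp.sections():
        if name == "common":
            continue
        entry = {"name": name}
        entry.update(cp[name])  # type, remote_port, plugin, ...
        proxies.append(entry)
    return {"common": common, "proxies": proxies}


def assess_frpc_config(parsed):
    """Return human-readable findings an analyst would want from a recovered config."""
    findings = []
    common = parsed["common"]
    if "server_addr" in common:
        findings.append(
            f"outbound FRPS endpoint {common['server_addr']}:{common.get('server_port', '?')} "
            f"over {common.get('protocol', 'tcp')}"
        )
    if common.get("tls_enable", "").lower() == "true":
        findings.append("TLS enabled: tunnel contents will not be inspectable on the wire")
    for p in parsed["proxies"]:
        if p.get("plugin", "").lower() == "socks5":
            findings.append(
                f"proxy '{p['name']}' exposes a SOCKS5 pivot on FRPS remote_port {p.get('remote_port', '?')}"
            )
        elif p.get("remote_port"):
            findings.append(
                f"proxy '{p['name']}' forwards {p.get('type', 'tcp')} to FRPS remote_port {p['remote_port']}"
            )
    return findings


def triage_artifacts(task_name, binary_path, config_path, sha256=None):
    """Match host artifacts against the persistence/masquerading tradecraft on the page."""
    reasons = []
    if task_name and task_name.lower() == "lpupdate":
        reasons.append("scheduled task name 'lpupdate' matches reported FRPC persistence")
    bin_name = ntpath.basename(binary_path).lower()
    bin_dir = ntpath.dirname(binary_path).lower()
    if bin_name in ("svchost", "svchost.exe") and not bin_dir.endswith("\\windows\\system32"):
        reasons.append("svchost-named binary running outside System32")
    if "\\ime" in bin_dir:
        reasons.append("binary staged under an Input Method Editor (IME) directory")
    if ntpath.basename(config_path).lower() == "dllhost.dll":
        reasons.append("config file named dllhost.dll (DLL masquerade)")
    if sha256 and sha256.lower() in KNOWN_FRPC_SHA256:
        reasons.append("SHA-256 matches a reported FRPC sample")
    return reasons


if __name__ == "__main__":
    for line in assess_frpc_config(parse_frpc_config(SAMPLE_CONFIG)):
        print("config:", line)
    for line in triage_artifacts(
        "lpupdate", r"C:\Windows\IME\svchost.exe", r"C:\Windows\IME\dllhost.dll",
        "99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1",
    ):
        print("host:", line)
```

The config assessment is useful on its own for a recovered dllhost.dll-style file, and triage_artifacts is the kind of check a scheduled-task or process-creation hunt would run; a genuine svchost.exe lives in System32 and is not launched by a task named lpupdate, so the benign case produces no findings.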
Lateral Movement
1 technique
The threat actor used RDP to log in and then conduct lateral movement.
Command and Control
8 techniques"attempts to establish a connection with the Fast Reverse Proxy Server (FRPS)"; "supports encryption, compression, and allows easy token authentication"; "supports ... TCP ... UDP ... HTTP ... HTTPS"; "tls_enable = true"
Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Symantec's published indicators point to a wider intrusion kit... FRPC for tunneling traffic out...
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant and enable remote access to vulnerable systems.
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
"attempted to download ngrok" and "Download and execution of tunneling tools, including Plink and Ngrok"; also mentions transfer.sh, ufile.io, raw.githubusercontent.com.
The threat actor used FRPC.exe to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named tool listed in the IoCs, commonly used for proxying or tunneling network traffic to support covert access or exfiltration.
A named tool listed in the IOCs. FRPC commonly refers to the Fast Reverse Proxy client, suggesting possible tunneling or remote connectivity use, though the content does not describe its role in this intrusion.
Client component/tooling used for reverse proxying to connect C2 to internal/local services.
Client component used for reverse proxying to connect C2 infrastructure to internal/local services.