Fast Reverse Proxy Server
Fast Reverse Proxy Server (FRPS) is a network tunneling utility observed in the Shadow Campaigns conducted by the state-aligned threat group tracked by Palo Alto Networks Unit 42 as TGR-STA-1030, also known as UNC6619. Across reporting on activity from at least January 2024 through February 2026, FRPS was used alongside GO Simple Tunnel (GOST) and IOX to tunnel selected network traffic after compromise. The broader intrusion set targeted at least 70 government and critical infrastructure organizations across 37 countries, including ministries, law enforcement, border control, finance, energy, telecommunications, mining, trade, and parliamentary entities, with activity assessed as aligned to Chinese regional interests. Initial access in those operations was achieved through tailored phishing using MEGA-hosted archives delivering the Diaoyu Loader and through exploitation of known vulnerabilities in public-facing systems such as SAP Solution Manager and Microsoft Exchange Server. FRPS was part of a larger toolset that also included Cobalt Strike, VShell, Havoc, Sliver, SparkRat, and web shells such as Behinder, Neo-reGeorg, and Godzilla. The available reporting does not describe FRPS-specific persistence, payload delivery, or standalone indicators of compromise beyond its use as a tunneling tool in this campaign.
Groups observed using it
One distinct threat actor attributed by public researchers.
"...network tunneling tools such as GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX."
Recent activity
Three sources tracked across advisories, community write-ups, and news.
Reverse proxy component used to tunnel traffic and enable access/pivoting through compromised environments.
Reverse proxy component used to expose internal services and relay traffic, supporting lateral movement and C2 obfuscation.
Reverse proxy/tunneling component used to tunnel traffic in support of C2 and access operations.