S1187: reGeorg
Analyst context for executives and security teams
reGeorg matters because it turns a compromised web-facing system into a proxy and tunnel. In business terms, that can let an intruder route traffic through trusted infrastructure, bypass simple firewall assumptions, and reach systems that were not meant to be exposed externally. The key defensive question is not only “can we find this tool,” but “would our web, proxy, network, and identity telemetry show unusual tunneling and follow-on remote access if a web shell became a gateway into the environment?”
Executive priority
Prioritize reGeorg as a web-exposure and network-segmentation risk. ATT&CK describes it as an open-source Python web shell used to proxy and tunnel data, with relationships to web shell persistence, protocol tunneling, proxy use, web protocols, tool transfer, and remote access techniques such as RDP, SMB/admin shares, and SSH. Leaders should ask whether internet-facing servers and network devices have sufficient logging, egress controls, segmentation, and incident-response playbooks to prove that a compromised web service cannot quietly become an internal access path.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the behavior chain rather than a single signature. The supplied ATT&CK object has no official detection text, so local detection should focus on suspicious web shell presence on web servers, Python execution where unexpected, HTTP/S traffic patterns consistent with tunneling or proxying, unusual inbound-to-outbound relay behavior, and internal access attempts over RDP, SMB/admin shares, or SSH following web-server compromise. Relationship context links reGeorg to T1505.003, T1572, T1090, T1071.001, T1095, T1105, T1059.006, and T1021 sub-techniques, so triage should connect web-layer anomalies with network flow and authentication evidence.
Likely telemetry
- Web server access logs and error logs for unusual request patterns to web-accessible scripts
- File integrity or endpoint telemetry on web roots and application directories for unexpected web shell files
- Process execution telemetry showing Python interpreter or script execution on servers where that is not expected
- Network flow, proxy, and firewall logs showing web servers acting as relay points or initiating unusual outbound connections
- HTTP/S inspection metadata where available, including user agent, URI, request size, response size, and long-lived or repetitive sessions
Detection direction
- Start with asset context: identify internet-facing web servers, network devices with web interfaces, and systems where Python execution is legitimate versus unusual.
- Correlate web shell indicators with tunneling indicators; a single odd web request may be noisy, but web script changes plus unusual outbound network sessions from the same host materially raise priority.
- Tune for web servers initiating connections to internal management services such as RDP, SMB/admin shares, or SSH, especially when those paths violate expected segmentation.
- Review proxy and firewall policies for allowed outbound HTTP/S from servers; reGeorg-like behavior can blend into web protocols, so metadata and flow behavior may be more useful than simple port-based alerts.
- Use the ATT&CK group relationships as threat-intelligence context only: APT28, APT29, and Ember Bear are listed as using this object, but that does not by itself prove local targeting or current activity.
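The correlation logic described in the telemetry and detection-direction lists above, as an added example that is not part of this page or of Glexia's or MITRE's own tooling. It scores each web host on four constructed signals (a new script file under the web root, repeated POSTs from one client to that script, an unexpected Python interpreter, and outbound connections to RDP/SMB/SSH) so that a web-layer anomaly alone stays low-priority while the combination on one host rises to the top. The log format, host names, thresholds and weights are assumptions chosen for illustration; all sample records are constructed.

```python
"""Correlate web-shell, tunneling and pivot indicators per web host (added example)."""
import re
from collections import Counter, defaultdict

# Ports whose use from a web server towards internal hosts deserves review.
MGMT_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH"}
# Asset context (assumed): hosts where a Python interpreter is not expected to run.
PYTHON_UNEXPECTED = {"web01", "web02"}
# Script extensions (assumed list) that are unusual to see created outside a deployment.
SCRIPT_EXTENSIONS = {"jsp", "aspx", "php", "ashx"}

# Constructed access-log lines: host, client, ident, user, time, request, status, bytes.
ACCESS_LOG = [
    'web01 203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /app/tunnel.jsp HTTP/1.1" 200 4096',
    'web01 203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /app/tunnel.jsp HTTP/1.1" 200 8192',
    'web01 203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /app/tunnel.jsp HTTP/1.1" 200 4096',
    'web01 203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "POST /app/tunnel.jsp HTTP/1.1" 200 16384',
    'web02 198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    'web02 198.51.100.9 - - [12/Mar/2024:10:02:01 +0000] "GET /static/app.css HTTP/1.1" 200 900',
]
# Constructed file-integrity events: (host, path, action) for files under web roots.
FIM_EVENTS = [
    ("web01", "/var/www/app/tunnel.jsp", "created"),
    ("web02", "/var/www/static/app.css", "modified"),  # part of a normal deploy
]
# Constructed process telemetry: (host, image).
PROCESS_EVENTS = [("web01", "/usr/bin/python3"), ("web02", "/usr/sbin/httpd")]
# Constructed flow records: (src_host, dst_ip, dst_port).
FLOWS = [("web01", "10.10.5.20", 3389), ("web01", "10.10.5.21", 445), ("web02", "10.10.9.2", 443)]

LOG_RE = re.compile(r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+)$')


def parse_access(lines):
    """Yield one dict per line that matches the constructed combined-log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def correlate(access_lines, fim_events, process_events, flows, post_threshold=3):
    """Return {host: (score, [reasons])}; hosts with no signal are omitted."""
    score, reasons = defaultdict(int), defaultdict(list)

    # Signal 1: a new script file under the web root (possible web shell placement).
    new_scripts = set()
    for host, path, action in fim_events:
        if action == "created" and path.rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS:
            new_scripts.add((host, path.rsplit("/", 1)[-1]))
            score[host] += 3
            reasons[host].append(f"new script in web root: {path}")

    # Signal 2: repeated POSTs from one client to one script, which is how a
    # tunnel over HTTP tends to look in access logs; stronger when the script is new.
    posts, volume = Counter(), Counter()
    for r in parse_access(access_lines):
        if r["method"] == "POST":
            key = (r["host"], r["client"], r["path"])
            posts[key] += 1
            volume[key] += r["bytes"]
    for (host, client, path), n in posts.items():
        if n >= post_threshold:
            bump = 2 + (2 if (host, path.rsplit("/", 1)[-1]) in new_scripts else 0)
            score[host] += bump
            reasons[host].append(f"{n} POSTs ({volume[(host, client, path)]} bytes) from {client} to {path}")

    # Signal 3: Python interpreter on a host where asset context says it is unexpected.
    for host, image in process_events:
        if host in PYTHON_UNEXPECTED and "python" in image:
            score[host] += 1
            reasons[host].append(f"python interpreter executed: {image}")

    # Signal 4: web host initiating connections to internal management services.
    for host, dst, port in flows:
        if port in MGMT_PORTS:
            score[host] += 3
            reasons[host].append(f"outbound {MGMT_PORTS[port]} to {dst}:{port}")

    return {h: (score[h], reasons[h]) for h in score}


if __name__ == "__main__":
    results = correlate(ACCESS_LOG, FIM_EVENTS, PROCESS_EVENTS, FLOWS)
    for host, (s, why) in sorted(results.items(), key=lambda kv: -kv[1][0]):
        print(f"{host}: score={s}")
        for w in why:
            print("   -", w)
```

With the constructed input, web01 accumulates every signal and is the only host reported; web02's modified stylesheet, GET traffic and HTTPS flow produce no score at all, which is the point: each signal on its own is ordinary, and the weights only matter when several land on the same host.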
Mitigation priorities
- Reduce exposed attack surface for web applications and administrative web interfaces, especially on systems that can reach sensitive internal networks.
- Enforce least-privilege egress from web servers and network devices; web-facing systems should not have broad outbound or east-west access unless required.
- Segment access to RDP, SMB/admin shares, and SSH so a compromised web host cannot become a general-purpose pivot point.
- Monitor and control Python availability and execution on production servers according to operational need, without assuming Python presence is malicious by itself.
- Maintain file integrity monitoring and deployment baselines for web roots so unauthorized web shell placement is easier to investigate.
Analyst notes and limits
The strongest decision value is in validating whether the environment can see and contain proxy/tunnel behavior from web-facing assets. reGeorg’s open-source nature and ATT&CK relationships make it useful for mapping coverage across persistence, command-and-control, execution, ingress transfer, and lateral-movement adjacency, but defenders should base prioritization on local exposure, segmentation, and telemetry quality.
The supplied ATT&CK object does not specify tactics for the malware object itself and provides no official detection text. This take uses only the supplied description, platforms, external references, and relationships. It does not assert active exploitation, customer exposure, or guaranteed detection. Local confirmation requires environment-specific logs, baselines, and asset context.
reGeorg
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.006 | Python Sub-technique | reGeorg is a Python-based web shell. [GitHub reGeorg 2016] |
| Enterprise | T1572 | Protocol Tunneling | reGeorg can tunnel TCP sessions including RDP, SSH, and SMB through HTTP. [Fortinet reGeorg MAR 2019] [Mandiant APT29 Eye Spy Email Nov 22] [Cadet Blizzard emerges as novel threat actor] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | reGeorg can be used to tunnel RDP connections. [Fortinet reGeorg MAR 2019] |
| Enterprise | T1105 | Ingress Tool Transfer | reGeorg has the ability to download files to targeted systems. [GitHub Neo-reGeorg 2019] |
| Enterprise | T1021.004 | SSH Sub-technique | reGeorg can communicate using SSH through an HTTP tunnel. [Fortinet reGeorg MAR 2019] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | reGeorg can use HTTP to tunnel connections in and out of targeted networks. [Fortinet reGeorg MAR 2019] |
| Enterprise | T1090 | Proxy | reGeorg can establish an HTTP or SOCKS proxy to tunnel data in and out of a network. [GitHub reGeorg 2016] [Fortinet reGeorg MAR 2019] [Mandiant APT29 Eye Spy Email Nov 22] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | reGeorg has the ability to tunnel SMB sessions. [Fortinet reGeorg MAR 2019] |
| Enterprise | T1505.003 | Web Shell Sub-technique | reGeorg is a web shell that has been installed on exposed web servers for access to victim environments. [Mandiant APT29 Eye Spy Email Nov 22] [Cadet Blizzard emerges as novel threat actor] |
| Enterprise | T1095 | Non-Application Layer Protocol | reGeorg can tunnel TCP sessions into targeted networks. [Fortinet reGeorg MAR 2019] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 806687b64a2c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Fortinet reGeorg MAR 2019: FortiGuard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
- [2] GitHub reGeorg 2016: xl7dev. (2016). reGeorg-master. Retrieved December 3, 2024.
- [3] mitre-attack S1187
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.