
S1189: Neo-reGeorg

Neo-reGeorg is an open-source web shell designed as a restructuring of reGeorg with improved usability, security, and fixes for existing reGeorg bugs.[1]

Domain: Enterprise | ID: S1189 | Type: Malware | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Neo-reGeorg matters because it is an open-source web shell associated in ATT&CK with web-shell persistence, proxying, tunneling, web-protocol command and control, and tool transfer across Windows, macOS, Linux, and network-device environments. For leaders, the business issue is not the tool name alone; it is whether internet-facing web infrastructure and network devices can be monitored well enough to spot unauthorized server-side scripts and tunneled traffic before they become a durable access path into the environment.

Executive priority

Treat this as a resilience and incident-readiness concern for exposed web services and network devices. Ask whether teams can prove: which systems can host web-accessible scripts, whether file integrity and web logs are retained, whether outbound web traffic from servers is monitored, and whether incident responders can quickly distinguish legitimate administration from proxy/tunnel behavior. Because ATT&CK provides no official detection text for this software, leadership should prioritize evidence of coverage rather than assume tool-specific detections exist.

Technical view

Validate coverage around the related ATT&CK behaviors: Web Shell (T1505.003), Web Protocols (T1071.001), Proxy (T1090), Non-Application Layer Protocol (T1095), Ingress Tool Transfer (T1105), Non-Standard Encoding (T1132.002), Protocol Tunneling (T1572), and Python execution (T1059.006). SOC and IR teams should focus on exposed web servers and supported platforms listed by ATT&CK: Network Devices, Windows, macOS, and Linux. Since no official detection is provided, detection engineering should be behavior-led: unexpected web-accessible files, unusual web server child process activity, anomalous HTTP/S patterns, server-initiated outbound connections, signs of tunneling/proxy behavior, and suspicious file transfer into or from web-hosting paths.

Likely telemetry

  • Web server access logs and error logs
  • File creation, modification, and integrity monitoring for web roots and application directories
  • Process execution telemetry from web servers, including interpreter activity such as Python where present
  • Network flow records for server-to-internet and server-to-internal connections
  • HTTP/S proxy, gateway, or reverse-proxy logs where available

Detection direction

  • Build detections around behavior rather than only Neo-reGeorg-specific indicators, because ATT&CK does not provide official detection logic for this object.
  • Hunt for web server processes initiating unusual outbound connections, acting as intermediaries, or communicating over web protocols inconsistent with normal application behavior.
  • Review newly created or modified scripts in web-accessible directories, especially where change-management records do not explain the activity.
  • Correlate web requests with process execution, file writes, and outbound network flows to distinguish normal application traffic from web-shell, proxy, or tunnel behavior.
  • Tune for false positives from legitimate web administration, health checks, reverse proxies, developer tooling, and managed file deployments; require local baselines for each application and device class.
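
The correlation the bullets above call for can be prototyped before any product is chosen. What follows is an added example, not code from the ATT&CK object, Glexia, or the Neo-reGeorg project; the access-log lines, process events, flow records, field names, script-extension list, web-server parent names and egress allowlist are all constructed assumptions that a local baseline would replace.

```python
"""Behavior-led triage over web-server telemetry (added example; not from ATT&CK,
Glexia, or the Neo-reGeorg project). Every record below is constructed sample
data and every field name is an assumption, not a vendor schema."""
import os
import re
from collections import Counter

# Constructed sample: combined-format web access log. One external source POSTs
# repeatedly to a script in an upload directory; the rest is ordinary traffic.
ACCESS_LOG = """\
10.0.5.7 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.5.7 - - [12/Mar/2025:10:01:03 +0000] "GET /static/app.css HTTP/1.1" 200 880
203.0.113.9 - - [12/Mar/2025:10:02:10 +0000] "POST /uploads/cache.php HTTP/1.1" 200 42
203.0.113.9 - - [12/Mar/2025:10:02:11 +0000] "POST /uploads/cache.php HTTP/1.1" 200 42
203.0.113.9 - - [12/Mar/2025:10:02:12 +0000] "POST /uploads/cache.php HTTP/1.1" 200 42
203.0.113.9 - - [12/Mar/2025:10:02:13 +0000] "POST /uploads/cache.php HTTP/1.1" 200 42
10.0.5.8 - - [12/Mar/2025:10:03:00 +0000] "POST /api/login HTTP/1.1" 200 310
"""

# Constructed sample: process-start events from the same host (parent -> child).
PROCESS_EVENTS = [
    {"ts": "2025-03-12T10:02:12Z", "parent": "php-fpm", "image": "/usr/bin/python3"},
    {"ts": "2025-03-12T10:05:00Z", "parent": "sshd", "image": "/usr/bin/python3"},
]

# Constructed sample: flows the web host initiated, attributed to a process.
FLOWS = [
    {"ts": "2025-03-12T10:01:02Z", "proc": "php-fpm", "dst": "10.0.20.5", "dport": 3306},
    {"ts": "2025-03-12T10:02:14Z", "proc": "python3", "dst": "10.0.30.17", "dport": 445},
    {"ts": "2025-03-12T10:02:20Z", "proc": "php-fpm", "dst": "198.51.100.44", "dport": 443},
]

# Assumed local baselines; in practice these come from the application's
# architecture documentation and change-management records.
KNOWN_SCRIPT_PATHS = {"/index.php"}
ALLOWED_EGRESS = {("10.0.20.5", 3306)}  # the application's database
WEB_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "w3wp.exe", "java"}
INTERPRETERS = {"python", "python3", "perl", "sh", "bash", "cmd.exe", "powershell.exe"}
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".py", ".cgi")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not guessed."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def find_script_post_bursts(entries, known_paths=KNOWN_SCRIPT_PATHS, threshold=3):
    """Server-side scripts receiving repeated POSTs that no change record explains."""
    counts = Counter(
        e["path"] for e in entries
        if e["method"] == "POST" and e["path"].lower().endswith(SCRIPT_EXT)
    )
    return sorted(p for p, n in counts.items() if n >= threshold and p not in known_paths)


def find_interpreter_spawns(events):
    """Web-server worker spawning a scripting interpreter."""
    return [e for e in events
            if e["parent"] in WEB_PARENTS and os.path.basename(e["image"]) in INTERPRETERS]


def find_unexpected_flows(flows, allowed=ALLOWED_EGRESS):
    """Connections initiated by web-server or interpreter processes outside the egress allowlist."""
    return [f for f in flows
            if f["proc"] in (WEB_PARENTS | INTERPRETERS)
            and (f["dst"], f["dport"]) not in allowed]


def triage(access_log=ACCESS_LOG, events=PROCESS_EVENTS, flows=FLOWS):
    """Combine the three views so one host's findings can be read together."""
    entries = parse_access_log(access_log)
    return {
        "script_post_bursts": find_script_post_bursts(entries),
        "interpreter_spawns": find_interpreter_spawns(events),
        "unexpected_flows": find_unexpected_flows(flows),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {hits}")
```

Each finding on its own is weak evidence (a deploy script, a health check or a reverse proxy can produce any one of them); the value is in reading the three lists for the same host and time window together, which is why `triage` returns them as one record rather than raising separate alerts.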

Mitigation priorities

  • Prioritize hardening and monitoring of internet-facing web servers and network devices that can host or expose web-accessible scripts.
  • Enforce least privilege for web service accounts and restrict write access to web roots and application directories.
  • Maintain patching and configuration hygiene for web applications and web management interfaces to reduce opportunities for web-shell placement.
  • Restrict unnecessary outbound connectivity from servers and network devices, especially where web-facing systems do not require direct internet egress.
  • Implement file integrity monitoring and change-control validation for web-hosted content and server-side scripts.
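
The file-integrity and change-control points above come down to a hash baseline of the web root and a diff of that baseline against change records. The block below is an added example, not code from the ATT&CK object, Glexia or any file-integrity product; the directory layout, the script-extension list and the set of approved changes are constructed assumptions.

```python
"""Hash baseline and change-record check for a web root (added example; not from
ATT&CK, Glexia or any file-integrity product). The directory layout, the
script-extension list and the approved-change set are constructed assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Assumed: extensions the web server will execute server-side.
SCRIPT_EXT = {".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".py", ".cgi"}


def sha256_file(path, chunk=65536):
    """Stream the file so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(root, baseline):
    """Compare the live tree with a stored baseline; returns added/removed/modified paths."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def unexplained_script_changes(diff, approved_changes):
    """Server-side scripts added or modified without a matching change record.
    approved_changes: relative paths covered by change management (assumed input)."""
    return [(kind, rel) for kind in ("added", "modified") for rel in diff[kind]
            if Path(rel).suffix.lower() in SCRIPT_EXT and rel not in approved_changes]


def demo():
    """Constructed scenario in a temporary directory: one approved release edit,
    one static-asset change, and one script that no change record explains."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "static").mkdir()
        (root / "index.php").write_text("<?php echo 'v1'; ?>")
        (root / "static" / "app.css").write_text("body{}")
        baseline = build_baseline(root)  # taken at the last approved release

        (root / "index.php").write_text("<?php echo 'v2'; ?>")      # covered by a change record
        (root / "static" / "app.css").write_text("body{margin:0}")  # not a script, ignored
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_text("<?php /* constructed placeholder */ ?>")

        diff = diff_baseline(root, baseline)
        return diff, unexplained_script_changes(diff, approved_changes={"index.php"})


if __name__ == "__main__":
    diff, flagged = demo()
    print("diff:", diff)
    print("unexplained script changes:", flagged)
```

The baseline must be stored off the web host (a file the web service account can write is a file an intruder with that account can rewrite), and the approved-change set should be fed from the deployment pipeline rather than edited by hand, otherwise the check only measures how disciplined the operators are.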

Analyst notes and limits

The official object identifies Neo-reGeorg as an open-source web shell restructured from reGeorg with usability, security, and bug-fix improvements. ATT&CK relationships map it to multiple command-and-control and persistence behaviors and indicate use by Sandworm Team. The practical defensive value is to validate whether the organization can detect unauthorized web-accessible code and abnormal proxy/tunnel behavior on the platforms ATT&CK lists.

ATT&CK provides no official detection guidance, no aliases, no tactics directly on the software object, and limited descriptive detail beyond the external GitHub reference and relationships. This take avoids asserting active exploitation, customer exposure, or guaranteed detection. Local application architecture, logging depth, egress policy, and change-management data are required to assess real coverage.

Official MITRE ATT&CK definition

Neo-reGeorg

Neo-reGeorg is an open-source web shell designed as a restructuring of reGeorg with improved usability, security, and fixes for existing reGeorg bugs.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (8 rows)

Enterprise T1572 Protocol Tunneling
Neo-reGeorg can tunnel data in and out of targeted networks. [1]

Enterprise T1105 Ingress Tool Transfer
Neo-reGeorg has the ability to download files to targeted systems. [1]

Enterprise T1095 Non-Application Layer Protocol
Neo-reGeorg can create multiple TCP connections for a single session. [1]

Enterprise T1071.001 Web Protocols (sub-technique)
Neo-reGeorg can use customized HTTP headers. [1]

Enterprise T1090 Proxy
Neo-reGeorg has the ability to establish a SOCKS5 proxy on a compromised web server. [1]

Enterprise T1059.006 Python (sub-technique)
Neo-reGeorg is a Python-based web shell. [1]

Enterprise T1132.002 Non-Standard Encoding (sub-technique)
Neo-reGeorg can use modified Base64 encoding to obfuscate communications. [1]

Enterprise T1505.003 Web Shell (sub-technique)
Neo-reGeorg can be installed on compromised web servers to tunnel C2 connections. [1] (Citation: Mandiant-Sandworm-Ukraine-2022)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7873581a249d5017...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 7873581a249d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] GitHub Neo-reGeorg 2019. L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024. (Open source URL)
  2. [2] mitre-attack S1189. (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.