
Neo-reGeorg

Neo-reGeorg is a publicly available web shell and tunneling tool derived from reGeorg that is used to proxy traffic through a compromised web server into internal networks. The reporting consistently describes it as providing encrypted footholds on web servers and establishing SOCKS5 proxying for webshell-based pivoting; it can create multiple TCP connections for a single session. Mentioned variants include JSPX/JSP web shells with AES-encrypted channels and custom Base64 encoding, and reporting also references ASPX, PHP, Go, and ASHX variants. It has been observed deployed on compromised internet-facing servers and web applications, including IIS and Exchange-related infrastructure, to maintain persistent access and tunnel attacker traffic over HTTP.

The tool appears across multiple intrusion sets and campaigns. CloudSEK reported Neo-reGeorg as part of Operation Escaneo, attributed with medium confidence to MexicanMafia/PanchoVilla, where it was used alongside Chisel reverse tunnels and compromised Cisco routers with GRE tunnels for layered command-and-control and persistence against government, financial, and critical infrastructure organizations in Latin America, especially Mexico, with additional activity in Ecuador and Portugal. Kaspersky reported APT41 using a Neo-reGeorg tunnel on a compromised IIS server in an intrusion against African government IT services. Ctrl-Alt-Intel and related reporting described MuddyWater using Neo-reGeorg for webshell-based SOCKS pivoting, including deployment of nfud.aspx on a Portuguese government-related Exchange server. During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the Neo-REGEORG web shell on an internet-facing server. Unit 42 also listed Neo-reGeorg among the web shells used by TGR-STA-1030/UNC6619 in global espionage operations, and CrowdStrike reported Murky Panda/Silk Typhoon deploying Neo-reGeorg for persistence.

Observed behaviors and use cases in the content include persistent web access, encrypted tunneling, SOCKS pivoting from external to internal networks, and support for layered C2 architectures. One cited active deployment was https://mail.sef.pt/aspnet_client/system_web/4_0_30319/nfud.aspx, and one recovered tunnel key was 123QWEasd. Cisco Talos also noted a PHP web shell named 401.php based on the publicly available Neo-reGeorg codebase. High-confidence associations in the content include use by APT41, MuddyWater, Sandworm Team, Murky Panda/Silk Typhoon, TGR-STA-1030/UNC6619, and the Operation Escaneo activity cluster.
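As an added defensive example (not code from Mallory or from any of the cited reports), the following Python scans IIS W3C log lines for the referer-less HTTP POST beaconing that a Neo-reGeorg-style tunnel produces against a single server-side script, which is the T1071.001 pattern the reporting describes. The web-shell path is the one cited above; the log lines, client addresses, timestamps, field layout and threshold values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt (not from any report): the POST burst imitates
# the HTTP POST C2 channel reporting attributes to Neo-reGeorg. The web-shell
# path is the one cited on this page; client IPs are RFC 5737 example addresses.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2024-05-01 10:00:01 GET /owa/auth/logon.aspx 198.51.100.7 Mozilla/5.0 - 200
2024-05-01 10:00:02 POST /aspnet_client/system_web/4_0_30319/nfud.aspx 203.0.113.9 python-requests/2.31 - 200
2024-05-01 10:00:03 POST /aspnet_client/system_web/4_0_30319/nfud.aspx 203.0.113.9 python-requests/2.31 - 200
2024-05-01 10:00:03 POST /aspnet_client/system_web/4_0_30319/nfud.aspx 203.0.113.9 python-requests/2.31 - 200
2024-05-01 10:00:04 POST /aspnet_client/system_web/4_0_30319/nfud.aspx 203.0.113.9 python-requests/2.31 - 200
2024-05-01 10:00:05 POST /aspnet_client/system_web/4_0_30319/nfud.aspx 203.0.113.9 python-requests/2.31 - 200
2024-05-01 10:00:09 POST /owa/auth.owa 198.51.100.7 Mozilla/5.0 https://mail.example/owa/ 302
2024-05-01 10:05:00 POST /aspnet_client/system_web/4_0_30319/nfud.aspx 203.0.113.9 python-requests/2.31 - 200
"""

SCRIPT_EXT = (".aspx", ".ashx", ".jsp", ".jspx", ".php")  # variants named above

def parse_w3c(text):
    """Yield one dict per request, naming columns from the log's #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_tunnel_candidates(text, min_posts=5, window_seconds=60):
    """Return (client, uri, burst) for script URIs receiving >= min_posts referer-less
    POSTs from one client within any window_seconds span. Thresholds are assumptions."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        if (row["cs-method"] == "POST" and row["cs(Referer)"] == "-"
                and row["cs-uri-stem"].lower().endswith(SCRIPT_EXT)):
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            hits[(row["c-ip"], row["cs-uri-stem"])].append(ts)
    results = []
    for (client, uri), times in hits.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            results.append((client, uri, best))
    return results
```

Interactive browser traffic normally carries a Referer and spreads across many URIs, so a single script receiving a tight burst of bare POSTs from one client is worth a look even when the response codes are all 200.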


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-3928: Authenticated webshell upload and execution in Commvault Web Server (exploited in the wild)

Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928).

via The Hacker News (thehackernews.com)
CVE-2023-3519: Unauthenticated RCE in Citrix NetScaler ADC and Gateway (exploited in the wild)

Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928).

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

PanchoVilla / MexicanMafia

Tooling including proprietary reconnaissance engine Kimera; a "curated exploit armory" targeting popular perimeter devices such as those from Fortinet, Ivanti, and Cisco; portable lateral movement toolkits; and "layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels," researchers said.

via Dark Reading (darkreading.com)
Mexican Mafia / Pancho Villa

Neo-reGeorg webshells gave encrypted footholds on web servers, Chisel reverse tunnels carried traffic over HTTP, and a compromised Cisco router was fitted with a GRE tunnel pointing back to the attackers, a network-level channel invisible to host-based defenses.

via Infosecurity Magazine (infosecurity-magazine.com)
APT41

Based on these names, we were able to determine that this instance utilized a Neo-reGeorg web shell tunnel. This tool is used to proxy traffic from an external network to an internal one via an externally accessible web server.

via Securelist (securelist.com)
MuddyWater

MuddyWater was observed leveraging the Chinese-developed tool Neo-reGeorg to perform webshell-based SOCKS pivoting.

via Ctrl-Alt-Intel blog (ctrlaltintel.com)
MITRE ATT&CK

Techniques & procedures

19 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002 Tool (evidence: 1)

Open-source tools: Neo-reGeorg, resocks, revsocks, patator

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 3)

The attackers relied heavily on internet-facing vulnerabilities to gain entry. Reporting links the campaign to Fortinet FortiOS SSL-VPN and Ivanti Connect Secure flaws, along with other exploits involving Apache Tomcat, Windows, and Log4Shell.

Execution

1 technique
T1059.006 Python (evidence: 1)

Persistence

2 techniques
T1505.003 Web Shell (evidence: 9)

CloudSEK’s findings, as summarized by Infosecurity Magazine, describe Neo-reGeorg webshells, Chisel reverse tunnels, and even a compromised Cisco router configured with a GRE tunnel to maintain access.

T1505.004 IIS Components (evidence: 1)

Additionally, a web shell remained on the host, which our solutions detected as HEUR:Backdoor.MSIL.WebShell.gen ... Based on these names, we were able to determine that this instance utilized a Neo-reGeorg web shell tunnel.

Stealth

1 technique
T1027 Obfuscated Files or Information (evidence: 1)

Base64-encoded payloads including chisel.b64, pwnkit_b64, neo.jspx.b64 and payload.b64; chunked ELF binary delivery; AES-encrypted Neo-reGeorg webshell channel; custom Base64 alphabet.

Discovery

1 technique
T1135 Network Share Discovery (evidence: 1)

Neo-reGeorg SMB port-445 probing across the 10.8.7.0/24 subnet, targeting seven hosts simultaneously.

Lateral Movement

2 techniques
T1021 Remote Services (evidence: 1)

According to the timeline of the detection logs, the attackers were able to leverage some of these web shells to execute commands on the affected server and drop more post-exploitation tools utilized for lateral movement.

T1021.004 SSH (evidence: 1)

Both actors leveraged ProxyChains, SOCKS5 tunneling, and SSH for initial access, as well as additional tooling such as Chisel, CrackMapExec, Impacket, and Neo-reGeorg.

Command and Control

10 techniques
T1001.001 Junk Data (evidence: 1)

AES-encrypted Neo-reGeorg channel key; GZIP-compressed inner payload loaded through reflection with an obfuscated defineClass invocation.

T1071.001 Web Protocols (evidence: 5)

Neo-reGeorg HTTP POST BLV-encoded C2 channel; reverse shells on ports 80, 443 and 8080 to blend with HTTP and HTTPS traffic; Wget-based callback beacons.

T1090 Proxy (evidence: 7)

layered command-and-control infrastructure using Neo-reGeorg webshells, Chisel reverse tunnels, and compromised Cisco routers with persistent GRE tunnels

T1090.001 Internal Proxy (evidence: 1)

SOCKS5 pivot through 165.22.184.26:5571 to internal 10.39.x.x systems; Chisel reverse tunnel creating SOCKS proxies on 127.0.0.1:1080–1081; internal relay node at 10.39.1.204.

T1090.002 External Proxy (evidence: 2)

CloudSEK’s findings, as summarized by Infosecurity Magazine, describe Neo-reGeorg webshells, Chisel reverse tunnels, and even a compromised Cisco router configured with a GRE tunnel to maintain access. These methods helped the attackers stay connected while blending into normal traffic...

T1090.003 Multi-hop Proxy (evidence: 1)

Layered architecture using a public VPS, SOCKS5 relay at 165.22.184.26, internal pivot and target subnet; per-target proxychains.conf routing.

T1090.004 Domain Fronting (evidence: 1)

Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...

T1105 Ingress Tool Transfer (evidence: 2)

The attackers then started dropping various samples on this server, notably a dropper that was pushing more compiled variants carrying the same functionality... The attackers tried to drop additional post-exploitation tools to achieve their main objectives.

T1132.002 Non-Standard Encoding (evidence: 2)

Binary Length Value encoding for the Neo-reGeorg command-and-response channel; custom Base64 alphabet in the webshell.

T1572 Protocol Tunneling (evidence: 9)

Neo-reGeorg SOCKS5 tunnels via HTTP; Chisel reverse-proxy tunnelling TCP over HTTP using an AMD64 ELF binary; GRE tunnel configured on a compromised Cisco router pointing to the attacker VPS.

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 3 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 1 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 1 tracked. Other indicator types observed in public reporting.

Indicator types listed (values are redacted on the public page): ip.v4 (latest sighting 11 days ago), domain (4 months ago), ip.v4 (4 months ago), uri (4 months ago), hash.md5 (5 years ago).