FRP
FRP (Fast Reverse Proxy) is a legitimate open-source reverse proxy and tunneling utility used to expose local services behind NAT or firewalls to the internet and to create reverse proxy tunnels for persistent remote access. Reporting indicates it supports TCP, UDP, KCP, QUIC, and TCP stream multiplexing; can be configured to accept only TLS connections; supports JSON configuration files; and its client can connect to the server through a proxy. In intrusion activity, FRP is commonly deployed post-compromise to bypass firewalls and network controls, to proxy internal services such as RDP, C2 traffic, and raw TCP shells, and to maintain persistence. Reported use includes tunneling RDP traffic and establishing encrypted tunnels; in one case FRP v0.65.0 was compiled as a Go DLL and loaded in memory via manual PE mapping.
Reporting associates FRP with multiple threat actors and clusters. COBALT MIRAGE preferred FRPC for remote access, with Cluster B favoring the unmodified tool and Cluster A using a modified variant called TunnelFish. Iranian actors, including APT35 and the activity described in a DHS/CISA report, used FRP to tunnel RDP and maintain persistent access after exploiting Pulse Secure VPN, Citrix NetScaler, and F5 vulnerabilities. Volt Typhoon used a custom FRP client with hardcoded C2 callbacks. CL-UNK-1068, assessed by Unit 42 as a Chinese-speaking or Chinese threat actor targeting the aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors across South, Southeast, and East Asia, used modified or custom-compiled FRP builds on Windows and Linux to maintain C2 access and bypass network controls. Webworm, a China-aligned APT, continued using frp alongside iox and custom proxy tools in 2025. Other reporting cited use by Magic Hound, Fox Kitten, Iron Tiger-related activity, and TeamPCP/PCPcat cloud-focused intrusion activity.
Observed deployment contexts include both Linux and Windows hosts, with custom-compiled FRP builds for each platform. Reporting also describes modified FRP clients, binaries masquerading as legitimate files such as dllhost.exe, and FRP embedded in or wrapped inside other tooling. Specific examples include: a Windows FRP binary named svchost.exe with a configuration file masquerading as dllhost.dll that specified server_port 443, TLS enabled, and local RDP tunneling on port 3389; a custom FRP client with hardcoded callbacks to ports 8080, 8443, 8043, 8000, and 10443 in Volt Typhoon activity; and CL-UNK-1068 custom FRP samples using identifiers such as the token frpforzhangwei, proxy names like 10014-win-nic-32-v and 20012-linux-64-V, and a shared password reported as f*ckroot123. Additional filenames reported in FRP-related activity include cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.
High-confidence indicators and infrastructure directly mentioned in reporting include FRP client version 0.37.1 in one intrusion; FRP v0.65.0 in the CTRL toolkit; CTRL-related FRP configuration at C:\ProgramData\frp\frpc.toml with serverAddr hui228.ru, serverPort 7000, auth token ADAD, and proxy definitions for RDP and a TCP shell; FRP relay infrastructure on 194.33.61.36 and 109.107.168.18; an FRP server dashboard on port 7500 protected by HTTP Basic Authentication; TeamPCP use of FRP for persistent remote access; PCPcat installation of FRP reverse tunneling tools; and SideWalk use of FRP as a plugin with a customized configuration connecting to 47.253.83.86 over port 443. Overall, reporting consistently characterizes FRP as a dual-use proxy/tunneling tool frequently repurposed by threat actors for stealthy persistence, remote access, enabling lateral movement, and firewall evasion.
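The summary above turns on what an frpc configuration looks like on disk: a server address and port (server_addr/server_port in the legacy INI layout, serverAddr/serverPort in frpc.toml), an auth token, and proxy entries that forward a local port such as 3389 or a raw TCP shell, sometimes in a file renamed to look like a system DLL. A triage helper that recognises both layouts and calls out the exposed services is the natural defender-side check. The following is an added example written for this page, not code from the page or from the FRP project; the two sample configurations are constructed, and every host, port and token in them is a placeholder.

```python
"""Triage helper for frpc configs in both layouts frpc accepts (legacy INI with [common]; TOML with
[[proxies]]): extract server endpoint, token and proxies, then flag tunnels exposing sensitive local
services or a SOCKS plugin. Added example, not from this page or the FRP project; values are placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SENSITIVE_LOCAL_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
PIVOT_PLUGINS = {"socks5", "http_proxy"}  # plugins that turn frpc into a network pivot
GLOBAL_TABLES = {"common", "auth", "transport", "log", "webserver"}  # not proxy sections
_SECTION_RE = re.compile(r"^\[\[?\s*([^\]]+?)\s*\]\]?$")
_KV_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*(?:[#;].*)?$")  # key = value  # comment

@dataclass
class FrpcConfig:
    server_addr: str = ""
    server_port: Optional[int] = None
    token: str = ""
    proxies: List[Dict] = field(default_factory=list)  # name, local_port, remote_port, plugin

def parse_frpc_config(text: str) -> FrpcConfig:
    """Line-based parse; INI keys (server_addr) and TOML keys (serverAddr) are unified."""
    cfg, current, table = FrpcConfig(), None, ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            table = sec.group(1).lower()
            head, _, tail = table.partition(".")
            if head in GLOBAL_TABLES:
                current = None
            elif not (head == "proxies" and tail):  # [proxies.plugin] stays with current proxy
                cfg.proxies.append(current := {"name": "" if table == "proxies" else sec.group(1),
                                               "local_port": None, "remote_port": None, "plugin": ""})
            continue
        kv = _KV_RE.match(line)
        if not kv:
            continue
        raw_key, value = kv.group(1).lower(), kv.group(2).strip("\"'")
        full_key = f"{table}.{raw_key}" if table else raw_key
        key = raw_key.rsplit(".", 1)[-1].replace("_", "")  # server_addr == serverAddr
        if (raw_key == "plugin" or full_key.endswith("plugin.type")) and current is not None:
            current["plugin"] = value.lower()
        elif key == "serveraddr":
            cfg.server_addr = value
        elif key == "serverport":
            cfg.server_port = int(value) if value.isdigit() else None
        elif key == "token":
            cfg.token = value
        elif current is not None and key == "name":
            current["name"] = value
        elif current is not None and key in ("localport", "remoteport"):
            current[key[:-4] + "_port"] = int(value) if value.isdigit() else None
    return cfg

def triage(cfg: FrpcConfig) -> List[str]:
    """Analyst-facing findings; empty unless the file has a server address and a proxy."""
    if not (cfg.server_addr and cfg.proxies):
        return []
    findings = [f"frpc server {cfg.server_addr}:{cfg.server_port} token={'set' if cfg.token else 'absent'}"]
    for p in cfg.proxies:
        if p["plugin"] in PIVOT_PLUGINS:
            findings.append(f"proxy {p['name']!r}: {p['plugin']} plugin on server port {p['remote_port']}")
        elif p["local_port"] in SENSITIVE_LOCAL_PORTS:
            findings.append(f"proxy {p['name']!r}: local {SENSITIVE_LOCAL_PORTS[p['local_port']]}"
                            f"/{p['local_port']} exposed on server port {p['remote_port']}")
    return findings

# Constructed INI sample: server port 443, RDP forwarded, plus a socks5 plugin proxy.
SAMPLE_INI = """[common]
server_addr = 203.0.113.10
server_port = 443
token = PLACEHOLDER_TOKEN
[rdp-01]
type = tcp
local_port = 3389
remote_port = 6001
[plugin_socks5]
type = tcp
remote_port = 1080
plugin = socks5
"""
# Constructed TOML sample (frpc.toml layout): an RDP proxy and a raw TCP shell proxy.
SAMPLE_TOML = """serverAddr = "relay.example.invalid"
serverPort = 7000
auth.token = "PLACEHOLDER_TOKEN"
[[proxies]]
name = "rdp"
type = "tcp"
localPort = 3389
remotePort = 33890
[[proxies]]
name = "shell"
type = "tcp"
localPort = 4444
remotePort = 44440
"""
```

Feed parse_frpc_config the text of any file suspected of being a renamed frpc configuration and review what triage returns: a server address together with at least one proxy definition is treated as the frpc signature, and forwards of RDP, SSH, SMB or WinRM, or a socks5/http_proxy plugin, are called out individually. The JSON layout the page mentions is not handled by this parser, and a TLS setting is ignored; extend the key table if either matters in your environment.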
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild, and in several malware campaigns such as the emerald and nuts campaigns. ... CVE-2025-55182, which is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC) used in React.js, Next.js, and related frameworks.
Groups observed using it
9 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
COBALT MIRAGE's preferred form of remote access uses the Fast Reverse Proxy (FRPC) tool. While COBALT MIRAGE Cluster A uses a modified version of this tool known as TunnelFish, Cluster B favors the unaltered version.
We found the FRP tool being used on a Linux host, which is similar to Avast’s findings in a report that they published on the Iron Tiger threat actor. The FRP tool that we analyzed was a modified version, which was possibly copied off of Github.
While the group continued to use existing proxy solutions, specifically the Go-written iox (port forwarding and intranet proxy tool) and frp (fast reverse proxy)
FRP (Fast Reverse Proxy) is used to create reverse proxy tunnels, providing persistent remote access to compromised systems...
...using a mix of custom and public tools such as Microsocks, FRP, FScan, and Responder...
FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
2 techniques
Execution
4 techniques
The FRP client is deployed with a self-installing persistence mechanism via the start.sh launcher. On first execution it installs itself into crontab with (crontab -l ; echo " * * * * * bash $SCRIPT_PATH " ) | crontab - and is restarted by cron every minute if the process dies.
Trend™ Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild... a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC)... An attacker can send malicious data that executes arbitrary code on your servers before any authentication occurs.
Persistence
3 techniques
The FRP client is deployed with a self-installing persistence mechanism via the start.sh launcher... installs itself into crontab... The FRP client is restarted by cron every minute if the process dies.
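The cron relauncher quoted above (an every-minute crontab entry that hands start.sh to bash so the client is restarted whenever it dies) is easy to hunt for in per-user crontab dumps. This is an added example for this page, not code from the page or from the report it quotes; the crontab text is constructed and the script path in it is a placeholder.

```python
"""Hunt for the every-minute cron relauncher pattern: a crontab entry firing on every tick that
hands a script to a shell, keeping a tunnel client alive if its process dies. Added example, not
code from this page or the report it quotes; the crontab text below is constructed."""
import re
from typing import List, Tuple

_CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")  # 5 schedule fields + command
_SHELLS = {"sh", "bash", "dash", "zsh"}

def _fires_every_minute(fields) -> bool:
    """True for the literal '* * * * *' schedule (all five fields unrestricted)."""
    return all(f == "*" for f in fields)

def _shell_wraps_script(command: str) -> bool:
    """True when the command is a shell binary given further arguments, e.g. 'bash /path/start.sh'."""
    argv = command.split()
    return len(argv) > 1 and argv[0].rsplit("/", 1)[-1] in _SHELLS

def triage_crontab(crontab_text: str) -> List[Tuple[str, str]]:
    """(severity, command) for every-minute entries: 'high' if a shell is handed a script, else 'low'."""
    hits = []
    for line in (ln.strip() for ln in crontab_text.splitlines()):
        if not line or line.startswith("#") or "=" in line.split()[0]:  # comments and VAR=value lines
            continue
        m = _CRON_RE.match(line)
        if not m or not _fires_every_minute(m.groups()[:5]):
            continue
        command = m.group(6).strip()
        hits.append(("high" if _shell_wraps_script(command) else "low", command))
    return hits

# Constructed crontab dump: a benign nightly job, an every-minute relauncher in the shape quoted
# above, and an every-minute job that is not shell-wrapped (worth a look, lower priority).
SAMPLE_CRONTAB = """SHELL=/bin/bash
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * bash /tmp/.cache/start.sh
* * * * * /usr/local/bin/healthcheck --quiet
"""
```

Run triage_crontab over the output of crontab -l for each local user; /etc/cron.d files carry an extra user column, so they would need the regex extended before the shell-wrapping check applies. Every-minute schedules are rare on production hosts, which is why even the non-shell case is reported at low severity rather than dropped.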
Privilege Escalation
2 techniques
Stealth
3 techniques
"packed using Ultimate Packer for Executables (UPX)"; "UPX compressed"; PE sections include "UPX0/UPX1/UPX2"
Discovery
1 technique
Lateral Movement
3 techniques
“port 888 handles reverse tunnel connections… sets up… FRP reverse tunneling tools… allow attackers to maintain access even after the initial vulnerability is patched.”
Remote desktop access: Automated patching of termsrv.dll and installation of RDP Wrapper to enable unlimited concurrent RDP sessions...
Connect to the FRP server; send the Proxy command including the robot SN to the FRP server, which then routes the connection to that robot's local port 22 (SSH); log in as root... With PermitRootLogin yes, anyone with a serial number has persistent root shell access to that robot from anywhere on the internet.
Command and Control
11 techniques
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
The tool used is FRP (Fast Reverse Proxy), an open-source Chinese-developed NAT traversal utility... configured to expose the robot's local SSH service to the internet.
"an open source Fast Reverse Proxy Client (FRPC) tool used to open a reverse proxy between the compromised system and a Volt Typhoon C2 server"; "designed to open a reverse proxy between the compromised system and the TA's C2 server"; "[plugin_socks5] ... plugin = socks5 ... remote_port = 1080"
The FRP client can be configured to connect to the server through a proxy. The server component of SystemBC has used SOCKS5 for C2 communication. Keydnap uses a copy of tor2web proxy for HTTPS communications.
During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
Downloading microsocks binaries, GOST, FRP, and scanner modules from C2.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
43 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A fast reverse proxy utility used by Webworm and also serving as the inspiration/base for the custom WormFrp tool.
FRP is used by the toolkit as an embedded reverse proxy component to create tunnels for RDP and a raw TCP shell back to the operator-controlled server. In this case it is wrapped in a .NET loader, decrypted with AES-256-CBC, and loaded in memory via manual PE mapping.
Reverse proxy utility used to provide persistent remote access/tunneling into victim environments.
Reverse proxy/tunneling utility used to establish covert connectivity (including C2-style access) and bypass network controls; observed here in modified builds.