FRPC
FRPC (Fast Reverse Proxy Client) is a command-line Golang utility derived from the open-source FRP project and used to establish reverse proxy/tunneling connections between a compromised host and an operator-controlled server. In the provided reporting, it is repeatedly described as a modified or compiled version of the open-source FRP/FRPC tool that enables access to systems behind NAT or firewalls, supports reverse proxying over protocols including TCP, UDP, HTTP, and HTTPS, and has been used to tunnel Remote Desktop Protocol (RDP) over TLS or expose SOCKS5 proxy access. Reported capabilities include encryption, compression, token-based authentication, and use as a persistence mechanism.
FRPC is associated in the content with multiple threat actors and intrusion sets. Iranian-aligned activity tracked as TunnelVision and Fox Kitten/Pioneer Kitten/UNC757 used FRPC alongside tools such as Plink, ngrok, Chisel, and Go Proxy after exploiting internet-facing systems. In those cases, FRPC was used to establish connections from command-and-control infrastructure to local/internal servers and to maintain long-term access, including tunneling RDP traffic. The content also notes FRPC use in a U.S. critical infrastructure environment compromised by Volt Typhoon, where a UPX-packed Windows sample (SMSvcService.exe, SHA-256 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1) was identified as a compiled FRPC client configured to connect to an FRP server and expose a SOCKS5 service.
Observed infection or deployment context in the content is post-compromise rather than initial access: actors first exploited known vulnerabilities such as CVE-2018-13379, ProxyShell, Log4Shell, CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902, then deployed FRPC for tunneling, persistence, and operator access. Targeting mentioned in the source material includes U.S. federal agencies, critical infrastructure, and sectors such as information technology, government, healthcare, financial, insurance, and media, as well as organizations in the Middle East and the United States.
High-confidence indicators directly mentioned in the content include SHA-256 2587217bc685527480c803ddf34a56ae9d9bf02681828a8a2081acc775312cf3 for an FRPC sample and SHA-256 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1 for SMSvcService.exe identified as FRPC. Additional directly mentioned operational details include use of port 7557 in one advisory, and an example FRPC configuration with server_addr 192.168.18.111, server_port 8081, remote_port 1080, plugin socks5, tls_enable true, and protocol tcp.
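The configuration keys listed above (server_addr, server_port, remote_port, plugin, tls_enable, protocol) are the classic frpc.ini layout, and a responder who recovers such a file wants to know two things fast: where the client dials out and what it exposes on the FRP server. The following Python triage helper is an added example, not code from the reporting or from the FRP project; the embedded config is constructed from the values in the profile, and the section name `socks` and the function names are assumptions.

```python
import configparser
from dataclasses import dataclass, field
# Constructed sample frpc.ini built from the values the profile above reports; the
# [common] + one-section-per-proxy layout is frpc's classic INI format and the
# section name "socks" is an assumption, not taken from the reporting.
SAMPLE_FRPC_INI = """
[common]
server_addr = 192.168.18.111
server_port = 8081
protocol = tcp
tls_enable = true
[socks]
type = tcp
remote_port = 1080
plugin = socks5
"""
@dataclass
class FrpcSummary:
    server: str      # FRPS endpoint the client dials out to
    protocol: str
    tls: bool
    proxies: list = field(default_factory=list)

def parse_frpc_ini(text: str) -> FrpcSummary:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp["common"] if cp.has_section("common") else {}
    summary = FrpcSummary(
        server=f"{common.get('server_addr', '?')}:{common.get('server_port', '?')}",
        protocol=common.get("protocol", "tcp"),
        tls=common.get("tls_enable", "false").strip().lower() == "true")
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        summary.proxies.append({
            "name": name,
            "remote_port": int(sec.get("remote_port", "0") or 0),  # port opened on FRPS
            "plugin": sec.get("plugin"),  # socks5 means frpc itself serves the proxy
            "local": f"{sec.get('local_ip', '127.0.0.1')}:{sec.get('local_port', '?')}"})
    return summary

def triage_flags(summary: FrpcSummary) -> list:
    flags = [f"outbound {summary.protocol} to FRPS {summary.server}"
             + (" (TLS wrapped)" if summary.tls else "")]
    for p in summary.proxies:
        if p["plugin"] == "socks5":
            flags.append(f"[{p['name']}] SOCKS5 pivot reachable on FRPS port {p['remote_port']}")
        else:
            flags.append(f"[{p['name']}] {p['local']} exposed on FRPS port {p['remote_port']}")
    return flags
```

Run `triage_flags(parse_frpc_ini(SAMPLE_FRPC_INI))` to get the outbound endpoint and the SOCKS5 exposure as two review lines; a proxy section without `plugin` is reported as a local service forwarded to the FRPS port instead.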
Groups observed using it
Three distinct threat actors are attributed by public researchers.
The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink.
"This packed file contains a compiled version of an open-source tool published on GitHub called "FRPC". The "FRPC" is a command-line tool written in Golang that is designed to open a reverse proxy between the compromised system and the TA's C2 server."
Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant and enable remote access to vulnerable systems.
TunnelVision activities are characterized by wide exploitation of 1-day vulnerabilities in target regions. During the time we’ve been tracking this actor, we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and recently Log4Shell.
Execution (1 technique)
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (3 techniques)
"packed using Ultimate Packer for Executables (UPX)"; "UPX compressed"; PE sections include "UPX0/UPX1/UPX2"
The threat actor used FRPC (frpc.exe) daily as reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.
Lateral Movement (1 technique)
Command and Control (9 techniques)
"attempts to establish a connection with the Fast Reverse Proxy Server (FRPS)"; "supports encryption, compression, and allows easy token authentication"; "supports ... TCP ... UDP ... HTTP ... HTTPS"; "tls_enable = true"
Due to the threat actor’s heavy reliance on tunneling tools... The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink.
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Symantec's published indicators point to a wider intrusion kit... FRPC for tunneling traffic out...
The threat actors exploited the ProxyShell and Log4j vulnerabilities to deploy TunnelFish, a custom Fast Reverse Proxy client (FRPC) variant and enable remote access to vulnerable systems.
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
In this example, the threat actor attempted to download ngrok to a compromised VMware Horizon server.
Recent activity
A named tool listed in the IOCs, commonly used for proxying or tunneling network traffic to support covert access or exfiltration.
A named tool listed in the IOCs. FRPC commonly refers to the Fast Reverse Proxy client, suggesting possible tunneling or remote connectivity use, though the content does not describe its role in this intrusion.
A tunneling tool widely deployed by TunnelVision, often wrapped in a unique fashion during exploitation campaigns.
Client component/tooling used for reverse proxying to connect C2 to internal/local services.