HackTool:JS/ReGeorg
Aliases: No associated aliases
Summary
HackTool:JS/ReGeorg is a JavaScript-based tool classified as a hacking tool with a legitimate use in penetration testing. Like any pentest tool, it can be weaponized: attackers use it to create covert HTTP tunnels for command and control (C2) communication. With ReGeorg, threat actors can bypass proxies and firewalls. The tool also behaves like a webshell proxy, relaying malicious traffic over TCP ports 80 and 443, which are commonly open, making it very difficult to detect. It is also used effectively alongside exploitation of CVE-2021-26084 and CVE-2025-0282.
This tool is often found in the hands of advanced persistent threat (APT) groups or state-sponsored actors, including the group Sandworm, to maintain persistence in compromised networks, exfiltrate data, or deliver secondary payloads. Infection happens through drive-by download from a malicious site, phishing campaigns, or as a payload dropped by other malware.
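Because the tunnel rides over ordinary web traffic on ports 80 and 443, the most reliable place to spot it is the web server's own access log. The following detector, added here as an example (not part of the original page or of the ReGeorg tool), parses constructed combined-format access-log lines and flags a client that drives a single server-side script with the tunnel verbs the public ReGeorg client sends in its ?cmd= parameter (connect, forward, read, disconnect). The script path, client address and target values are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Tunnel verbs the public ReGeorg client passes in the ?cmd= query parameter.
TUNNEL_CMDS = {"connect", "disconnect", "forward", "read"}

# Constructed sample access-log lines (combined log format); not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /uploads/tunnel.jsp HTTP/1.1" 200 29
10.0.0.5 - - [01/May/2024:10:00:02 +0000] "POST /uploads/tunnel.jsp?cmd=connect&target=10.0.1.20&port=3389 HTTP/1.1" 200 0
10.0.0.5 - - [01/May/2024:10:00:03 +0000] "POST /uploads/tunnel.jsp?cmd=forward HTTP/1.1" 200 0
10.0.0.5 - - [01/May/2024:10:00:03 +0000] "POST /uploads/tunnel.jsp?cmd=read HTTP/1.1" 200 4096
10.0.0.5 - - [01/May/2024:10:00:09 +0000] "POST /uploads/tunnel.jsp?cmd=disconnect HTTP/1.1" 200 0
10.0.0.7 - - [01/May/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client, (ident, user skipped), [timestamp], "METHOD URL PROTO", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\S+)')


def find_tunnels(log_text, min_cmds=3):
    """Return one finding per (client, script) pair that issued at least
    `min_cmds` ReGeorg tunnel verbs, including any connect targets seen."""
    stats = defaultdict(lambda: {"cmds": set(), "count": 0, "targets": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        client, _method, url, _status, _size = m.groups()
        parts = urlsplit(url)
        qs = parse_qs(parts.query)
        cmd = qs.get("cmd", [None])[0]
        if cmd not in TUNNEL_CMDS:
            continue  # ordinary request, not a tunnel verb
        entry = stats[(client, parts.path)]
        entry["cmds"].add(cmd)
        entry["count"] += 1
        if cmd == "connect":  # record where the tunnel was pointed
            target = qs.get("target", ["?"])[0]
            port = qs.get("port", ["?"])[0]
            entry["targets"].append(f"{target}:{port}")
    return [{"client": c, "script": p, "commands": sorted(e["cmds"]),
             "targets": e["targets"]}
            for (c, p), e in stats.items() if e["count"] >= min_cmds]


if __name__ == "__main__":
    for f in find_tunnels(SAMPLE_LOG):
        print(f"{f['client']} -> {f['script']}: {f['commands']} targets={f['targets']}")
```

The connect target and port recorded in each finding tell an incident responder which internal hosts the tunnel reached, which is the pivot scope to investigate next.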
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.