ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6)

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[Zdnet Ngrok September 2018][FireEye Maze May 2020][Cyware Ngrok May 2019][MalwareBytes LazyScripter Feb 2021]

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | LazyScripter (12279b62-289e-49ee-97cb-c780edd3d091) | Tidal Groups | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | Daixin Team (07bdadce-905e-4337-898a-13e88cfb5a61) | Tidal Groups | 1 |
| Akira Ransomware Actors (0fcb2205-e75b-46c9-ac54-00f218d5e331) | Tidal Groups | ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | Fox Kitten (7094468a-2310-48b5-ad24-e669152bd66d) | Tidal Groups | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | LockBit Ransomware Actors & Affiliates (d0f3353c-fbdd-4bd5-8793-a42e1f319b59) | Tidal Groups | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | BianLian Ransomware Group (a2add2a0-2b54-4623-a380-a9ad91f1f2dd) | Tidal Groups | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | Scattered Spider (3d77fb6c-cfb4-5563-b0be-7aa1ad535337) | Tidal Groups | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | LAPSUS$ (0060bb76-6713-4942-a4c0-d4ae01ec2866) | Tidal Groups | 1 |
| ngrok (316ecd9d-ac0b-58c7-8083-5d9214c770f6) | Tidal Software | BlackCat Ransomware Actors & Affiliates (33159d02-a1ce-49ec-a381-60b069db66f7) | Tidal Groups | 1 |