Proxy, Technique T1090 - Enterprise
During the 2025 Poland Wiper Attacks, the adversaries used the rsocx tool (observed as r.exe and rsocx.exe) to tunnel within the internal infrastructure as a reverse SOCKS proxy.[2][3]
APT41 used a tool called CLASSFON to covertly proxy network communications.[4]
Aria-body has the ability to use a reverse SOCKS proxy module.[5]
AuditCred can use a proxy for communications.[6]
BADCALL functions as a proxy server between the victim and C2 server.[7]
BADHATCH can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. BADHATCH can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers.[8]
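Several entries on this page (BADHATCH, jRAT, QuasarRAT, Remcos, Socksbot, SombRAT and others) describe malware that speaks SOCKS4 or SOCKS5. The parser below is an added example, not code from ATT&CK or from any of the tools listed, showing what the first client messages of each protocol look like on the wire; the sample byte strings are constructed by hand, not captured traffic. Because both protocols open with a fixed version byte and a rigid layout, this is enough for a sensor to recognise a proxy handshake on a port that should not carry one.

```python
"""Parse the opening messages of SOCKS4/SOCKS4a and SOCKS5 sessions.

Added example for this page: not code from ATT&CK or from any listed tool.
The sample bytes below are constructed, not real captures.
"""
import socket
import struct
from typing import Dict, Optional

SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
SOCKS_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_greeting(data: bytes) -> Optional[Dict]:
    """Client greeting (RFC 1928): VER=0x05 | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    methods = [SOCKS5_METHODS.get(m, "0x%02x" % m) for m in data[2:2 + n]]
    return {"version": 5, "methods": methods}


def parse_socks5_request(data: bytes) -> Optional[Dict]:
    """Client request sent after method selection: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:                                   # IPv4, 4 bytes
        if len(data) < 10:
            return None
        host, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 0x03:                                 # domain name, length-prefixed
        ln = data[4] if len(data) > 4 else 0
        if ln == 0 or len(data) < 5 + ln + 2:
            return None
        host, end = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04:                                 # IPv6, 16 bytes
        if len(data) < 22:
            return None
        host, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"version": 5, "cmd": SOCKS_CMDS.get(cmd, "0x%02x" % cmd),
            "host": host, "port": port}


def parse_socks4_request(data: bytes) -> Optional[Dict]:
    """SOCKS4/4a request: VN=0x04 | CD | DSTPORT | DSTIP | USERID NUL [HOSTNAME NUL]."""
    if len(data) < 9 or data[0] != 0x04:
        return None
    cmd = data[1]
    port = struct.unpack("!H", data[2:4])[0]
    ip = data[4:8]
    nul = data.find(b"\x00", 8)                        # end of USERID
    if nul < 0:
        return None
    userid = data[8:nul].decode("ascii", "replace")
    host = socket.inet_ntoa(ip)
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means a hostname follows the user id
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        end = data.find(b"\x00", nul + 1)
        if end < 0:
            return None
        host = data[nul + 1:end].decode("ascii", "replace")
    return {"version": 4, "cmd": SOCKS_CMDS.get(cmd, "0x%02x" % cmd),
            "host": host, "port": port, "userid": userid}


def classify_first_message(data: bytes) -> Optional[Dict]:
    """Identify the first client payload of a TCP stream as a SOCKS handshake.

    SOCKS5 always begins with a greeting; SOCKS4 has no greeting and sends the
    request directly. parse_socks5_request() is for the *second* SOCKS5 client
    message: a CONNECT tried here could be misread as a one-method greeting.
    """
    return parse_socks5_greeting(data) or parse_socks4_request(data)


# Constructed sample messages (not real captures)
SAMPLE_SOCKS5_GREETING = b"\x05\x01\x00"                         # one method: no-auth
SAMPLE_SOCKS5_CONNECT = (b"\x05\x01\x00\x03" + bytes([14]) +     # CONNECT, domain name
                         b"c2.example.net" + b"\x01\xbb")        # port 443
SAMPLE_SOCKS4A_CONNECT = (b"\x04\x01\x01\xbb\x00\x00\x00\x01"    # CONNECT :443, DSTIP 0.0.0.1
                          b"user\x00c2.example.net\x00")
SAMPLE_TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"                   # a TLS record, not SOCKS

if __name__ == "__main__":
    for name, msg in [("socks5 greeting", SAMPLE_SOCKS5_GREETING),
                      ("socks4a connect", SAMPLE_SOCKS4A_CONNECT),
                      ("tls hello", SAMPLE_TLS_HELLO)]:
        print(name, "->", classify_first_message(msg))
    print("socks5 connect ->", parse_socks5_request(SAMPLE_SOCKS5_CONNECT))
```

The split between classify_first_message() and parse_socks5_request() matters for a stream-aware sensor: a SOCKS5 CONNECT to an IPv4 address (05 01 00 01 ...) is byte-compatible with a greeting offering one method, so the parser has to know which message in the exchange it is looking at rather than guess from the bytes alone.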
Bisonal has supported use of a proxy server.[9]
Blue Mockingbird has used FRP, ssf, and Venom to establish SOCKS proxy connections.[10]
During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[11]
During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[12]
Cardinal RAT can act as a reverse proxy.[13]
Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool.[14]
Contagious Interview has leveraged Astrill VPN for C2.[15]
CopyKittens has used the AirVPN service for operational activity.[16]
Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.[17][18]
Earth Lusca adopted Cloudflare as a proxy for compromised servers.[19]
Fox Kitten has used open-source reverse proxy tools, including FRPC and Go Proxy, to establish connections from C2 to local servers.[20][21][22]
FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.[23]
FunnyDream can identify and use configured proxies in a compromised network for C2 communication.[24]
Gamaredon Group has used the Cloudflare Tunnel client to proxy C2 traffic.[25]
GoBear implements SOCKS5 proxy functionality.[26]
Green Lambert can use proxies for C2 traffic.[27][28]
HARDRAIN runs the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" to open inbound TCP port 443 in the Windows firewall, then makes the victim machine function as a proxy server.[29]
Havoc has the ability to route HTTP/S communications through designated proxies.[30]
HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.[31]
HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure.[32][33]
jRAT can serve as a SOCKS proxy server.[34]
Kapeka can identify system proxy settings via WinHttpGetIEProxyConfigForCurrentUser() during initialization and utilize these settings for subsequent command and control operations.[35]
Kessel can use a proxy during exfiltration if set in the configuration.[36]
KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.[11]
KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.[37]
LAPSUS$ has leveraged NordVPN for its egress points when targeting intended victims.[38]
LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy.[39]
LunarWeb has the ability to use an HTTP proxy server for C&C communications.[40]
Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic.[41]
MirrorFace has used the GO Simple Tunnel (GOST) proxy tool.[42]
MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks.[43]
MuddyWater has used NordVPN to proxy phishing emails, making them appear to originate from France.[44]
Neo-reGeorg has the ability to establish a SOCKS5 proxy on a compromised web server.[45]
netsh can be used (via its interface portproxy command) to set up a proxy tunnel that lets a remote host reach an infected host.[46]
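The HARDRAIN entry above (netsh firewall add portopening) and the netsh entry (interface portproxy) describe the two netsh invocations that turn a host into a proxy or open the port one listens on. The script below is an added example, not ATT&CK tooling or any vendor's detection content: it triages process-creation records (image path plus command line, as Sysmon Event ID 1 or Windows Security 4688 with command-line auditing produce) and flags both forms, pulling out the listen and connect endpoints of a portproxy rule. SAMPLE_EVENTS is constructed, not real telemetry.

```python
"""Flag netsh command lines that open inbound ports or create portproxy tunnels.

Added example for this page: not ATT&CK tooling. SAMPLE_EVENTS is constructed,
not real telemetry. Input is process-creation style records (image + command line).
"""
import re
from typing import Dict, List

# netsh interface portproxy add v4tov4 ... : a persistent TCP forwarder on the host
PORTPROXY_ADD = re.compile(r"\bportproxy\s+add\s+v[46]tov[46]\b", re.I)
PORTPROXY_KV = re.compile(r"\b(listenport|listenaddress|connectport|connectaddress)=(\S+)", re.I)
# legacy syntax used in the HARDRAIN sample: netsh firewall add portopening <proto> <port> <name>
LEGACY_PORTOPENING = re.compile(r"\bfirewall\s+add\s+portopening\s+(\w+)\s+(\d+)", re.I)
# current syntax: netsh advfirewall firewall add rule ... dir=in action=allow ...
ADVFW_ALLOW_IN = re.compile(
    r"\badvfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)", re.I)
LOCALPORT = re.compile(r"\blocalport=(\S+)", re.I)

RULE_PORTPROXY = "netsh portproxy tunnel added"
RULE_LEGACY_OPEN = "legacy netsh firewall port opened"
RULE_ADVFW_OPEN = "advfirewall inbound allow rule added"

# Constructed sample records (not real telemetry)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c netsh firewall add portopening TCP 443 "adp"'},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 "
                "connectport=3389 connectaddress=10.0.0.7"},
    {"host": "srv02", "user": "CORP\\admin", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in '
                "action=allow protocol=TCP localport=3389"},
    {"host": "ws03", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy show all"},
    {"host": "ws04", "user": "CORP\\asmith", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
]


def is_netsh(event: Dict[str, str]) -> bool:
    """True for netsh.exe itself or for a wrapper (cmd.exe /c ...) that invokes it."""
    if event["image"].lower().endswith("\\netsh.exe"):
        return True
    return re.search(r"\bnetsh(\.exe)?\b", event["cmdline"], re.I) is not None


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious netsh invocation, in input order."""
    findings = []
    for ev in events:
        if not is_netsh(ev):
            continue
        cl = ev["cmdline"]
        base = {"host": ev["host"], "user": ev["user"], "cmdline": cl}
        if PORTPROXY_ADD.search(cl):
            kv = {k.lower(): v for k, v in PORTPROXY_KV.findall(cl)}
            findings.append({**base, "rule": RULE_PORTPROXY, "severity": "high",
                             "listen": f"{kv.get('listenaddress', '*')}:{kv.get('listenport', '?')}",
                             "connect": f"{kv.get('connectaddress', '?')}:{kv.get('connectport', '?')}"})
            continue
        m = LEGACY_PORTOPENING.search(cl)
        if m:
            findings.append({**base, "rule": RULE_LEGACY_OPEN, "severity": "medium",
                             "port": f"{m.group(1).upper()}/{m.group(2)}"})
            continue
        if ADVFW_ALLOW_IN.search(cl):
            lp = LOCALPORT.search(cl)
            findings.append({**base, "rule": RULE_ADVFW_OPEN, "severity": "low",
                             "port": lp.group(1) if lp else "any"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['rule']} -> {f['cmdline']}")
```

The legacy `netsh firewall` syntax gets a higher severity than `advfirewall` because it is deprecated and rarely typed by administrators, while inbound allow rules are routine change-management noise that needs the port and rule name for context. A portproxy rule is also persistent: it is stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so `netsh interface portproxy show all` on a suspect host, or monitoring writes to that key, catches entries created before command-line logging was enabled.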
NETWIRE can implement use of proxies to pivot traffic.[47]
ngrok can be used to proxy connections to machines located behind NAT or firewalls.[48][49]
During Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool.[50]
For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.[51]
During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops.[52]
PLEAD has the ability to proxy network communications.[53]
POLONIUM has used the AirVPN service for operational activity.[16]
PoshC2 contains modules that allow for use of proxies in command and control.[54]
QuasarRAT can communicate over a reverse proxy using SOCKS5.[55][56]
RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality.[57]
RansomHub can use a proxy to connect to remote SFTP servers.[58]
Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.[59]
During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port.[60][61]
reGeorg can establish an HTTP or SOCKS proxy to tunnel data in and out of a network.[62][63][64]
Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[65][66]
Sagerunex uses several proxy configuration settings to ensure connectivity.[67]
During Salesforce Data Exfiltration, threat actors used Mullvad VPN IPs to proxy voice phishing calls.[68]
Samurai has the ability to proxy connections to specified remote IPs and ports through a proxy module.[69]
Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[70]
Scattered Spider has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs.[71][72]
SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[73]
During SharePoint ToolShell Exploitation, threat actors used Fast Reverse Proxy to communicate with C2.[74][75]
Socksbot can start SOCKS proxy threads.[76]
SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.[77]
TSCookie has the ability to proxy communications with command and control (C2) servers.[78]
Turla RPC backdoors have included local UPnP RPC proxies.[79]
A TYPEFRAME variant can force the compromised system to function as a proxy server.[80]
Ursnif has used a peer-to-peer (P2P) network for C2.[81][82]
Vasport is capable of tunneling through a proxy.[83]
Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic.[84][85][86]
WarzoneRAT has the capability to act as a reverse proxy.[87]
Windigo has delivered a generic Windows proxy, Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of its C2 infrastructure.[88]
XTunnel relays traffic between a C2 server and a victim.[89]
ZIPLINE can create a proxy server on compromised hosts.[90][91]