Proxy: External Proxy, Sub-technique T1090.002 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Proxy: External Proxy
Other sub-techniques of Proxy (4)

ID        | Name
T1090.001 | Internal Proxy
T1090.002 | External Proxy
T1090.003 | Multi-hop Proxy
T1090.004 | Domain Fronting
Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [1]
Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.
ID: T1090.002
Sub-technique of: T1090
Tactic: Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Version: 1.2
Created: 14 March 2020
Last Modified: 15 April 2025
Procedure Examples

ID | Name | Description
G0007 | APT28 | APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server. [2][3][4]
G0016 | APT29 | APT29 uses compromised residential endpoints as proxies for defense evasion and network access. [5]
G0022 | APT3 | An APT3 downloader establishes SOCKS5 connections for its initial C2. [6]
G0087 | APT39 | APT39 has used various tools to proxy C2 communications. [7]
G0053 | FIN5 | FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel. [8]
G0093 | GALLIUM | GALLIUM used a modified version of HTRAN to redirect connections between networks. [9]
S0260 | InvisiMole | InvisiMole can identify proxy servers used by the victim and use them for C2 communication. [10][11]
G0032 | Lazarus Group | Lazarus Group has used multiple proxies to obfuscate network traffic from victims. [12][13]
G0045 | menuPass | menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim. [14][15]
G0069 | MuddyWater | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. [16] MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2). [17][18]
S0699 | Mythic | Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic. [19]
S0439 | Okrum | Okrum can identify proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server. [20]
S0223 | POWERSTATS | POWERSTATS has connected to C2 servers through proxies. [21]
S0650 | QakBot | QakBot has a module that can proxy C2 communications. [22]
S1084 | QUIETEXIT | QUIETEXIT can proxy traffic via SOCKS. [23]
S0019 | Regin | Regin leveraged several compromised universities as proxies to obscure its origin. [24]
S0444 | ShimRat | ShimRat can use pre-configured HTTP proxies. [25]
G0091 | Silence | Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via SOCKS4/SOCKS5. [26]
G0131 | Tonto Team | Tonto Team has routed their traffic through an external server in order to obfuscate their location. [27]
S0266 | TrickBot | TrickBot has been known to reach a command and control server via one of nine proxy IP addresses. [28][29]
S0141 | Winnti for Windows | The Winnti for Windows HTTP/S C2 mode can make use of an external proxy. [30]
Mitigations

ID | Mitigation | Description
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [31]
Detection

ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
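One way to implement the flow-baselining the Network Traffic Flow row describes, as an added example that is not part of the ATT&CK page: a baseline of which processes normally use the network and where they connect, and a check that flags processes never seen on the network or known processes reaching a never-seen destination. The hostnames, process names and RFC 5737 addresses are constructed sample data, not real telemetry.

```python
"""Baseline flagging of uncommon outbound flows (added example, not ATT&CK content).
Each Conn is a constructed EDR-style record. A new event is flagged when its process has
never been seen on the network, or when a known process reaches a never-used destination.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    host: str
    process: str
    dst_ip: str
    dst_port: int


# Constructed baseline window: ordinary browser and update traffic. Addresses are
# from RFC 5737 documentation ranges, not real infrastructure.
BASELINE = [
    Conn("ws01", "chrome.exe", "198.51.100.10", 443),
    Conn("ws01", "chrome.exe", "198.51.100.11", 443),
    Conn("ws02", "chrome.exe", "198.51.100.10", 443),
    Conn("ws01", "svchost.exe", "203.0.113.5", 443),
    Conn("ws02", "svchost.exe", "203.0.113.5", 443),
]

# Constructed new events: a benign repeat, a process that has never used the
# network, and a known process reaching a never-seen host on a SOCKS-style port.
NEW_EVENTS = [
    Conn("ws01", "chrome.exe", "198.51.100.10", 443),
    Conn("ws02", "notepad.exe", "192.0.2.77", 443),
    Conn("ws01", "svchost.exe", "192.0.2.99", 1080),
]


def build_baseline(events):
    """Return (set of processes seen on the network, {process: set of (ip, port)})."""
    procs, dests = set(), defaultdict(set)
    for e in events:
        procs.add(e.process)
        dests[e.process].add((e.dst_ip, e.dst_port))
    return procs, dests


def flag_uncommon_flows(new_events, baseline_events):
    """Return [(event, reason)] for events that deviate from the baseline."""
    procs, dests = build_baseline(baseline_events)
    hits = []
    for e in new_events:
        if e.process not in procs:
            hits.append((e, "process never seen making network connections"))
        elif (e.dst_ip, e.dst_port) not in dests[e.process]:
            hits.append((e, "known process reaching a never-seen destination"))
    return hits
```

In practice the baseline comes from a sliding window of real connection telemetry, and the flagged events are then correlated with process command lines as the Network Traffic Content row suggests.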
References

[1] Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.
[2] FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
[3] Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
[4] Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
[5] UK National Cyber Security Centre et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
[6] Moran, N. et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
[7] Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
[8] Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
[9] Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
[10] Hromcová, Z. (2018, June 7). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
[11] Hromcová, Z. and Cherepanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
[12] US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
[13] Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus' Multi-Platform Attack Capability. Retrieved August 10, 2020.
[14] FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
[15] Matsuda, A. and Muhammad, I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
[16] Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
[17] Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
[18] Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
[19] Thomas, C. (n.d.). Mythic Documentation. Retrieved March 25, 2022.
[20] Hromcová, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
[21] Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
[22] Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
[23] Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
[24] Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM: NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
[25] Klijnsma, Y. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
[26] Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
[27] Lughi, D. and Horejsi, J. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
[28] Arsene, L. and Tudorica, R. (2020, November 23). TrickBot is Dead. Long Live TrickBot! Retrieved September 28, 2021.
[29] Tudorica, R. (2021, July 12). A Fresh Look at Trickbot's Ever-Improving VNC Module. Retrieved September 28, 2021.
[30] Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
[31] Gardiner, J., Cova, M. and Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.