Proxy: Multi-hop Proxy, Sub-technique T1090.003 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Other sub-techniques of Proxy (4)
ID        | Name
T1090.001 | Internal Proxy
T1090.002 | External Proxy
T1090.003 | Multi-hop Proxy
T1090.004 | Domain Fronting
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available Tor network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network. [1] Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations. [2]
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization's Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers. [3]
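The visibility problem the description raises (the defender sees only the last hop and must obtain every intermediate hop's records to reach the origin) can be simulated without any real network. The following is an added example, not MITRE's code or any project's; hop names, the origin label and the per-hop connection logs are all constructed. Each relay records only its immediate neighbours, and the investigator's trace stops as soon as one hop's log is unavailable.

```python
"""Simulate a multi-hop proxy chain and the defender's trace through it.
Added illustration (not MITRE ATT&CK code). All names and logs are constructed."""
from dataclasses import dataclass, field


@dataclass
class Hop:
    """A relay node that forwards traffic and logs only (inbound_peer, self) pairs."""
    name: str
    log: list = field(default_factory=list)


def send_through_chain(origin: str, chain: list) -> str:
    """Relay one request along the chain. Returns the peer the final
    destination observes, which is always the last hop, never the origin."""
    prev = origin
    for hop in chain:
        hop.log.append((prev, hop.name))   # each hop sees only who handed it the traffic
        prev = hop.name
    return prev


def trace_source(observed_peer: str, available_logs: dict) -> list:
    """Walk backwards from the peer the victim saw, using whatever hop logs the
    investigator managed to obtain (hop name -> list of (src, dst) records).
    Returns the path walked; it ends at the origin only if every hop's log is present."""
    path = [observed_peer]
    current = observed_peer
    while current in available_logs:
        inbound = [src for src, dst in available_logs[current] if dst == current]
        if not inbound:
            break
        current = inbound[-1]       # most recent inbound peer for this hop
        path.append(current)
    return path


def build_scenario():
    """Constructed three-hop chain: origin -> hopA -> hopB -> hopC -> victim."""
    chain = [Hop("hopA"), Hop("hopB"), Hop("hopC")]
    observed = send_through_chain("origin", chain)
    logs = {hop.name: hop.log for hop in chain}
    return observed, logs


def trace_with_all_logs() -> list:
    observed, logs = build_scenario()
    return trace_source(observed, logs)


def trace_missing_middle_hop() -> list:
    """Same chain, but hopB's records could not be obtained (e.g. a foreign relay)."""
    observed, logs = build_scenario()
    partial = {name: log for name, log in logs.items() if name != "hopB"}
    return trace_source(observed, partial)


if __name__ == "__main__":
    print("victim observes:", build_scenario()[0])
    print("full trace:     ", trace_with_all_logs())
    print("one hop missing:", trace_missing_middle_hop())
```

Run stand-alone, the script shows the victim observing only `hopC`; the full trace recovers `origin`, while the trace with one hop's log withheld stops at `hopB`, which is exactly the gap an adversary relies on when chaining relays across jurisdictions or compromised devices.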
ID: T1090.003
Sub-technique of: T1090
Tactic: Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Eduardo Chavarro Ovalle
Version: 2.3
Created: 14 March 2020
Last Modified: 15 April 2025
Procedure Examples
ID | Name | Description
G0007 | APT28 | APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. [4]
G0016 | APT29 | A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB), enabling full remote access from outside the network, and has also used TOR. [5][6]
S0438 | Attor | Attor has used Tor for C2 communication. [7]
S1184 | BOLDMOVE | BOLDMOVE is capable of relaying traffic from command and control servers to follow-on systems. [8]
C0004 | CostaRicto | During CostaRicto, the threat actors used a layer of proxies to manage C2 communications. [9]
S0687 | Cyclops Blink | Cyclops Blink has used Tor nodes for C2 traffic. [10]
S0281 | Dok | Dok downloads and installs Tor via homebrew. [11]
S0384 | Dridex | Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure. [12]
G1003 | Ember Bear | Ember Bear has configured multi-hop proxies via ProxyChains within victim environments. [13]
G0085 | FIN4 | FIN4 has used Tor to log in to victims' email accounts. [14]
C0053 | FLORAHOX Activity | FLORAHOX Activity has routed traffic through a customized Tor relay network layer. [2]
S1144 | FRP | The FRP client can be configured to connect to the server through a proxy. [15]
S0342 | GreyEnergy | GreyEnergy has used Tor relays for Command and Control servers. [16]
G0100 | Inception | Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers. [17]
S0604 | Industroyer | Industroyer used Tor nodes for C2. [18]
S0276 | Keydnap | Keydnap uses a copy of tor2web proxy for HTTPS communications. [19]
S0641 | Kobalos | Kobalos can chain together multiple compromised machines as proxies to reach their final targets. [20][21]
G0065 | Leviathan | Leviathan has used multi-hop proxies to disguise the source of their malicious traffic. [22]
G0030 | Lotus Blossom | Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments. [23]
S0282 | MacSpy | MacSpy uses Tor for command and control. [11]
S1106 | NGLite | NGLite has abused NKN infrastructure for its C2 communication. [3]
S1100 | Ninja | Ninja has the ability to use a proxy chain with up to 255 hops when using TCP. [24]
S1107 | NKAbuse | NKAbuse has abused the NKN public blockchain protocol for its C2 communications. [25][26]
C0014 | Operation Wocao | During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes. [27]
S0623 | Siloscape | Siloscape uses Tor to communicate with C2. [28]
C0052 | SPACEHOP Activity | SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications. [2]
S0491 | StrongPity | StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure. [29]
S0183 | Tor | Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination. [30]
S0022 | Uroburos | Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network. [31]
S0386 | Ursnif | Ursnif has used Tor for C2. [32][33]
G1017 | Volt Typhoon | Volt Typhoon has used multi-hop proxies for command-and-control infrastructure. [34]
S0366 | WannaCry | WannaCry uses Tor for command and control traffic. [35]
G0128 | ZIRCONIUM | ZIRCONIUM has utilized an ORB (operational relay box) network – consisting of compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to proxy traffic. [2]
Mitigations
ID | Mitigation | Description
M1037 | Filter Network Traffic | Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.
Detection
ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
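The three detection rows above can be combined into one pass over enriched flow records: a block list of known anonymity-network nodes (Network Connection Creation), a protocol-versus-port check (Network Traffic Content), a process network baseline (Network Traffic Flow), and a command-line correlation for locally configured proxy chaining, which the page's Ember Bear entry attributes to ProxyChains. The following is an added example written for this page, not MITRE's code or a product's rule syntax. The record format, the block list (placeholder IPs from the documentation ranges), the process baseline and the command-line indicator list are all constructed; in practice the block list would come from a Tor relay or ORB feed and the baseline from a learning period on the monitored hosts.

```python
"""Toy detector for T1090.003 guidance: flag flows to known anonymity nodes,
protocol/port mismatches, processes with no network baseline, and proxy-chain
command lines. Added example, not MITRE code; all inputs are constructed."""
from dataclasses import dataclass

# Constructed stand-in for a Tor relay / ORB node feed (TEST-NET-3 placeholder IPs).
KNOWN_ANONYMITY_NODES = {"203.0.113.10", "203.0.113.11"}

# Constructed baseline: process images seen initiating connections during a learning period.
BASELINE_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}

# Application protocol the sensor normally labels on each port; a mismatch is suspicious.
EXPECTED_PROTO_ON_PORT = {443: "tls", 80: "http", 53: "dns"}

# Constructed command-line indicators of locally configured proxy chaining.
PROXY_CMDLINE_INDICATORS = ("proxychains", "socks4", "socks5")


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # application protocol as labelled by the sensor ("tls", "http", ...)
    process: str    # image name of the process that created the connection
    cmdline: str    # its command line, joined from process monitoring


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format src|dst|port|proto|process|cmdline."""
    src, dst, port, proto, proc, cmd = line.rstrip("\n").split("|", 5)
    return Flow(src, dst, int(port), proto, proc, cmd)


def analyze_flow(flow: Flow, baseline=BASELINE_NETWORK_PROCESSES) -> list:
    """Return the detection reasons for one flow (empty list means nothing flagged)."""
    reasons = []
    if flow.dst_ip in KNOWN_ANONYMITY_NODES:
        reasons.append("destination is a known anonymity-network node")
    if flow.process.lower() not in baseline:
        reasons.append(f"process '{flow.process}' has no network baseline")
    expected = EXPECTED_PROTO_ON_PORT.get(flow.dst_port)
    if expected is not None and flow.proto != expected:
        reasons.append(f"port {flow.dst_port} carries '{flow.proto}', expected '{expected}'")
    cmd = flow.cmdline.lower()
    if any(ind in cmd for ind in PROXY_CMDLINE_INDICATORS):
        reasons.append("command line references proxy chaining")
    return reasons


def analyze_log(lines) -> dict:
    """Map each flagged record index to its reasons; clean records are omitted."""
    findings = {}
    for i, line in enumerate(lines):
        reasons = analyze_flow(parse_flow(line))
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample log (not captured traffic); record 1 hits the block list,
# record 2 is an unknown process speaking SOCKS on 443 with a proxy command line.
SAMPLE_LOG = [
    "10.0.0.5|192.0.2.20|443|tls|chrome.exe|chrome.exe --profile-directory=Default",
    "10.0.0.5|203.0.113.10|9001|tls|chrome.exe|chrome.exe --profile-directory=Default",
    "10.0.0.7|192.0.2.44|443|socks|updhelper.exe|updhelper.exe --socks5 127.0.0.1:1080",
    "10.0.0.9|192.0.2.53|53|dns|svchost.exe|svchost.exe -k NetworkService",
]

if __name__ == "__main__":
    for idx, reasons in analyze_log(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx].split("|")[1], "->", "; ".join(reasons))
```

The baseline check carries most of the weight for this technique, because relays built with patched network devices or P2P overlays rarely appear on any block list; the block-list and protocol checks are cheap first-pass filters, and the command-line correlation is what turns a single odd flow into something an analyst can act on.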
References
[1] Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.
[2] Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
[3] Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.
[4] Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm's Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
[5] Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
[6] Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
[7] Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
[8] Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
[9] The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
[10] NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
[11] Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
[12] Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
[13] US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
[14] Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
[15] fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
[16] Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
[17] Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
[18] Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
[19] Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
[20] M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
[21] M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
[22] CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
[23] Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
[24] Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
[25] Bill Toulas. (2023, December 14). New NKAbuse malware abuses NKN blockchain for stealthy comms. Retrieved February 8, 2024.
[26] KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
[27] Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
[28] Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
[29] Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
[30] Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
[31] FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023.
[32] NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.
[33] Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
[34] CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
[35] Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.