Proxy, Technique T1090 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Proxy
Sub-techniques (4)
ID | Name
T1090.001 | Internal Proxy
T1090.002 | External Proxy
T1090.003 | Multi-hop Proxy
T1090.004 | Domain Fronting
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [1]
Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
ID: T1090
Sub-techniques: T1090.001, T1090.002, T1090.003, T1090.004
Tactic: Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Heather Linn; Jon Sheedy; Walker Johnson
Version: 3.2
Created: 31 May 2017
Last Modified: 25 April 2025
Procedure Examples
ID | Name | Description
G0096 | APT41 | APT41 used a tool called CLASSFON to covertly proxy network communications. [2]
S0456 | Aria-body | Aria-body has the ability to use a reverse SOCKS proxy module. [3]
S0347 | AuditCred | AuditCred can utilize a proxy for communications. [4]
S0245 | BADCALL | BADCALL functions as a proxy server between the victim and the C2 server. [5]
S1081 | BADHATCH | BADHATCH can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. BADHATCH can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers. [6]
S0268 | Bisonal | Bisonal has supported use of a proxy server. [7]
G0108 | Blue Mockingbird | Blue Mockingbird has used FRP, ssf, and Venom to establish SOCKS proxy connections. [8]
C0017 | C0017 | During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic. [9]
C0027 | C0027 | During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance. [10]
S0348 | Cardinal RAT | Cardinal RAT can act as a reverse proxy. [11]
G1021 | Cinnamon Tempest | Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool. [12]
G0052 | CopyKittens | CopyKittens has used the AirVPN service for operational activity. [13]
S0384 | Dridex | Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers. [14][15]
G1006 | Earth Lusca | Earth Lusca adopted Cloudflare as a proxy for compromised servers. [16]
G0117 | Fox Kitten | Fox Kitten has used open source reverse proxy tools, including FRPC and Go Proxy, to establish connections from C2 to local servers. [17][18][19]
S1144 | FRP | FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall. [20]
S1044 | FunnyDream | FunnyDream can identify and use configured proxies in a compromised network for C2 communication. [21]
S1197 | GoBear | GoBear implements SOCKS5 proxy functionality. [22]
S0690 | Green Lambert | Green Lambert can use proxies for C2 traffic. [23][24]
S0246 | HARDRAIN | HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" and makes the victim machine function as a proxy server. [25]
S0376 | HOPLIGHT | HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. [26]
S0040 | HTRAN | HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure. [27][28]
S0283 | jRAT | jRAT can serve as a SOCKS proxy server. [29]
S1190 | Kapeka | Kapeka can identify system proxy settings via WinHttpGetIEProxyConfigForCurrentUser() during initialization and utilize these settings for subsequent command and control operations. [30]
S0487 | Kessel | Kessel can use a proxy during exfiltration if set in the configuration. [31]
S1051 | KEYPLUG | KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains. [9]
S0669 | KOCTOPUS | KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet. [32]
G1004 | LAPSUS$ | LAPSUS$ has leveraged NordVPN for its egress points when targeting intended victims. [33]
S1121 | LITTLELAMB.WOOLTEA | LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy. [34]
S1141 | LunarWeb | LunarWeb has the ability to use an HTTP proxy server for C&C communications. [35]
G0059 | Magic Hound | Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic. [36]
G1019 | MoustachedBouncer | MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks. [37]
S1189 | Neo-reGeorg | Neo-reGeorg has the ability to establish a SOCKS5 proxy on a compromised web server. [38]
S0108 | netsh | netsh can be used to set up a proxy tunnel to allow remote host access to an infected host. [39]
S0198 | NETWIRE | NETWIRE can implement use of proxies to pivot traffic. [40]
S0508 | ngrok | ngrok can be used to proxy connections to machines located behind NAT or firewalls. [41][42]
C0048 | Operation MidnightEclipse | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool. [43]
C0013 | Operation Sharpshooter | For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location. [44]
C0014 | Operation Wocao | During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops. [45]
S0435 | PLEAD | PLEAD has the ability to proxy network communications. [46]
G1005 | POLONIUM | POLONIUM has used the AirVPN service for operational activity. [13]
S0378 | PoshC2 | PoshC2 contains modules that allow for use of proxies in command and control. [47]
S0262 | QuasarRAT | QuasarRAT can communicate over a reverse proxy using SOCKS5. [48][49]
S0629 | RainyDay | RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality. [50]
S1212 | RansomHub | RansomHub can use a proxy to connect to remote SFTP servers. [51]
C0047 | RedDelta Modified PlugX Infection Chain Operations | Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations. [52]
S1187 | reGeorg | reGeorg can establish an HTTP or SOCKS proxy to tunnel data in and out of a network. [53][54][55]
S0332 | Remcos | Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying. [56]
S1210 | Sagerunex | Sagerunex uses several proxy configuration settings to ensure connectivity. [57]
S1099 | Samurai | Samurai has the ability to proxy connections to specified remote IPs and ports through a proxy module. [58]
G0034 | Sandworm Team | Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally. [59]
S0461 | SDBbot | SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2. [60]
S0273 | Socksbot | Socksbot can start SOCKS proxy threads. [61]
S0615 | SombRAT | SombRAT has the ability to use an embedded SOCKS proxy in C2 communications. [62]
S0436 | TSCookie | TSCookie has the ability to proxy communications with command and control (C2) servers. [63]
G0010 | Turla | Turla RPC backdoors have included local UPnP RPC proxies. [64]
S0263 | TYPEFRAME | A TYPEFRAME variant can force the compromised system to function as a proxy server. [65]
S0386 | Ursnif | Ursnif has used a peer-to-peer (P2P) network for C2. [66][67]
S0207 | Vasport | Vasport is capable of tunneling through a proxy. [68]
G1017 | Volt Typhoon | Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic. [69][70][71]
S0670 | WarzoneRAT | WarzoneRAT has the capability to act as a reverse proxy. [72]
G0124 | Windigo | Windigo has delivered a generic Windows proxy, Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure. [73]
S0117 | XTunnel | XTunnel relays traffic between a C2 server and a victim. [74]
S1114 | ZIPLINE | ZIPLINE can create a proxy server on compromised hosts. [75][76]
S0412 | ZxShell | ZxShell can set up an HTTP or SOCKS proxy. [2][77]
Mitigations
ID | Mitigation | Description
M1037 | Filter Network Traffic | Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [78]
M1020 | SSL/TLS Inspection | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.
Detection
ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
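As an added illustration of the Network Traffic Flow guidance above (an editor's example, not code from MITRE or from any report cited on this page), the following Python script scans flow records for the pattern a host acting as a proxy produces: inbound connections that are promptly followed by outbound connections from the same process, plus network-using processes that are absent from a baseline. The hostnames, process names, addresses and baseline are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from any report cited on the page):
# (timestamp, host, process, direction, remote peer). ws03 shows the relay
# pattern: each inbound connection from an internal peer is followed within
# seconds by an outbound connection to the same external address.
FLOWS = [
    ("2025-05-01T10:00:00", "ws01", "outlook.exe", "out", "203.0.113.10:443"),
    ("2025-05-01T10:00:05", "ws02", "svchost.exe", "out", "198.51.100.7:443"),
    ("2025-05-01T10:01:00", "ws03", "relay.exe", "in", "10.0.0.5:51234"),
    ("2025-05-01T10:01:01", "ws03", "relay.exe", "out", "192.0.2.44:443"),
    ("2025-05-01T10:01:20", "ws03", "relay.exe", "in", "10.0.0.9:51300"),
    ("2025-05-01T10:01:21", "ws03", "relay.exe", "out", "192.0.2.44:443"),
    ("2025-05-01T10:02:00", "ws01", "notepad.exe", "out", "192.0.2.44:8080"),
]
# Constructed baseline of processes that normally make network connections.
BASELINE = {"outlook.exe", "svchost.exe", "chrome.exe"}


def find_relays(flows, window_seconds=5, min_pairs=2):
    """Return {(host, process): pair_count} for processes where at least
    min_pairs inbound connections were each followed, within window_seconds,
    by an outbound connection from the same process (relay behaviour)."""
    by_proc = defaultdict(list)
    for ts, host, proc, direction, peer in flows:
        by_proc[(host, proc)].append((datetime.fromisoformat(ts), direction, peer))
    relays = {}
    for key, events in by_proc.items():
        events.sort()
        pairs = 0
        for i, (t_in, direction, _) in enumerate(events):
            if direction != "in":
                continue
            for t_out, d_out, _ in events[i + 1:]:
                if (t_out - t_in).total_seconds() > window_seconds:
                    break  # events are sorted, so nothing later can match
                if d_out == "out":
                    pairs += 1
                    break  # pair this inbound with the first outbound only
        if pairs >= min_pairs:
            relays[key] = pairs
    return relays


def find_unbaselined(flows, baseline):
    """Return (host, process) pairs whose process has no baseline history of
    network activity, i.e. a network-using process never seen before."""
    return {(h, p) for _, h, p, _, _ in flows if p not in baseline}


if __name__ == "__main__":
    for (host, proc), n in sorted(find_relays(FLOWS).items()):
        print(f"possible relay: {proc} on {host} ({n} in->out pairs)")
    for host, proc in sorted(find_unbaselined(FLOWS, BASELINE)):
        print(f"unbaselined network process: {proc} on {host}")
```

Both checks produce leads, not verdicts: a legitimate forwarder or a newly deployed agent matches too, so correlate hits with process ancestry and command line as the Network Traffic Content row suggests.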
References
[1] Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.
[2] Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
[3] CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
[4] Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
[5] US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
[6] Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
[7] Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
[8] Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
[9] Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
[10] Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
[11] Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
[12] Biderman, O. et al. (2022, October 3). Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group. Retrieved December 6, 2023.
[13] Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
[14] Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.
[15] Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
[16] Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
[17] CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
[18] ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
[19] Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
[20] fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
[21] Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
[22] Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
[23] Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
[24] Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
[25] US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
[26] US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
[27] Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). Operation Quantum Entanglement. Retrieved November 17, 2024.
[28] The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
[29] Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
[30] Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). Kapeka: A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
[31] Dumont, R., Léveillé, M., Porcher, H. (2018, December 1). The Dark Side of the ForSSHe: A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
[32] Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
[33] MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
[34] Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
[35] Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
[36] DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
[37] Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
[38] L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024.
[39] Kaspersky Lab's Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017.
[40] Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
[41] Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.
[42] Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
[43] Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
[44] Ilascu, I. (2019, March 3). Op 'Sharpshooter' Connected to North Korea's Lazarus Group. Retrieved September 26, 2022.
[45] Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
[46] Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
[47] Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
[48] MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
[49] Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
[50] Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
[51] Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
[52] Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
[53] xl7dev. (2016). reGeorg-master. Retrieved December 3, 2024.
[54] FortiGuard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
[55] Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
[56] Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
[57] Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
[58] Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
[59] Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
[60] Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
[61] Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
[62] CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
[63] Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
[64] Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
[65] US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
[66] NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.
[67] Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
[68] Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
[69] Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
[70] NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
[71] CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
[72] Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
[73] Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign. Retrieved February 10, 2021.
[74] Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
[75] McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
[76] Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
[77] Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
[78] Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.