Earthworm
EarthWorm is a publicly available, open-source network tunneling utility used to create reverse SOCKS tunnels and to provide SOCKS5 proxy and port-forwarding capabilities. The source material describes it as written in C and as supporting Windows, Linux, macOS, and ARM/MIPS platforms. Post-compromise, it is used to proxy traffic, establish outbound command-and-control channels, expose internal systems to attacker-controlled infrastructure, and support covert communications, persistence, lateral movement, and firewall bypass.
Observed use in the provided content is primarily as a post-exploitation tool rather than an initial access payload. It was deployed after exploitation of Palo Alto Networks PAN-OS CVE-2026-0300 on exposed User-ID Authentication Portal/Captive Portal instances, where attackers used EarthWorm alongside ReverseSocks5 for outbound C2 and tunneling after achieving root-level remote code execution on PA-Series and VM-Series firewalls. In that activity, Unit 42 tracked the cluster as CL-STA-1132, assessed as likely state-sponsored. Reported follow-on behavior included shellcode injection into nginx worker processes, credential extraction from firewalls, Active Directory enumeration using firewall-linked or stolen credentials, anti-forensic log cleanup, and repeated exploitation during HA failover scenarios. One EarthWorm sample hash provided in the content is SHA256 e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584, and one reported download URL is hxxp[:]//146.70.100[.]69:8000/php_sess.
The content also associates EarthWorm with multiple China-linked or suspected China-linked threat actors and clusters. It has been used by Volt Typhoon, including with FRP and Impacket to proxy network traffic and support operations against critical infrastructure. It is also described as used by BackdoorDiplomacy for network tunneling with SOCKS5 and port-transfer functionality; by CL-STA-0046/Gelsemium in a Southeast Asian government intrusion, where EarthWorm was used as replacement tunneling tooling after OwlProxy execution was blocked and connected to C2 infrastructure at 27.124.26[.]86; and by UAT-8837 in intrusions targeting North American critical infrastructure and Sitecore environments, where it created reverse tunnels to attacker-controlled servers over SOCKS and supported persistent access, internal endpoint exposure, and firewall bypass. Additional content notes prior association with APT41 and UAT-8337.
Across the reporting, EarthWorm is consistently characterized as a dual-use tunneling/proxy tool favored in low-noise espionage operations because it is publicly available and reduces the need for custom malware.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
A critical zero-day vulnerability (CVE-2025-53690) is being actively exploited in Sitecore. This flaw, originating from old, insecure keys, allows hackers to achieve Remote Code Execution (RCE) via ViewState deserialization attacks. | This included EARTHWORM for creating secret tunnels, DWAGENT for remote access, and SHARPHOUND for mapping the network.
CVE-2026-0300 is an unauthenticated buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. The vendor advisory states that exploitation yields arbitrary code execution with root privileges on PA-Series and VM-Series firewalls... exploitation has been observed since April 9, 2026, with successful remote code execution achieved by April 16, 2026. | Observed post-exploitation activity includes shellcode injection into the nginx worker process on the firewall, Active Directory enumeration using credentials extracted from the firewall, anti-forensic log cleanup, and deployment of network tunneling tools (EarthWorm, ReverseSocks5) for outbound command and control.
Groups observed using it
7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
After exploiting the flaw, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, used stolen credentials to probe Active Directory, and deleted logs and other evidence to hide the intrusion.
They repeated CVE-2026-0300 exploitation on that device, achieved RCE again, and downloaded the EarthWorm and ReverseSocks5 network tunneling tools, likely to establish persistent tunneling and proxy capabilities for continued access.
EarthWorm, to create a reverse tunnel to attacker-controlled servers using SOCKS
BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
1 technique: During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Command and Control
7 techniques: Then they deployed EarthWorm and ReverseSocks5 tunnels for outbound C2
“Earthworm: A network tunneling tool used to ‘expose internal endpoints to attacker-owned remote infrastructure’.”
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Then they deployed EarthWorm and ReverseSocks5 tunnels for outbound C2
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
Post-exploitation activities conducted by the adversary included conducting Active Directory (AD) enumeration and dropping additional payloads like EarthWorm and ReverseSocks5 against a second device on April 29, 2026.
Command & Control Proxy (T1090) / Protocol Tunneling (T1572): Deployment of EarthWorm and ReverseSocks5 for SOCKS5 tunneling
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A tool for SOCKS5 tunneling and traffic proxying, used post-exploitation for C2 and pivoting into the internal network.
A network tunneling tool used post-exploitation to pivot through compromised PAN-OS firewalls, reduce forensic footprint, and support covert command-and-control and internal movement.
EarthWorm is an open-source tunneling tool written in C that works across Windows, Linux, macOS, and ARM/MIPS platforms. It acts as a SOCKS5 proxy and port-forwarding utility, enabling covert communication channels, bypassing network restrictions, and lateral movement within compromised environments.
Network tunneling tool used post-compromise for outbound command and control.