ReverseSocks5
ReverseSocks5 is an open-source reverse SOCKS5 proxy and tunneling utility written in Go. A conventional SOCKS5 proxy listens for clients; in the reverse variant an agent on the compromised host dials outbound to attacker-controlled infrastructure, and the attacker's end exposes a SOCKS5 endpoint whose connections are relayed back through that single outbound session into the victim network. Because the session originates from inside, it passes egress filtering and NAT that would stop an inbound listener, which is why the tool is deployed after compromise for command and control, internal pivoting, and continued access. It is a publicly available tool rather than bespoke malware, so hunting rests on where it turns up and what it connects to rather than on the binary alone.

It was observed in post-exploitation activity following exploitation of Palo Alto Networks PAN-OS CVE-2026-0300, where suspected state-linked activity tracked by Unit 42 as CL-STA-1132 deployed ReverseSocks5 alongside EarthWorm on compromised PA-Series and VM-Series firewalls. In that activity the attackers achieved root-level access, injected shellcode into nginx worker processes, extracted credentials from the firewall, enumerated Active Directory, deleted logs and crash artifacts, and used ReverseSocks5 for outbound command and control and proxy tunneling. Reporting also states that the attackers downloaded ReverseSocks5 onto a secondary firewall after forcing HA failover via a SAML flood.

The tool is also linked to the China-aligned espionage group LongNosedGoblin, which reportedly used NosyDownloader to deploy ReverseSocks5, NosyLogger, and an argument runner in campaigns targeting government entities in Southeast Asia and Japan. Separately, BI.ZONE reporting says the actor tracked as Cavalry Werewolf executed ReverseSocks5 and ReverseSocks5Agent on compromised hosts during phishing-led intrusions targeting the Russian public sector and related industries.

A specific download IOC mentioned in the reporting is hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz. This is the project's public GitHub release artifact, so the indicator is not the URL itself but a firewall fetching it: hunt for the GitHub release path and the ReverseSocks5-v2.2.0-linux-amd64.tar.gz filename in egress and proxy logs, and for the extracted binary on the appliance.
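The direction inversion described above, as an added example that is not code from the ReverseSocks5 project or from the reporting cited here: a minimal RFC 1928 decoder in Go plus a helper that flags a locally-initiated connection on which the remote peer sends a SOCKS5 greeting, which is what an agent being driven as a reverse proxy sees. The function names, the sample bytes and the hostname dc01.corp.local are constructed for illustration, and the decoder assumes the tunnel carries SOCKS5 in the clear, which a real tool may not.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"strconv"
)

// RFC 1928 framing. In a reverse SOCKS5 setup the agent on the compromised
// host dials OUT to the operator, and the operator's SOCKS5 client bytes
// (greeting, then requests) arrive on that outbound connection; a normal
// outbound client never receives a greeting from its peer.
const (
	socksVersion = 0x05
	atypIPv4     = 0x01
	atypDomain   = 0x03
	atypIPv6     = 0x04
)

// Request is a decoded SOCKS5 request (RFC 1928 section 4).
type Request struct {
	Cmd    byte   // 0x01 CONNECT, 0x02 BIND, 0x03 UDP ASSOCIATE
	Target string // host:port the peer asked this host to reach
}

func readN(r io.Reader, n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(r, b)
	return b, err
}

// ParseGreeting decodes VER | NMETHODS | METHODS and returns the methods.
func ParseGreeting(r io.Reader) ([]byte, error) {
	hdr, err := readN(r, 2)
	if err != nil {
		return nil, err
	}
	if hdr[0] != socksVersion {
		return nil, fmt.Errorf("not SOCKS5: version byte 0x%02x", hdr[0])
	}
	return readN(r, int(hdr[1]))
}

// ParseRequest decodes VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
func ParseRequest(r io.Reader) (Request, error) {
	hdr, err := readN(r, 4)
	if err != nil {
		return Request{}, err
	}
	if hdr[0] != socksVersion {
		return Request{}, fmt.Errorf("not SOCKS5: version byte 0x%02x", hdr[0])
	}
	n := map[byte]int{atypIPv4: 4, atypIPv6: 16}[hdr[3]] // 0 for domain/unknown
	if hdr[3] == atypDomain {
		l, err := readN(r, 1) // one length byte precedes the name
		if err != nil {
			return Request{}, err
		}
		n = int(l[0])
	} else if n == 0 {
		return Request{}, fmt.Errorf("unknown ATYP 0x%02x", hdr[3])
	}
	addr, err := readN(r, n)
	if err != nil {
		return Request{}, err
	}
	host := string(addr)
	if hdr[3] != atypDomain {
		host = net.IP(addr).String()
	}
	port, err := readN(r, 2)
	if err != nil {
		return Request{}, err
	}
	return Request{Cmd: hdr[1], Target: net.JoinHostPort(host, strconv.Itoa(int(binary.BigEndian.Uint16(port))))}, nil
}

// InspectFromPeer takes the reassembled bytes a locally-initiated connection
// RECEIVED from its remote peer. A greeting followed by a request means the
// peer is driving this host as a reverse proxy, and Target is what it reached
// for. Assumes a plaintext channel: a tunnel wrapped in TLS or a multiplexer
// hides these bytes, and the clue is then the egress connection itself.
func InspectFromPeer(fromPeer []byte) (Request, bool) {
	r := bytes.NewReader(fromPeer)
	if _, err := ParseGreeting(r); err != nil {
		return Request{}, false
	}
	req, err := ParseRequest(r)
	return req, err == nil
}

func main() {
	// Constructed sample: no-auth greeting, then CONNECT dc01.corp.local:389.
	sample := append([]byte{0x05, 0x01, 0x00, 0x05, 0x01, 0x00, 0x03, 0x0f}, "dc01.corp.local"...)
	sample = append(sample, 0x01, 0x85)
	if req, ok := InspectFromPeer(sample); ok {
		fmt.Printf("peer drives a reverse SOCKS5 proxy: CONNECT %s\n", req.Target)
	}
}
```

The decoder is also the agent half of such a tool: answer the greeting, dial the decoded Target, relay bytes, which is why the same parse steps serve both the operator's and the analyst's view. On an edge device the practical checks are the ones the reporting points at: an unexpected long-lived outbound TCP session, the release tarball or its extracted binary on disk, and, if the channel is in the clear, remote-peer bytes that decode as above.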
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
CVE-2026-0300 is an unauthenticated buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. The vendor advisory states that exploitation yields arbitrary code execution with root privileges on PA-Series and VM-Series firewalls... exploitation has been observed since April 9, 2026, with successful remote code execution achieved by April 16, 2026.

Observed post-exploitation activity includes shellcode injection into the nginx worker process on the firewall, Active Directory enumeration using credentials extracted from the firewall, anti-forensic log cleanup, and deployment of network tunneling tools (EarthWorm, ReverseSocks5) for outbound command and control.
Groups observed using it
2 distinct threat actors attributed by public researchers.
BI.ZONE, on Cavalry Werewolf: "Also executed on the compromised hosts are tools like ReverseSocks5Agent and ReverseSocks5, as well as commands to gather device information."
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control (5 techniques)
Then they deployed EarthWorm and ReverseSocks5 tunnels for outbound C2
Observed post-exploitation activity includes... deployment of network tunneling tools (EarthWorm, ReverseSocks5) for outbound command and control.
Post-exploitation activities conducted by the adversary included conducting Active Directory (AD) enumeration and dropping additional payloads like EarthWorm and ReverseSocks5 against a second device on April 29, 2026.
Command & Control: Proxy (T1090) / Protocol Tunneling (T1572): deployment of EarthWorm and ReverseSocks5 for SOCKS5 tunneling
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A reverse SOCKS5 tunneling tool used for command-and-control channels and lateral movement after compromise of a PAN-OS device.
A proxy tunneling utility deployed after exploitation of PAN-OS to maintain covert access, relay traffic, and enable internal pivoting through compromised firewall infrastructure.
ReverseSocks5 is an open-source networking tool designed to bypass firewalls and NAT protections by creating outbound connections from compromised systems to attacker-controlled servers. It establishes a SOCKS5 proxy tunnel that allows remote access into internal networks and is abused for stealthy pivoting and post-compromise operations.
SOCKS5-based reverse tunneling tool used post-compromise for outbound command and control.