Microsocks
Microsocks is an open-source SOCKS5 proxy that intrusion operators use to set up proxying, pivoting, and tunneling infrastructure. Public reporting describes it as a stock tool obtained from GitHub and repeatedly observed in post-exploitation workflows, not as a bespoke malware family.
Microsocks has been observed across multiple intrusion sets and campaigns. Kaspersky reported Head Mare using MicroSocks in late 2025 to early 2026 attacks against Russian government, construction, and industrial organizations, alongside tools such as adduser.exe, Mimikatz, and Advanced Port Scanner, after initial access that included exploitation of the TrueConf Server vulnerability BDU:2025-10114 and, in some cases, phishing. Palo Alto Networks Unit 42 reported CL-STA-0969, a nation-state-linked cluster overlapping with Liminal Panda, using Microsocks during 2024 intrusions into telecommunications providers in Southeast Asia and Southwest Asia, alongside FRP, FScan, Responder, and telecom-focused implants such as AuthDoor, GTPDoor, ChronosRAT, NoDepDNS, and EchoBackdoor. In those telecom intrusions, Microsocks was also launched from an SGSN emulator script, after a GTP tunnel had been established, to provide SOCKS proxy access across telecom networks.
The tool was also used in proxy-network construction. Ctrl-Alt-Intel identified microsocks on compromised FortiWeb firewalls in December 2025. In 2026, investigators found it deployed to TP-Link consumer routers compromised via CVE-2024-21833, where staging scripts downloaded architecture-specific microsocks binaries for ARM, AARCH64, MIPS, and x86. On those routers, microsocks established a SOCKS5 listener on a random high port, masqueraded as the process name "[kworker/0:1]", and enrolled devices into a residential proxy network. Registration of the proxy to command infrastructure occurred over TCP port 7777 or HTTP port 8889, and persistence on TP-Link devices was achieved through cron entries, /etc/rc.local modification, and NVRAM rc_startup changes. The same router compromises also deployed a custom beacon called ShadowLink.
High-confidence indicators and behaviors named in public reporting include: use as a SOCKS5 server/proxy; deployment of binaries from the public GitHub project; architecture-specific builds; execution on compromised FortiWeb firewalls, TP-Link routers, and telecom infrastructure; process masquerading as "[kworker/0:1]" on TP-Link devices; and use alongside broader intrusion toolchains for lateral movement, tunneling, and covert remote access.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
In December 2025, Ctrl-Alt-Intel identified an unknown threat actor leveraging the open-source tool microsocks, deployed to compromised FortiWeb firewalls. We have been hunting for abuse of microsocks ever since.
Groups observed using it
2 distinct threat actors attributed by public researchers.
We also recorded the MicroSocks tool as part of these attacks: a SOCKS5 proxy implementation obtained from a public GitHub repository.
...using a mix of custom and public tools such as Microsocks, FRP, FScan, and Responder...
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The primary payload, tplink_stager.sh, was designed for post-exploitation of CVE-2024-21833, an OS command injection vulnerability affecting TP-Link Archer and Deco series routers.
Execution
2 techniques
Persistence on the TP-Link devices was achieved through three mechanisms: Cron -> /var/spool/cron/crontabs/root or /etc/crontabs (every 5 minutes).
All payloads are POSIX shell scripts; command execution via eval.
Persistence
3 techniques
Persistence on the TP-Link devices was achieved through three mechanisms... RC scripts -> modification of /etc/rc.local.
Persistence on the TP-Link devices was achieved through three mechanisms: Cron -> /var/spool/cron/crontabs/root or /etc/crontabs (every 5 minutes).
Privilege Escalation
2 techniques
Persistence on the TP-Link devices was achieved through three mechanisms... RC scripts -> modification of /etc/rc.local.
Stealth
4 techniques
Using exec -a '[kworker/0:1]', the proxy binary masquerades as a kernel worker thread while starting a SOCKS5 listener.
tplink_stager.sh self-deletes original and cleans wget/curl temp files.
Persistence on the TP-Link devices was achieved through three mechanisms... NVRAM -> writing to rc_startup via nvram set / nvram commit.
Dot-prefixed filenames on routers (/tmp/.m, /tmp/.s, /tmp/.bp, /tmp/.bid).
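The following POSIX shell helpers are an added example, not code from any of the cited reports or from the microsocks project. They check a Linux or BusyBox host (a router shell, or a fixture tree built from a mounted image) for the two host artifacts the Stealth and Persistence entries above describe. The first relies on a property of `exec -a '[kworker/0:1]' /tmp/.m`: argv[0] becomes "[kworker/0:1]", so `ps` shows a kernel-worker name, but a real kernel thread has an empty /proc/PID/cmdline and no readable /proc/PID/exe, while the masquerading process keeps both (and its comm is the binary's basename, ".m"). The second greps the persistence locations named above for dot-prefixed /tmp payloads. The paths /var/spool/cron/crontabs/root, /etc/crontabs, /etc/rc.local and the nvram rc_startup variable come from the reporting; the list of kernel-thread name prefixes, the /etc/crontabs/root file name, the optional root parameter and the dot-file regex are this example's assumptions.

```shell
#!/bin/sh
# Added triage helpers (example code, not from any cited report or from microsocks).
# Both functions take an optional root so they can run against a live system,
# a mounted image, or a constructed fixture tree.

# A real kernel thread has an EMPTY /proc/PID/cmdline and no readable /proc/PID/exe.
# `exec -a '[kworker/0:1]' /tmp/.m` leaves argv[0]="[kworker/0:1]", comm=".m" and
# exe -> /tmp/.m, so anything kernel-looking that still has argv or an exe is fake.
# Reading another user's /proc/PID/exe needs root; the argv[0] check works regardless.
# Prints: PID <TAB> comm <TAB> exe <TAB> argv[0]
find_fake_kthreads() {
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        # argv[0] is the first NUL-terminated field of cmdline (empty for kernel threads)
        argv0=$(tr '\000' '\n' 2>/dev/null < "$d/cmdline" | head -n 1 || true)
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        looks_kernel=0
        # bracketed argv[0] is how ps renders kernel threads; a process that set it is lying
        case "$argv0" in "["*) looks_kernel=1 ;; esac
        # assumed list of common kernel-thread name prefixes (extend for your kernel)
        case "$comm" in kworker*|ksoftirqd*|kthreadd|rcu_*|migration*|kswapd*) looks_kernel=1 ;; esac
        [ "$looks_kernel" -eq 1 ] || continue
        if [ -n "$argv0" ] || [ -n "$exe" ]; then
            printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "${exe:-?}" "$argv0"
        fi
    done
    return 0
}

# Scan the persistence locations from the TP-Link reporting for references to
# dot-prefixed /tmp payloads (/tmp/.m, /tmp/.s, ...). nvram only exists on the
# live device, so rc_startup is dumped only when no offline root was given.
# Prints: file <TAB> grep -n match
find_dot_tmp_persistence() {
    root="${1:-}"
    for f in "$root/var/spool/cron/crontabs/root" "$root/etc/crontabs/root" "$root/etc/rc.local"; do
        [ -f "$f" ] || continue
        grep -n '/tmp/\.[A-Za-z0-9_]' "$f" 2>/dev/null | while IFS= read -r line; do
            printf '%s\t%s\n' "${f#"$root"}" "$line"
        done
    done
    if [ -z "$root" ] && command -v nvram >/dev/null 2>&1; then
        nvram get rc_startup 2>/dev/null | grep '/tmp/\.' | while IFS= read -r line; do
            printf 'nvram:rc_startup\t%s\n' "$line"
        done
    fi
    return 0
}

# `sh microsocks_hunt.sh live` triages the running system; otherwise source the
# file and point the functions at a fixture or mounted image root.
case "${1:-}" in
    live) find_fake_kthreads; find_dot_tmp_persistence ;;
esac
```

A hit from `find_fake_kthreads` gives the PID to pivot on: /proc/PID/net/tcp (or `ss -ltnp`) shows the random high SOCKS5 port it is listening on, and the exe path is the file to pull for hashing. An empty result does not clear a box whose process was renamed with prctl(PR_SET_NAME) and started without `exec -a`; for that case compare comm against the exe basename as well.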
Discovery
2 techniques
Command and Control
3 techniques
T1090.001 Proxy: Internal Proxy. PhantomCore used traffic proxying to organize communication between compromised hosts: Rsocx, tsocks, wstunnel, microsocks, localtonet.
We also recorded the MicroSocks tool as part of these attacks: a SOCKS5 proxy implementation obtained from a public GitHub repository.
Downloading microsocks binaries, GOST, FRP, and scanner modules from C2.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: network infrastructure (IPs, domains, and DNS) linked to this family, and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Open-source SOCKS5 proxy tool deployed on compromised FortiWeb firewalls and TP-Link routers to enroll devices into a residential proxy network. In the TP-Link campaign it was downloaded by tplink_stager.sh, run under a masqueraded process name, and exposed on a random high port for proxying attacker traffic.
SOCKS5 proxy utility sourced from an open-source GitHub repository and used as part of post-exploitation tooling to organize network access.
A lightweight SOCKS5 proxy often used for tunneling traffic and establishing covert channels.
Open-source SOCKS5 proxy used for pivoting/tunneling within compromised telecom environments (also launched from an SGSN emulator script after a GTP tunnel had been established).