RSOCX

rsocx is an open-source reverse SOCKS proxy / SOCKS5 proxy tool used to establish reverse connections and tunnel traffic within compromised environments. The provided content describes it being used for covert tunneling, internal pivoting, and remote access, including reverse-connect operation over non-standard port 8008. It has been observed in multiple intrusion contexts rather than as a bespoke malware family. In the 2025 Poland wiper intrusions, adversaries used rsocx (including filenames r.exe and rsocx.exe) to create a reverse SOCKS proxy inside internal infrastructure; ESET reported attempted reverse-connect use to 31.172.71[.]5:8008 prior to DynoWiper deployment. In that incident, rsocx activity was associated with a broader multi-stage intrusion involving credential theft, reconnaissance, and eventual destructive malware deployment, and ESET noted the IP was likely a compromised host associated with progamevl[.]ru and hosted by Fornex Hosting S.L. The content also states PhantomCore stored or staged rsocx samples on compromised legitimate servers and used the utility alongside MeshAgent and other tools. Mandiant observed UNC3944 / Scattered Spider using covert tunneling tools including rsocx, and specifically reported Scattered Spider installing the open-source rsocx reverse proxy tool on a targeted ESXi appliance during activity cluster C0027. Across the cited reporting, rsocx is associated with Sandworm-linked destructive activity in Poland, PhantomCore operations, and Scattered Spider / UNC3944 intrusions, where it supports proxying, tunneling, and access to devices without relying on normal VPN or MFA pathways.