Go Proxy
Go Proxy is an open-source reverse proxy tool. In the provided content, it is associated with Fox Kitten, which used open-source reverse proxy tools including FRPC and Go Proxy to establish connections from command-and-control (C2) infrastructure to local servers. The described behavior indicates use for reverse proxying and for pivoting from C2 into internal or local systems. No additional high-confidence details on specific infection vectors, targeted industries, platforms, or indicators of compromise are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
3 techniques
Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Open-source reverse proxy tooling used to connect C2 infrastructure to internal/local servers.
Open-source reverse proxy tool used to connect C2 infrastructure to internal/local servers.
Reverse proxy tooling used to bridge C2 to internal/local servers.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.