ChainWorm
ChainWorm is a custom proxy tool used by the China-aligned Webworm intrusion set, also tracked as Space Pirates and UAT-8302. ESET reported that Webworm expanded its proxy tooling in 2025 with WormFrp, ChainWorm, SmuxProxy, and WormSocket, and assessed that the breadth and complexity of these tools suggest the group may be building a larger covert proxy network from compromised systems. ChainWorm’s stated main function is to assist in expanding Webworm’s proxy infrastructure by opening a port on the compromised machine where it is deployed. The malware is associated with the sample svc.exe, SHA-1 7DCFE9EE25841DFD58D3D6871BF867FE32141DFB, which ESET detects as MSIL/HackTool.Proxy.H. Additional analysis notes that a .NET MSIL proxy sample tied to this cluster contained a PDB path with the username "hello", suggesting shared developer artifacts with other Webworm tooling. Detection context also references a SOCKS5-related byte sequence used to identify ChainWorm, with logic to distinguish it from WormFrp. High-confidence targeting context comes from Webworm reporting rather than ChainWorm-specific deployment records: in 2025 Webworm targeted government organizations in Belgium, Italy, Poland, Serbia, and Spain, and activity also involved a university in South Africa.
Groups observed using it
3 distinct threat actors attributed by public researchers.
ChainWorm (MEDIUM-HIGH) -- promoted from scaffold; matches on the SOCKS5-error byte sequence 05 01 00 01 00 00 00 00 00 00, with a guard against WormFrp.
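To show what that byte sequence actually is, here is an added example (not code from the page, Mallory, or ESET) that decodes it as an RFC 1928 SOCKS5 reply and scans a constructed buffer for it. The signature constant is taken from the line above; the WormFrp guard is not reproduced because the page does not describe its logic.

```python
import struct
from typing import Optional

# SOCKS5-error byte sequence quoted on the page for ChainWorm (assumed verbatim).
CHAINWORM_SOCKS5_ERROR = bytes.fromhex("05010001000000000000")

# RFC 1928 reply codes; 0x01 is "general SOCKS server failure".
SOCKS5_REP = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def parse_socks5_reply(buf: bytes) -> Optional[dict]:
    """Decode a SOCKS5 reply with an IPv4 BND.ADDR (VER REP RSV ATYP ADDR PORT).

    Returns None if the first 10 bytes do not form a well-formed IPv4 reply.
    """
    if len(buf) < 10 or buf[0] != 0x05 or buf[2] != 0x00 or buf[3] != 0x01:
        return None
    rep = buf[1]
    addr = ".".join(str(b) for b in buf[4:8])
    (port,) = struct.unpack("!H", buf[8:10])  # network byte order
    return {"ver": 5, "rep": SOCKS5_REP.get(rep, f"unknown({rep:#x})"),
            "atyp": "ipv4", "bnd_addr": addr, "bnd_port": port}


def find_chainworm_signature(data: bytes) -> list:
    """Return every offset where the sequence occurs, with the decoded reply.

    The WormFrp guard mentioned on the page is intentionally not implemented here.
    """
    hits, start = [], 0
    while (idx := data.find(CHAINWORM_SOCKS5_ERROR, start)) != -1:
        hits.append({"offset": idx, "reply": parse_socks5_reply(data[idx:idx + 10])})
        start = idx + 1
    return hits


# Constructed sample buffer: filler bytes around one embedded copy of the sequence.
SAMPLE = b"MZ" + b"\x90" * 30 + CHAINWORM_SOCKS5_ERROR + b"\x00" * 8

if __name__ == "__main__":
    for hit in find_chainworm_signature(SAMPLE):
        print(hit)
```

The decoded reply (REP 0x01, BND.ADDR 0.0.0.0, port 0) is a hardcoded "general failure" response, which is why a raw byte match alone needs a guard against other SOCKS5 implementations.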
The group expanded its use of proxy tools. Existing proxy capabilities were supplemented with custom tools including WormFrp, ChainWorm, SmuxProxy, and WormSocket.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
4 techniques: WormFrp proxy tool ... ChainWorm proxy tool ... WormSocket proxy tool ... SmuxProxy, a custom iox with hardcoded IP.
ChainWorm and WormSocket can create internal proxies.
WormFrp, ChainWorm, WormSocket, SmuxProxy, and GraphWorm have the capability to connect to external proxies.
WormSocket and ChainWorm create multiple proxy hops.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A custom proxy chaining tool that opens a listening port and forwards traffic through multiple hops to expand Webworm’s hidden proxy infrastructure.
A custom proxy tool used by Webworm as part of expanded proxy capabilities and likely hidden network infrastructure.