
EarthWorm
Open-source SOCKS5 tunnel tool used by CL-STA-1132 for C2 masking on PAN-OS firewalls.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for EarthWorm
Deployed by CL-STA-1132 for lateral movement and C2 masking
Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
- What is the EarthWorm tunnel tool?
- EarthWorm is an open-source SOCKS5 tunnelling tool used in penetration testing. Attackers use it to route C2 traffic through compromised hosts, masking the real location of command-and-control infrastructure and reaching internal network segments.
- How do attackers use EarthWorm for command and control?
- Attackers deploy EarthWorm as a single portable binary on a compromised host, establishing an encrypted SOCKS5 tunnel back to their infrastructure. All subsequent attacker tooling communicates through this tunnel, hiding C2 traffic among legitimate-looking proxy connections.
- How can organisations detect EarthWorm on their network?
- Detection relies on behavioural analysis: unexpected outbound SOCKS5 connections from hosts that don't normally proxy traffic, unusual process lineage (e.g. EarthWorm spawned from a web server process), or anomalous binary execution from temp directories on network appliances.
Background
EarthWorm is an open-source, lightweight SOCKS5 tunnelling tool commonly used in penetration testing and red team operations. It enables operators to create encrypted SOCKS5 proxy tunnels through a compromised host, routing traffic between attacker infrastructure and internal network segments that would otherwise be unreachable. EarthWorm operates as a portable single-binary tool, requiring no installation, which reduces its forensic footprint on compromised systems.
Because EarthWorm is a legitimate open-source pen-test tool rather than bespoke malware, it is sometimes treated as the tunnelling-tool equivalent of a "living-off-the-land" binary (LoLBin). This creates a detection challenge: EarthWorm traffic resembles legitimate SOCKS5 proxy traffic, so attacker use may not trigger signature-based detections tuned for known malware. Defenders must instead rely on behavioural detection (unexpected outbound SOCKS5 connections from systems that do not normally originate them) or on process lineage analysis to identify unexpected parent processes spawning EarthWorm.
In U#3, CL-STA-1132 deployed EarthWorm alongside ReverseSocks5 on compromised PAN-OS firewalls after exploiting CVE-2026-0300. The combination of two independent SOCKS5 tunnelling tools provided redundant C2 channels, ensuring continued access even if one tunnel was blocked. Log destruction was also confirmed, complicating incident responders' ability to determine entry timing and lateral movement scope.
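The behavioural detections this page describes (outbound SOCKS5 connections from hosts that do not normally proxy traffic, a web-server parent spawning an unexpected child, binaries executing from temp directories on an appliance, and two independent tunnel candidates active on the same host, as in the redundant-channel case above) can be expressed as a small rule set over process and connection telemetry. The following is an added worked example, not code from this page, from the EarthWorm project, or from any reporting on CL-STA-1132. The event schema, the baseline sets (known proxy hosts, web-server parents, expected children) and the sample events are constructed assumptions; the only protocol fact used is the SOCKS5 client greeting layout from RFC 1928.

```python
"""Behavioural rules for spotting SOCKS5 tunnelling tools such as EarthWorm.

Added example. Event fields, baseline sets and sample events are assumptions
constructed for illustration, not telemetry from a real incident.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Assumed baseline: hosts that legitimately originate SOCKS5 traffic.
KNOWN_PROXY_HOSTS = {"proxy01"}
# Web-server processes that should not spawn arbitrary children (assumed set).
WEB_SERVER_PARENTS = {"nginx", "httpd", "apache2", "php-fpm"}
# Children a web server is expected to spawn in this environment (assumed allowlist).
EXPECTED_WEB_CHILDREN = {"php", "php-fpm"}
# Locations from which nothing should execute on a network appliance.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    name: str
    parent_name: str
    image_path: str


@dataclass(frozen=True)
class NetworkEvent:
    host: str
    pid: int              # process that opened the connection
    dest_ip: str
    dest_port: int
    initial_bytes: bytes  # first bytes the client sent (assumed capture field)


Finding = Tuple[str, str, str]  # (rule, host, detail)


def is_socks5_greeting(data: bytes) -> bool:
    """True if data is a complete SOCKS5 client greeting (RFC 1928):
    VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def detect(procs: Iterable[ProcessEvent], conns: Iterable[NetworkEvent]) -> List[Finding]:
    findings: List[Finding] = []
    by_pid: Dict[Tuple[str, int], ProcessEvent] = {(p.host, p.pid): p for p in procs}
    tunnel_pids: Dict[str, Set[int]] = {}  # host -> pids showing tunnel-like behaviour

    # Rules 1 and 2: process lineage and execution location.
    for p in by_pid.values():
        if p.parent_name in WEB_SERVER_PARENTS and p.name not in EXPECTED_WEB_CHILDREN:
            findings.append(("suspicious_lineage", p.host, f"{p.parent_name} -> {p.image_path}"))
        if p.image_path.startswith(TEMP_DIRS):
            findings.append(("temp_dir_execution", p.host, p.image_path))

    # Rules 3 and 4: outbound connections from hosts that are not baseline proxies.
    for c in conns:
        if c.host in KNOWN_PROXY_HOSTS:
            continue  # SOCKS5 from a known proxy is expected
        where = f"pid {c.pid} -> {c.dest_ip}:{c.dest_port}"
        suspicious = False
        if is_socks5_greeting(c.initial_bytes):
            findings.append(("unexpected_socks5", c.host, where))
            suspicious = True
        proc = by_pid.get((c.host, c.pid))
        # An encrypted tunnel hides the greeting, so also key on where the binary runs from.
        if proc is not None and proc.image_path.startswith(TEMP_DIRS):
            findings.append(("temp_binary_outbound", c.host, where))
            suspicious = True
        if suspicious:
            tunnel_pids.setdefault(c.host, set()).add(c.pid)

    # Rule 5: two or more independent tunnel candidates on one host (redundant C2 channels).
    for host, pids in tunnel_pids.items():
        if len(pids) >= 2:
            pid_list = ", ".join(str(p) for p in sorted(pids))
            findings.append(("redundant_tunnels", host, f"{len(pids)} tunnel candidates: pids {pid_list}"))
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_PROCS = [
    ProcessEvent("fw-edge-01", 4211, "svc", "nginx", "/tmp/.cache/svc"),
    ProcessEvent("fw-edge-01", 4300, "rsock", "sh", "/var/tmp/rsock"),
    ProcessEvent("proxy01", 900, "squid", "systemd", "/usr/sbin/squid"),
    ProcessEvent("web-02", 1500, "php", "php-fpm", "/usr/bin/php"),
]
SAMPLE_CONNS = [
    NetworkEvent("fw-edge-01", 4211, "203.0.113.10", 8888, b"\x05\x01\x00"),  # SOCKS5 greeting
    NetworkEvent("fw-edge-01", 4300, "198.51.100.7", 443, b"\x16\x03\x01"),   # TLS-looking, temp binary
    NetworkEvent("proxy01", 900, "203.0.113.55", 1080, b"\x05\x02\x00\x02"),  # baseline proxy host
    NetworkEvent("web-02", 1500, "10.0.0.5", 3306, b"\x4a\x00\x00"),          # ordinary DB client
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"{host:12} {rule:22} {detail}")
```

Run on the constructed sample, the rules fire only for the appliance: the temp-directory binary spawned by the web server, its plaintext SOCKS5 greeting, the second temp-directory binary talking outbound, and a redundant-tunnel finding that ties the two together; the baseline proxy and the database client produce nothing. The greeting check is deliberately secondary, since a tunnel that encrypts its transport will not show it, which is why the rule set also keys on execution location and lineage as the page recommends.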