
EarthWorm
Open-source SOCKS5 tunnel tool used by CL-STA-1132 for C2 masking on PAN-OS firewalls.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for EarthWorm
Deployed by CL-STA-1132 for lateral movement and C2 masking
Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmedWhat is EarthWorm tunnel tool?
How do attackers use EarthWorm for command and control?
How can organisations detect EarthWorm on their network?
Background
EarthWorm is an open-source, lightweight SOCKS5 tunnelling tool commonly used in penetration testing and red team operations. It enables operators to create encrypted SOCKS5 proxy tunnels through a compromised host, routing traffic between attacker infrastructure and internal network segments that would otherwise be unreachable. EarthWorm operates as a portable single-binary tool, requiring no installation, which reduces its forensic footprint on compromised systems.
Because EarthWorm is a legitimate open-source pen-test tool rather than bespoke malware, it is sometimes categorised as a "living-off-the-land" binary (LoLBin) equivalent in the tunnelling tool class. Defenders face a detection challenge: EarthWorm traffic resembles legitimate SOCKS5 proxy traffic, and its use by attackers may not trigger signature-based detections tuned for known malware. Defenders must rely on behavioural detection — unexpected outbound SOCKS5 connections from systems that do not normally originate them — or on process lineage analysis to identify unexpected parent processes spawning EarthWorm.
In U#3, CL-STA-1132 deployed EarthWorm alongside ReverseSocks5 on compromised PAN-OS firewalls after exploiting CVE-2026-0300 . The combination of two independent SOCKS5 tunnelling tools provided redundant C2 channels, ensuring continued access even if one tunnel was blocked. Log destruction was also confirmed, complicating incident responders' ability to determine entry timing and lateral movement scope.