
ReverseSocks5
Open-source reverse SOCKS5 proxy used alongside EarthWorm for redundant C2 tunnels.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for ReverseSocks5
Deployed by CL-STA-1132 alongside EarthWorm for C2 masking
Cybersecurity: Threats and Defences: CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmedWhat is a reverse SOCKS5 proxy in hacking?
Why do attackers use both EarthWorm and ReverseSocks5 together?
How do you detect SOCKS5 tunnelling malware?
Background
ReverseSocks5 is an open-source reverse SOCKS5 proxy tool used in penetration testing and offensive security operations. Where a standard SOCKS5 tunnel requires the compromised host to initiate an outbound connection to the attacker's server (which may be blocked by egress filtering), a reverse SOCKS5 configuration allows the attacker's server to receive inbound connections initiated by the implant on the victim, then forward attacker traffic back through those connections. This is useful in environments where outbound connections are restricted by firewall rules but inbound-originated tunnels can be established.
Like EarthWorm, ReverseSocks5 is a legitimate red-team tool rather than bespoke malware, which complicates signature-based detection. The tool runs as a portable binary, leaving minimal forensic artefacts on disk if deployed from temporary directories. Detection requires behavioural monitoring for unexpected outbound connection patterns or anomalous binary execution on high-value hosts such as network appliances.
In U#3, CL-STA-1132 deployed ReverseSocks5 alongside EarthWorm on compromised PAN-OS firewalls following exploitation of CVE-2026-0300 . Using two independent tunnelling tools simultaneously provided resilient C2 infrastructure: if defenders blocked one tunnel type or blocked connections to one set of attacker-controlled IPs, the alternate tunnel remained operational. The pair of tools is a recurring combination in Chinese-nexus intrusion sets that prioritise persistence and operational security.