SocksProxyGo

Malware

⚠️ Overview

SocksProxyGo is a Go-based proxy malware first publicly documented in May 2024 by threat researchers at Lumen's Black Lotus Labs. It runs a SOCKS5 proxy on infected devices so that attackers can route malicious traffic through them. The malware is attributed to a Chinese-aligned threat group tracked as Earth Estries (also known as Evasive Panda or TG-3390), based on overlapping infrastructure and TTPs. It falls under the proxy malware and botnet categories and is used primarily for network pivoting and for anonymizing command-and-control (C2) communications.

🔧 Technical Capabilities

SocksProxyGo establishes a persistent SOCKS5 proxy on the infected host by creating a service named “SocksProxyGo” or by using scheduled tasks, allowing remote operators to tunnel arbitrary TCP traffic. It communicates with its C2 server over HTTPS using a custom protocol that XOR-encrypts and Base64-encodes its traffic, as detailed in the Black Lotus Labs report (2024-05-07). Initial access comes from exploiting vulnerabilities in public-facing applications, notably CVE-2023-46604 (Apache ActiveMQ) and CVE-2023-25194 (Apache Kafka), both of which allow unauthenticated remote code execution. The malware evades detection by shipping as a UPX-packed Go binary, running as a legitimate-looking Windows service, and checking for sandbox environments before executing malicious payloads. It also implements a kill-switch domain check that stops execution if certain analysis tools are detected.

📜 History & Notable Incidents

SocksProxyGo was first observed in active campaigns in November 2023, with the earliest samples analyzed by Black Lotus Labs in December 2023. A major campaign in March–May 2024 targeted organizations in the telecommunications, energy, and government sectors in the United States and Asia-Pacific, exploiting the aforementioned CVEs. No law enforcement takedowns have been publicly recorded as of June 2025, but multiple vendor reports (e.g., Palo Alto Networks Unit 42, Trend Micro) reference the malware in connection with Earth Estries’ broader activity.

🔍 Detection Indicators

Known SHA256 hashes include a9f5b0c... (from Black Lotus Labs samples, truncated for length) and e3d2f1... (Palo Alto Unit 42 report). Behavioral indicators include the creation of a Windows service named “SocksProxyGo”, outbound HTTPS connections to domains like dynupd[.]com and lootup[.]net, and the presence of a file named socksproxygo.exe in the %TEMP% or %ProgramData% directories. Network IOCs include User-Agent strings such as “Go-http-client/1.1” and specific non-standard TLS fingerprints.

☠️ Risk & Impact

SocksProxyGo enables network pivoting and data exfiltration by letting attackers tunnel through compromised hosts, a capability often used as a stepping stone before ransomware deployment or credential theft. The financial impact is difficult to quantify directly, but incidents involving Earth Estries have led to operational disruption in critical infrastructure sectors, with recovery costs estimated in the tens of millions.

🛡️ Mitigation

Defenses include patching CVE-2023-46604 and CVE-2023-25194 immediately, enabling endpoint detection rules that flag UPX-packed Go binaries creating proxy services, and monitoring for outbound HTTPS to known bad domains. YARA rules published by Lumen (2024-05-07) and Sigma rules from the SOC Prime platform provide detection signatures; SIEM correlation on service creation events (Windows System log event ID 7045, “A service was installed in the system”, with service name “SocksProxyGo”) is recommended.
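As an added example (not code from Lumen, Boteraser, or any vendor report), a small Python detector for the indicators listed on this page: the event ID 7045 service install, the staging paths, the C2 domains, and the User-Agent. The event dict fields and the proxy log line format are constructed assumptions, not a real SIEM schema.

```python
import re

# Indicators from the profile above (defanged domains written literally).
SERVICE_NAME = "socksproxygo"
FILE_NAME = "socksproxygo.exe"
BAD_DOMAINS = {"dynupd.com", "lootup.net"}
# Go's default net/http User-Agent; common in benign traffic, so it is only
# a weak signal and counts solely when the destination is a listed domain.
GO_UA = "Go-http-client/1.1"
STAGING_DIRS = re.compile(r"\\(temp|programdata)\\", re.IGNORECASE)


def check_service_event(event):
    """Reasons a parsed System-log event (assumed dict schema) matches, or []."""
    if event.get("EventID") != 7045:  # Service Control Manager: service installed
        return []
    reasons = []
    if event.get("ServiceName", "").lower() == SERVICE_NAME:
        reasons.append("service named SocksProxyGo")
    path = event.get("ImagePath", "").lower().strip('"')
    if path.endswith(FILE_NAME) and STAGING_DIRS.search(path):
        reasons.append("socksproxygo.exe under %TEMP% or %ProgramData%")
    return reasons


def check_proxy_line(line):
    """Score a constructed proxy log line: '<ts> CONNECT host:port "UA"'."""
    m = re.match(r'\S+ CONNECT ([^:\s]+):\d+ "([^"]*)"', line)
    if not m:
        return 0
    host, ua = m.group(1).lower(), m.group(2)
    hit = host in BAD_DOMAINS or any(host.endswith("." + d) for d in BAD_DOMAINS)
    score = 2 if hit else 0
    if hit and ua == GO_UA:
        score += 1  # Go client talking to a listed C2 domain: stronger match
    return score


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "SocksProxyGo",
     "ImagePath": r"C:\ProgramData\socksproxygo.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7036, "ServiceName": "SocksProxyGo", "ImagePath": ""},
]
SAMPLE_PROXY_LOG = """\
2024-05-07T10:00:01Z CONNECT dynupd.com:443 "Go-http-client/1.1"
2024-05-07T10:00:02Z CONNECT update.example.org:443 "Go-http-client/1.1"
2024-05-07T10:00:03Z CONNECT cdn.lootup.net:443 "Mozilla/5.0"
"""


def scan(events, proxy_log):
    """Return (service hits, scored proxy lines) over the given telemetry."""
    svc = [(e["ServiceName"], r) for e in events if (r := check_service_event(e))]
    net = [(ln, s) for ln in proxy_log.splitlines() if (s := check_proxy_line(ln))]
    return svc, net
```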

🛡️ Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.