1. Home
  2. Techniques
  3. Enterprise
  4. Proxy
  5. Multi-hop Proxy

Proxy: Multi-hop Proxy

ID Name
T1090.001 Internal Proxy
T1090.002 External Proxy
T1090.003 Multi-hop Proxy
T1090.004 Domain Fronting

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

For example, adversaries may construct or use onion routing networks – such as the publicly available Tor network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.[1] Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.[2]

In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.

Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.[3]

ID: T1090.003
Sub-technique of:  T1090
Tactic: Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Eduardo Chavarro Ovalle
Version: 2.4
Created: 14 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0007 APT28

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[4]
G0016 APT29

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.[5][6]
S0438 Attor

Attor has used Tor for C2 communication.[7]
S1184 BOLDMOVE

BOLDMOVE is capable of relaying traffic from command and control servers to follow-on systems.[8]
C0004 CostaRicto

During CostaRicto, the threat actors used a layer of proxies to manage C2 communications.[9]

S0687 Cyclops Blink

Cyclops Blink has used Tor nodes for C2 traffic.[10]
S0281 Dok

Dok downloads and installs Tor via homebrew.[11]
S0384 Dridex

Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[12]
G1003 Ember Bear

Ember Bear has configured multi-hop proxies via ProxyChains within victim environments.[13]
G0085 FIN4

FIN4 has used Tor to log in to victims' email accounts.[14]
C0053 FLORAHOX Activity

FLORAHOX Activity has routed traffic through a customized Tor relay network layer.[2]
S1144 FRP

The FRP client can be configured to connect to the server through a proxy.[15]
G0047 Gamaredon Group

Gamaredon Group has used Tor for C2 traffic.[16]

S0342 GreyEnergy

GreyEnergy has used Tor relays for Command and Control servers.[17]
G0100 Inception

Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.[18]
S0604 Industroyer

Industroyer used Tor nodes for C2.[19]
S0276 Keydnap

Keydnap uses a copy of tor2web proxy for HTTPS communications.[20]
S0641 Kobalos

Kobalos can chain together multiple compromised machines as proxies to reach their final targets.[21][22]
G0065 Leviathan

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[23]
G0030 Lotus Blossom

Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments.[24]
S0282 MacSpy

MacSpy uses Tor for command and control.[11]
G1051 Medusa Group

Medusa Group has used TOR nodes for communications.[25][26][27]
S1106 NGLite

NGLite has abused NKN infrastructure for its C2 communication.[3]
S1100 Ninja

Ninja has the ability to use a proxy chain with up to 255 hops when using TCP.[28]
S1107 NKAbuse

NKAbuse has abused the NKN public blockchain protocol for its C2 communications.[29][30]
C0014 Operation Wocao

During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.[31]
C0055 Quad7 Activity

Quad7 Activity has routed traffic through chains of compromised network devices for password spray attacks.[32]
C0056 RedPenguin

During RedPenguin, UNC3886 used infrastructure associated with operational relay box (ORB) networks.[33]
C0059 Salesforce Data Exfiltration

During Salesforce Data Exfiltration, threat actors used Tor IPs for voice calls and for the collection of stolen data.[34]
S0623 Siloscape

Siloscape uses Tor to communicate with C2.[35]
C0052 SPACEHOP Activity

SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.[2]
S0491 StrongPity

StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[36]
S0183 Tor

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[37]
S0022 Uroburos

Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.[38]
S0386 Ursnif

Ursnif has used Tor for C2.[39][40]
G1017 Volt Typhoon

Volt Typhoon has used multi-hop proxies for command-and-control infrastructure.[41]
S0366 WannaCry

WannaCry uses Tor for command and control traffic.[42]
G0128 ZIRCONIUM

ZIRCONIUM has utilized an ORB (operational relay box) network – consisting compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to proxy traffic.[2]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0359 Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling AN1020

Suspicious processes (e.g., Tor clients, relays, unknown binaries) launch with sustained encrypted outbound traffic to known anonymity infrastructure (e.g., Tor, I2P), and may relay to additional internal systems via reverse proxying, ICMP tunneling, or socket forwarding.
AN1021

Tools such as tor, nglite, proxychains, chisel, or custom daemons repeatedly initiate outbound sessions to multiple nodes before final destination. This behavior is abnormal for Linux services outside of VPN, monitoring, or CDN relay contexts.
AN1022

LaunchAgents or LaunchDaemons initiate persistent Tor or relay processes that make encrypted outbound connections. May be paired with sandbox bypasses or unsigned executables communicating over SOCKS proxies.
AN1023

Outbound encrypted traffic initiated from hypervisor shell or via VM backdoor mechanisms to relays in VPS infrastructure, especially if traversing multiple nodes before reaching Internet destination. Packet captures or firewall logs show non-VM communication paths.
AN1024

Encrypted traffic or ICMP tunneling from border routers to internal routers or unknown external IPs. Forwarded traffic shows consistent hop-to-hop relaying without matching configured VPN or expected network topology.

References

  1. Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.
  2. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  3. Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.
  4. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  5. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  6. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  7. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  8. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
  9. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  10. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  11. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  12. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  13. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  14. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  15. fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
  16. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025.
  17. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  18. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  19. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  20. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  21. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  1. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  2. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  3. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  4. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025.
  5. Check Point. (2025, April 16). The 2025 Ransomware Surge: Context for Medusa’s Rise. Retrieved October 15, 2025.
  6. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
  7. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  8. Bill Toulas. (2023, December 14). New NKAbuse malware abuses NKN blockchain for stealthy comms. Retrieved February 8, 2024.
  9. KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
  10. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  11. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
  12. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.
  13. Google Threat Intelligence Group. (2025, June 4). The Cost of a Call: From Voice Phishing to Data Extortion. Retrieved October 22, 2025.
  14. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  15. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  16. Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  17. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  18. NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.
  19. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  20. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  21. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.