Proxy Through Victim

Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.[1]

The most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the Proxy API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.

ID: T1604
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
Version: 1.1
Created: 30 November 2020
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0522 Exobot

Exobot can open a SOCKS proxy connection through the compromised device.[1]

S1067 FluBot

FluBot can use a SOCKS proxy to evade C2 IP detection.[2]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Flow

Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.