Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 2 actors

gost

GOST is a proxy and tunneling tool observed in multiple intrusion sets as attacker infrastructure rather than as a standalone malware family. In the provided reporting, it was used to establish SOCKS5 proxies, HTTPS tunnels, reverse communication channels, and persistent tunnels that exposed internal services and maintained reliable external access from compromised environments. It was deployed alongside other tunneling utilities including FRP/frps, IOX Proxy, Wstunnel, and tunnel-core.exe variants.

The content links GOST to several threat contexts. Trend Micro reported its use in the China-aligned cyberespionage cluster SHADOW-EARTH-053 after exploitation of legacy Microsoft Exchange and IIS systems, including ProxyLogon vulnerabilities, where operators used GOST as part of post-compromise covert communications and operational redundancy. Elastic Security Labs documented TeamPCP using gost and frps inside compromised container and Kubernetes environments to proxy traffic and maintain persistent tunnels during multi-stage cloud-native intrusions. Separate reporting on the PCPcat campaign states that compromised Next.js servers downloaded scripts that installed GOST SOCKS5 proxy software and FRP reverse tunneling tools, with persistence implemented through auto-restarting systemd services including names such as pcpcat-gost.service.

Observed behaviors in the content include installation of GOST on compromised servers, use for SOCKS5 proxying, use inside containerized workloads, and long-lived deployment as attacker infrastructure. VulnCheck’s infrastructure analysis noted that GOST proxies often remained online for extended periods, with a reported median duration of 48 days and some instances persisting through a full 90-day observation window, indicating its role as durable operational infrastructure for threat actors. High-confidence indicators directly mentioned in the content include execution or installation references to GOST, persistent service naming such as pcpcat-gost.service, and association with attacker infrastructure at 67.217.57.240 in the PCPcat reporting where proxy and tunneling tooling was downloaded.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Shadow-Earth-053

Observed tooling included IOX Proxy, GOST, Wstunnel, and multiple tunnel-core.exe variants. These tools established SOCKS5 proxies, HTTPS tunnels, and reverse communication channels to attacker infrastructure.

via polyswarmblog.polyswarm.io
TeamPCP

Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments

via handlers diary fullisc.sans.edu
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002ToolEvidence1

Multiple groups “obtained and used” publicly available/open-source tools (e.g., APT28 used Koadic/Mimikatz/Responder; APT29 used Mimikatz/SDelete/Tor/meek/Cobalt Strike; many others acquired tools such as PsExec, Impacket, Metasploit, etc.).

Initial Access

2 techniques
T1133External Remote ServicesEvidence1

Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments

T1190Exploit Public-Facing ApplicationEvidence1

The primary payload, tplink_stager.sh, was designed for post-exploitation of CVE-2024-21833, an OS command injection vulnerability affecting TP-Link Archer and Deco series routers.

Persistence

3 techniques
T1133External Remote ServicesEvidence1

Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments

T1543.002Systemd ServiceEvidence1

Persistence was achieved via six systemd services... TeamPCP proxy.sh creates six systemd services with Restart=always.

T1543.003Windows ServiceEvidence1

They made Localtonet persistent with the help of Non-Sucking Service Manager (NSSM)... If the -p flag is specified... a service for the Gost tool will be installed... If -t key is passed... it installs and configures cloudflared in the system.

Privilege Escalation

2 techniques
T1543.002Systemd ServiceEvidence1

Persistence was achieved via six systemd services... TeamPCP proxy.sh creates six systemd services with Restart=always.

T1543.003Windows ServiceEvidence1

They made Localtonet persistent with the help of Non-Sucking Service Manager (NSSM)... If the -p flag is specified... a service for the Gost tool will be installed... If -t key is passed... it installs and configures cloudflared in the system.

Command and Control

7 techniques
T1071Application Layer ProtocolEvidence3

Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host... Cloudflared tunnels traffic through the Cloudflare network.

T1090ProxyEvidence13

Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments.

T1090.002External ProxyEvidence2

Several entries mention use of proxy and tunneling tools including PLINK, Venom proxy, GOST reverse proxy, Ligolo, Cloudflared, rsocx reverse proxy, Iox proxy tool, NPS tunneling tool, and AirVPN.

T1090.003Multi-hop ProxyEvidence1

Observed tooling included IOX Proxy, GOST, Wstunnel, and multiple tunnel-core.exe variants. These tools established SOCKS5 proxies, HTTPS tunnels, and reverse communication channels to attacker infrastructure.

T1105Ingress Tool TransferEvidence5

After exploiting the business automation platform server, attackers downloaded and installed the PhantomJitter backdoor... The backdoor was downloaded into the victims’ infrastructure from the following URLs...

T1571Non-Standard PortEvidence1

ShadowLink on port 7443; TeamPCP staging on 666, FRP on 888.

T1572Protocol TunnelingEvidence5

TeamPCP FRP reverse tunnel from victim SOCKS5 to C2:890.

INDICATORS OF COMPROMISE

IOCs tracked for this family

13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
13 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app1 month ago
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
polyswarmNews
May 15, 2026
SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments

A tunneling/proxy framework used for covert communications and persistence inside victim networks.

Read more
handlers diary fullNews
Apr 3, 2026
TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments

Used by TeamPCP to establish persistent tunnels and proxy traffic through compromised container environments.

Read more
elastic security labsNews
Mar 1, 2026
Linux & Cloud Detection Engineering - TeamPCP Container Attack Scenario - Elastic Security Labs

Tunneling/proxy tool used to establish connectivity, relay traffic, and maintain external access from compromised containers.

Read more
cyber security newsNews
Dec 24, 2025
Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours

A SOCKS5 proxy tool used to enable remote access and pivoting from compromised servers.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching13

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping12

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.