Malware · Ransomware · Used by 5 actors

Resocks

Resocks is a reverse SOCKS5 proxy utility used to tunnel traffic and turn a compromised host into a relay point for attacker access. Public reporting describes it as a readily available proxy tool from GitHub and notes observed samples built with the Go obfuscation utility garble. It has been used by multiple threat actors and clusters as post-compromise infrastructure rather than as a standalone payload.

Reported users include the ransomware group Crypt Ghouls, the espionage-focused Hydra Saiga / Yorotrooper / ShadowSilk / Silent Lynx cluster, and the espionage cluster Curly COMrades. In Crypt Ghouls intrusions targeting Russian businesses and government agencies, resocks was used alongside AnyDesk and Localtonet for remote access and tunneling after initial access via compromised contractor credentials over VPN. One observed sample was configured to connect back to 91.142.73[.]178 in the VDSina network using a specified connection key. Kaspersky also reported overlap between Crypt Ghouls and MorLock through use of the same resocks utility.

In Hydra Saiga activity targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East, resocks was part of a broader hands-on-keyboard post-exploitation toolkit that also included Havoc and Meterpreter. The actor used WMI or PsExec to deploy a reverse SOCKS5 proxy client for lateral movement and remote operations.

In Curly COMrades operations targeting judicial and government entities in Georgia and an energy distribution company in Moldova, Resocks was the most frequently observed proxy tool. The actor used it with SSH and Stunnel to establish multiple entry points into victim networks and to relay remote command execution. Persistence for proxy tooling was maintained via scheduled tasks and Windows services with names chosen to resemble legitimate components. Observed Resocks C2 endpoints in that reporting included 91.107.174[.]190, 96.30.124[.]103, 194.87.31[.]171, 75.127.13[.]136, 94.131.109[.]91, and 207.180.194[.]109, commonly over port 443 and in one case port 8443.

Overall, the available reporting supports a high-confidence characterization of Resocks as a reverse SOCKS5 proxy/tunneling tool used for covert remote access, traffic relay, and lateral movement in both ransomware and espionage operations.
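As an added hunting example (not code from the page or from any vendor cited on it), the following Python matches constructed network-connection telemetry against the Resocks C2 addresses and ports reported above; the CSV shape and the sample rows are assumptions made for the example.

```python
# Hunt for outbound connections to the Resocks C2 endpoints named on this page.
# Assumptions (not from the page): telemetry is Sysmon Event ID 3-style
# network-connection records flattened to CSV; all sample rows are constructed.
import csv
import io

# C2 endpoints as given in the reporting summarised above, kept defanged so
# they are not resolved by accident; 443/8443 are the ports that reporting saw.
RESOCKS_C2_DEFANGED = [
    "91.142.73[.]178",                                          # Crypt Ghouls
    "91.107.174[.]190", "96.30.124[.]103", "194.87.31[.]171",   # Curly COMrades
    "75.127.13[.]136", "94.131.109[.]91", "207.180.194[.]109",  # Curly COMrades
]
RESOCKS_C2_PORTS = {443, 8443}


def refang(ioc):
    """Turn the '[.]' defanging used in CTI write-ups back into a plain IP."""
    return ioc.replace("[.]", ".")


def hunt_resocks(log_csv):
    """One alert per connection to a known Resocks C2 IP: 'high' confidence on a
    reported port, 'medium' on any other port, since ports are operator-chosen."""
    c2 = {refang(i) for i in RESOCKS_C2_DEFANGED}
    alerts = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["dst_ip"] not in c2:
            continue
        port = int(row["dst_port"])
        alerts.append({
            "host": row["host"],
            "dst": f"{row['dst_ip']}:{port}",
            "image": row["image"],
            "confidence": "high" if port in RESOCKS_C2_PORTS else "medium",
        })
    return alerts


# Constructed sample telemetry; the last row is benign and must not match.
SAMPLE_LOG = """host,dst_ip,dst_port,image
WS-014,91.107.174.190,443,C:\\ProgramData\\update.exe
WS-014,207.180.194.109,8443,C:\\ProgramData\\update.exe
SRV-02,91.142.73.178,1080,C:\\Windows\\Temp\\rs.exe
WS-021,203.0.113.5,443,C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

if __name__ == "__main__":
    for alert in hunt_resocks(SAMPLE_LOG):
        print(alert)
```

An IP-only match is still worth triage because the page notes that the same tool is shared across several clusters, so ports and hosting may differ per operator.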

THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers.

Crypt Ghouls

"Resocks is a reverse SOCKS5 proxy for tunneling traffic."

via securelist (securelist.com)

MorLock

"Resocks is a reverse SOCKS5 proxy for tunneling traffic."

via securelist (securelist.com)

Shedding Zmiy

"Resocks is a reverse SOCKS5 proxy for tunneling traffic."

via securelist (securelist.com)

Curly COMrades

"Additional tools include the Go-based Resocks proxy..."

via sentinelone blog (sentinelone.com)

Hydra Saiga

"These tools were commonly packaged in password-protected RAR archives, and ranged from reverse proxy clients like resocks and tunnelling software like chisel..."

via vmray blog (vmray.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002 Tool (evidence: 1)

Open-source tools: Neo-reGeorg, resocks, revsocks, patator

Execution

1 technique
T1047 Windows Management Instrumentation (evidence: 1)

"used either Windows Management Instrumentation (WMI) or PsExec to download and execute a reverse socks5 proxy client"

Lateral Movement

1 technique
T1021.006 Windows Remote Management (evidence: 1)

"used either Windows Management Instrumentation (WMI) or PsExec"

Command and Control

3 techniques
T1090.001 Internal Proxy (evidence: 1)

...resocks SOCKS5 proxy for remote access

T1090.002 External Proxy (evidence: 2)

Localtonet provides an encrypted tunnel for connecting to that host from an external network... Resocks is a reverse SOCKS5 proxy for tunneling traffic.

T1572 Protocol Tunneling (evidence: 1)

"tunnelling software like chisel"; "reverse socks5 proxy client"

INDICATORS OF COMPROMISE

IOCs tracked for this family

13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network (10 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (1 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (2 tracked): other indicator types observed in public reporting.
