3proxy
3proxy is a tiny freeware/open-source proxy server and dual-use networking tool that has been observed embedded in, or deployed alongside, malicious tooling.

In the reporting summarized here it is described as embedded in a malicious Windows backdoor linked to LaiXi Android Screen Mirroring; researchers assessed with high confidence that the embedded 3proxy binary was intended to monitor and intercept network traffic on infected systems. That backdoor installed itself as the Windows service "CatalogWatcher" and used the XOR-obfuscated C2 domain catalog[.]micrisoftdrivers[.]com; Sophos detected the malware family as Mal/Proxcat-A.

3proxy was also reported as a tool used to maintain access in activity associated with the North Korean-aligned Andariel cluster: one sample was compiled on 2020-09-09 and deployed to a victim on 2020-12-25, preceding DTrack and Maui ransomware in the same environment. U.S. government and industry reporting further list 3Proxy among the open-source/dual-use tools used or customized by Andariel (also tracked as Onyx Sleet, Silent Chollima and Stonefly), including in campaigns targeting the defense, aerospace, nuclear, engineering, medical, and energy sectors. Cisco Talos additionally reported Lazarus-linked intrusions against energy providers in which the attackers used 3proxy (assessed to be the file osc.exe) to create proxied and reverse-tunneled access into victim networks. High-confidence identifiers from the reporting include the filenames osc.tmp and osc.exe associated with 3proxy in one intrusion set.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Suspicious 3proxy tool... The '3Proxy' tool... was compiled on 2020-09-09 and deployed to the victim on 2020-12-25... used... to maintain access."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic:
- Initial Access: 1 technique
- Defense Impairment: 1 technique
- Credential Access: 1 technique
- Collection: 1 technique
- Command and Control: 4 techniques
The suspicious file embeds a tiny freeware proxy server, called 3proxy... We assess that this embedded binary is intended to monitor and intercept network traffic on an infected system.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news:
- A legitimate freeware proxy server embedded inside the malicious backdoor, assessed to be used for monitoring and intercepting network traffic on infected systems.
- Legitimate proxy utility abused to stand up a local SOCKS/HTTP proxy on compromised hosts; used with SSH reverse tunneling (plink) to provide attacker-side access into victim networks.
- Legitimate proxy/tunneling tool abused by the actor post-compromise to maintain access and support operations inside victim networks.