IOX
IOX is an open-source port-forwarding and intranet proxy/tunneling tool written in Go, used by threat actors to establish covert communication channels, reverse communication paths, and network pivoting inside compromised environments. Public reporting describes IOX being used alongside other tunneling utilities such as FRP/FRPS, GOST, Wstunnel, and SoftEther VPN to create SOCKS5 proxies, HTTPS tunnels, and port-forwarding paths to attacker-controlled infrastructure. It has been observed as a fallback proxy tool when other tooling failed, and in some cases as a customized variant.
Reporting associates IOX use with multiple China-aligned espionage clusters and campaigns. Unit 42 reported CL-STA-0048 using iox as an alternative proxy or port-forwarding tool after using Stowaway during intrusions targeting high-value organizations in South Asia, including a telecommunications entity, following exploitation attempts against IIS, Apache Tomcat/ColdFusion, and MSSQL servers. ESET reported Webworm continuing to use iox in 2025 together with frp and custom proxy tooling while targeting government entities in Belgium, Italy, Serbia, and Poland, as well as a university in South Africa. Trend Micro reported SHADOW-EARTH-053 using IOX Proxy with GOST and Wstunnel after exploiting unpatched Microsoft Exchange and IIS systems via the ProxyLogon chain and deploying ShadowPad in intrusions affecting government, defense-adjacent, transportation, technology, and critical infrastructure organizations across Asia, with at least one victim in Poland. Additional reporting states that Cinnamon Tempest used a customized version of the Iox port-forwarding and proxy tool. Unit 42 also listed IOX among tunneling utilities used by TGR-STA-1030/UNC6619 in the Shadow Campaigns, a large espionage operation targeting government and critical infrastructure organizations across 37 countries.
High-confidence behavior directly described in available reporting is limited to proxying and tunneling: IOX provides port forwarding and intranet proxy capability and is used to tunnel selected network traffic, maintain covert communications, and support attacker access within victim networks. No IOX-specific persistence mechanism, payload delivery behavior, or standalone indicators of compromise for the tool itself are provided in that reporting.
Groups observed using it
5 distinct threat actors attributed by public researchers.
While the group continued to use existing proxy solutions, specifically the Go-written iox (port forwarding and intranet proxy tool) and frp (fast reverse proxy)
Observed tooling included IOX Proxy, GOST, Wstunnel, and multiple tunnel-core.exe variants. These tools established SOCKS5 proxies, HTTPS tunnels, and reverse communication channels to attacker infrastructure.
Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool.
“Network tunneling was achieved using GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.”
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Persistence: 2 techniques
Defense Impairment: 1 technique
Lateral Movement: 2 techniques
Command and Control: 6 techniques
The threat sideloaded the malicious DLLs to the legitimate binaries to load Stowaway, a multi-hop proxy tool... After failing to load the malicious DLLs, the threat actor tried to use another tool for the same purpose: iox, a port forward and intranet proxy tool.
Several entries mention use of proxy and tunneling tools including PLINK, Venom proxy, GOST reverse proxy, Ligolo, Cloudflared, rsocx reverse proxy, Iox proxy tool, NPS tunneling tool, and AirVPN.
The threat actor abused certutil to download the PlugX component from a remote domain... Once the threat actor gained a foothold inside the network, they attempted to upload additional tools.
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
An existing Go-written port forwarding and intranet proxy tool used by Webworm as part of its proxy infrastructure.
A tunneling/proxy tool used to establish covert outbound communications, including SOCKS5 proxying and reverse channels, to maintain persistence and operational redundancy.
A proxy tool used to create covert communication channels within the intrusion.
Tunneling/pivoting tool used to route traffic and facilitate lateral movement within victim networks.