Technique ID: T1090
Category: MITRE ATT&CK
Tactic: Command and Control
Published: March 2026

T1090: Proxy

An adversary's command-and-control traffic has to get from the compromised host to the C2 server, but it does not have to take a direct path. Proxies let adversaries route that traffic through intermediary systems, hiding the true destination of C2 communications and making attribution and detection far harder. A compromised end-of-life SOHO router in a US home relays traffic between a Chinese espionage group and its targets in US critical infrastructure. A chain of Tor relays wraps C2 communications in layers of encryption across multiple jurisdictions. A CDN routing trick makes malicious HTTPS traffic appear to be bound for a trusted cloud service. In 2024, Mandiant documented the rise of Operational Relay Box (ORB) networks: purpose-built proxy infrastructure, administered by contractors and shared by multiple China-nexus APT groups, that cycles its nodes fast enough to turn indicator-based detection into a losing race. T1090 is the technique that keeps adversaries hidden, and its evolution toward industrialized proxy networks is one of the defining challenges for network defenders.

ORB networks are making IOC-based detection obsolete

In May 2024, Mandiant published research documenting how Chinese state-sponsored groups have industrialized their proxy infrastructure through Operational Relay Box (ORB) networks. These networks, operated by third-party contractors rather than the APT groups themselves, consist of compromised SOHO routers, IoT devices, and leased VPS servers chained together to form mesh proxy networks that multiple espionage groups share. Because the infrastructure constantly cycles, traditional indicators of compromise (IP addresses, domains) become useless within days. The KV-Botnet, which the FBI disrupted in January 2024, consisted of hundreds of compromised Cisco and Netgear end-of-life routers that Volt Typhoon used to proxy its traffic through US-based SOHO devices, making espionage traffic appear as legitimate residential internet activity. T1090 has four sub-techniques covering internal proxies, external proxies, multi-hop proxies (including ORBs and Tor), and domain fronting.

T1090 falls under the Command and Control tactic (TA0011). Proxying is fundamentally about interposing systems between the adversary's C2 infrastructure and the victim, creating indirection that defeats network monitoring, threat intelligence correlation, and geographic attribution. Unlike other C2 techniques that focus on the protocol or encoding of traffic, T1090 focuses on the routing path the traffic takes — how many hops it traverses, what devices it passes through, and how many layers of obfuscation separate the adversary's true infrastructure from the defender's visibility.

The technique spans every platform — Windows, Linux, macOS, ESXi, and network devices. Network devices are particularly important for T1090 because compromised routers, firewalls, and VPN appliances serve as ideal proxy points: they sit at network boundaries, handle traffic routing as their primary function, and their traffic patterns are inherently diverse and voluminous, making it trivial for adversarial proxy traffic to blend in.

The Four Sub-Techniques

T1090.001 — Internal Proxy

Adversaries use a compromised internal system as a proxy to relay C2 traffic within the victim's network. This reduces the number of hosts making outbound connections to external infrastructure (limiting exposure) and lets adversaries route traffic along trusted internal communication paths. Tools like HTRAN and ZXProxy, and the built-in netsh interface portproxy command, enable traffic redirection through internal systems. Volt Typhoon has been observed using netsh portproxy on compromised systems to create port forwarding rules that relay traffic internally. In the "Nearest Neighbor Attack" documented by Volexity in November 2024, APT28 (Fancy Bear) compromised an organization physically near its real target and used one of that organization's dual-homed (wired plus Wi-Fi) hosts as a relay onto the target's enterprise Wi-Fi. APT39 (Chafer) has used internal proxies to consolidate C2 traffic from multiple compromised systems within targeted networks in the Middle East.

T1090.002 — External Proxy

Adversaries use external systems (compromised third-party infrastructure, purchased VPS servers, or cloud resources) as intermediaries between the victim and the C2 server. The victim's system communicates with the proxy, and the proxy forwards traffic to the actual C2 server, hiding the true C2 destination from network monitoring. APT28 has used compromised servers and purchased infrastructure for external proxy operations. QakBot uses compromised systems as external proxies in its tiered C2 architecture. Storm-0940, a Chinese threat actor, relies on CovertNetwork-1658, a botnet of compromised SOHO routers (predominantly TP-Link devices) that launches password spray attacks from residential IP space, and then uses the harvested credentials for its own intrusions, as documented by Microsoft in October 2024. APT10 (menuPass) routes traffic through compromised managed service providers, making espionage activity appear as legitimate network traffic from trusted business partners.

T1090.003 — Multi-hop Proxy

Adversaries chain multiple proxies together to create layers of indirection, making it nearly impossible to trace traffic back to its origin. The most prominent implementations are Tor (the onion routing network), ORB networks, and custom multi-hop proxy chains. The Attor espionage platform uses Tor for its encrypted C2 communications. APT29 (NOBELIUM) has been documented using Tor and multi-hop proxy chains in its operations. The CRASHOVERRIDE malware, used in attacks on Ukrainian power infrastructure, used multi-hop proxies to hide its operators' location.

The emergence of Chinese-operated ORB networks in 2024 has transformed this sub-technique. ORB networks like SPACEHOP (tracked by Mandiant as ORB3) consist of globally distributed nodes — compromised SOHO routers, IoT devices, and leased VPS infrastructure — that create mesh networks serving multiple APT groups simultaneously. Unlike traditional botnets that serve a single operator, ORB networks are operated as shared infrastructure by third-party contractors who rent access to various Chinese espionage groups. This shared-use model further complicates attribution because multiple threat actors generate traffic through the same proxy nodes.

T1090.004 — Domain Fronting

Adversaries exploit CDN routing to make C2 traffic appear to be going to a legitimate, trusted domain. The technique uses different domain names in the TLS Server Name Indication (SNI) field and the HTTP Host header. If both domains are hosted on the same CDN, the CDN terminates TLS and routes the request to the origin named in the HTTP Host header, so the traffic appears to go to a trusted domain but is actually delivered to the adversary's infrastructure. A "domainless" variant sends a blank SNI to bypass CDN validation that checks for an SNI/Host match. APT29 has used domain fronting through CDN services to conceal its C2 traffic. Meek, a Tor pluggable transport, uses domain fronting to disguise Tor traffic as connections to cloud services. The largest CDNs have since restricted the technique (Google and Amazon began rejecting SNI/Host mismatches in 2018, and Microsoft enforced the same on Azure in 2022), so fronting today depends on smaller CDNs and on edges that still skip the check.

How Proxy Infrastructure Works

SOHO router botnets. The most impactful development in proxy infrastructure has been the weaponization of end-of-life SOHO routers as proxy nodes. The KV-Botnet, documented by Lumen's Black Lotus Labs and linked to Volt Typhoon, compromised hundreds of Cisco RV320/325, Netgear ProSAFE, and DrayTek Vigor routers, plus Axis IP cameras. The malware ran almost entirely in memory and removed its files from disk, so a reboot wiped the infection and left little for forensic analysis, while the operators simply reinfected devices that remained exposed. The compromised devices were chained into a covert data transfer network, with the SOHO devices acting as relay nodes. Because these routers sit in homes and small businesses across the United States, traffic leaving them looks like legitimate residential internet activity rather than foreign espionage traffic.

ORB network architecture. Mandiant classifies ORB networks into two types: provisioned networks (made up of commercially leased VPS infrastructure) and non-provisioned networks (built from compromised IoT devices, SOHO routers, and end-user systems). ORB administrators rely on autonomous system number (ASN) providers across different countries to reduce dependence on any single nation's internet infrastructure. The ORB3 (SPACEHOP) network, used by multiple China-nexus threat actors, has globally distributed exit nodes across the US, Europe, and the Middle East. This architecture makes traditional IOC-based detection fundamentally insufficient because the proxy nodes cycle constantly, infrastructure is shared across multiple APT groups, and the traffic originates from IP addresses that appear to be legitimate residential or business connections.

Port forwarding and netsh portproxy. On compromised Windows systems, adversaries use the built-in netsh interface portproxy context to create port forwarding rules (netsh interface portproxy add v4tov4 listenaddress=<addr> listenport=<port> connectaddress=<addr> connectport=<port>) that relay traffic between internal and external systems. Volt Typhoon has been specifically documented using this technique. The CISA/NSA Volt Typhoon advisory lists netsh interface portproxy show v4tov4 and netsh interface portproxy show all among the commands the group runs during post-compromise reconnaissance to enumerate existing port proxy configurations.

Tor and onion routing. Tor provides free, globally available multi-hop proxy infrastructure with strong encryption and anonymity guarantees. The Attor espionage platform routes all C2 communications through Tor, making traffic tracing nearly impossible. However, Tor usage itself is detectable (connections to known Tor entry guards, distinctive TLS patterns), so sophisticated adversaries often combine Tor with additional obfuscation layers or use Tor pluggable transports like obfs4 or meek that disguise Tor traffic as other protocols.

Why Proxy Abuse Matters

IOC-based defense is failing. Mandiant's ORB research demonstrates that traditional threat intelligence — blocking known-bad IP addresses and domains — is increasingly ineffective against proxy-based C2. When adversaries cycle through compromised SOHO routers and leased VPS infrastructure on a weekly or daily basis, individual IOCs become stale before they can be operationalized. Mandiant recommends that defenders track ORB networks as evolving entities, similar to how APT groups are tracked, rather than treating proxy infrastructure as static indicators.

Attribution becomes impossible at the network level. When C2 traffic passes through a compromised residential router in suburban Virginia, the traffic's geographic origin provides no intelligence about the actual adversary. Multi-hop proxy chains and ORB networks sever the connection between the traffic's apparent source and the adversary's true location, making network-level attribution meaningless.

Trust boundaries are exploited. Internal proxies exploit the fact that security monitoring is typically focused on north-south traffic (traffic crossing the network perimeter) rather than east-west traffic (traffic between internal systems). By proxying C2 through compromised internal systems, adversaries hide their external C2 connections behind legitimate-looking internal traffic. APT28's Nearest Neighbor Attack exploited the trust boundary between adjacent organizations' Wi-Fi networks, demonstrating that even physical proximity can be weaponized for proxy access.

Scale is increasing. The KV-Botnet enlisted over 3,000 devices during a single restructuring of the botnet in December 2023, and SecurityScorecard reported that it compromised about 30% of all Cisco RV320/325 routers worldwide over a 37-day period. Volt Typhoon rebuilt its botnet infrastructure within months of the FBI's January 2024 takedown, establishing a new cluster that routes traffic through a compromised VPN device in New Caledonia. The scale and resilience of these proxy networks indicate sustained state-level investment in proxy infrastructure.

Real-World Case Studies

Volt Typhoon / KV-Botnet — SOHO Router Proxy Network for US Critical Infrastructure Espionage

The KV-Botnet, documented by Lumen's Black Lotus Labs in December 2023, represents the most extensively analyzed proxy infrastructure linked to a nation-state threat actor. Volt Typhoon (Bronze Silhouette), a Chinese state-sponsored group assessed to be pre-positioning within US critical infrastructure, compromised hundreds of end-of-life SOHO routers — primarily Cisco RV320/325, Netgear ProSAFE, and DrayTek Vigor devices — and chained them into a covert data transfer network. The malware operated entirely in memory, deleted traces from disk, and used random port assignments for C2 communication.

The FBI disrupted the KV-Botnet in January 2024 through a court-authorized operation that sent commands to infected routers to delete the malware and sever the operators' access. Volt Typhoon nevertheless rebuilt its infrastructure by September 2024, establishing a new botnet cluster that routes traffic through a compromised VPN device in New Caledonia, a French territory in the South Pacific. Reconstituting proxy infrastructure within months of a major law enforcement takedown demonstrates the resilience of state-sponsored proxy operations. FBI Director Christopher Wray, testifying to Congress about Volt Typhoon in January 2024, called the PRC cyber threat "the defining threat of our generation", and the group's proxy infrastructure is central to its operational model of blending espionage traffic with legitimate residential internet activity.

Chinese ORB Networks — Industrialized Proxy Infrastructure (2024)

Mandiant's May 2024 research revealed that Chinese cyber espionage groups have industrialized their proxy operations through ORB networks operated by third-party contractors. Unlike traditional C2 infrastructure controlled by a single threat actor, ORB networks are shared services — multiple Chinese APT groups rent access to the same proxy infrastructure. The ORB3 (SPACEHOP) network, for example, serves several China-nexus groups and has exit nodes distributed globally across the US, Europe, and the Middle East. ORB administrators manage the network of compromised nodes (SOHO routers, IoT devices, VPS servers) and contract access to APT groups who use the infrastructure for their own distinct espionage operations. This shared-use model means that tracking a single adversary's infrastructure no longer yields useful attribution, because the same IP addresses may be used by multiple unrelated threat actors on different days.

APT28 / Nearest Neighbor Attack — Wi-Fi Proximity as Internal Proxy (2024)

In November 2024, Volexity published research documenting an APT28 (Fancy Bear) campaign that weaponized adjacent Wi-Fi networks for covert access. Rather than attacking the target's network directly from the internet, APT28 first compromised a neighboring organization's network, then used a dual-homed host there (wired to the neighbor's LAN, with a Wi-Fi adapter in range of the target) to join the target's enterprise Wi-Fi with credentials it had already obtained by password spraying; MFA had blocked those credentials on the target's internet-facing services, but the Wi-Fi did not require it. The neighboring organization served as an internal proxy: traffic reaching the target came from a physically adjacent, trusted-looking source rather than from external infrastructure, and never crossed the target's internet perimeter. This use of T1090.001 shows proxy techniques moving beyond network-layer relays to exploit physical and organizational trust relationships.

Storm-0940 — Compromised Systems as External Proxy via Password Spray (2024)

Microsoft documented Storm-0940, a Chinese threat actor, obtaining credentials from password spray attacks conducted through CovertNetwork-1658, a botnet of compromised SOHO routers (predominantly TP-Link devices) that Microsoft tracks separately from the actors who use it. The botnet gives the spraying traffic residential source addresses and keeps the volume per source to a small number of sign-in attempts per account per day, which defeats both IP reputation and lockout thresholds; Storm-0940 then uses the validated credentials for initial access and follow-on espionage activity. Because nodes continually join and leave the network, the infrastructure turns over faster than IOC-based blocking can follow.

Volt Typhoon — netsh portproxy for Internal Traffic Relay

Beyond its SOHO router botnet, Volt Typhoon uses the built-in Windows netsh interface portproxy command on compromised systems within target networks to create port forwarding rules. These rules relay traffic between internal systems and external C2 infrastructure, letting the group consolidate its connections and route traffic through hosts that have legitimate reasons to communicate externally. The CISA/NSA advisory specifically highlights netsh portproxy as a Volt Typhoon technique and recommends that defenders review hosts for port proxy rules that no administrator can account for. Because netsh is a legitimate Windows utility, its use for port proxying blends with normal administrative activity.

Detection Strategies

Detecting proxy abuse requires moving beyond IOC-based approaches to behavioral and network analysis. When the proxy infrastructure cycles constantly and the traffic mimics legitimate patterns, defenders must focus on anomalous traffic flows, unexpected internal routing patterns, and indicators of proxy tool usage.

Track ORBs like APTs, not like IOCs

Mandiant recommends applying the same deep tactical focus to tracking ORB networks as has been applied to APT groups over the last 15 years. Individual IP addresses are near-useless as indicators because they cycle within days. Instead, defenders should monitor for behavioral patterns: beaconing from enterprise systems toward residential or consumer-ISP address space, connections to hosts that fingerprint as SOHO routers or IoT devices, and anomalous internal traffic routing between systems that should not communicate directly.

Key Monitoring Points

Data Source | What to Monitor | Detection Logic
--- | --- | ---
Network Traffic (Flow) | Internal proxy patterns | Flag systems that receive inbound connections from internal hosts and make corresponding outbound connections to external destinations, a pattern consistent with internal proxy relay. Look for systems acting as "bridges" between internal and external networks
Sysmon Event ID 1 | netsh portproxy commands | Alert on any execution of netsh interface portproxy add or netsh interface portproxy show. Port proxy configuration changes should be rare in normal operations and are a strong indicator of adversarial internal proxy setup
Network Traffic (Flow) | Connections to residential/SOHO IP space | Monitor for outbound connections from enterprise systems to IP addresses in residential or consumer-ISP ASNs, or to hosts fingerprinted as SOHO routers or IoT devices, that exhibit regular beaconing patterns. Router vendors do not own the address space their devices sit in, so enrich by ASN and device fingerprint rather than by manufacturer
Firewall / Proxy Logs | Tor relay connections | Cross-reference outbound connections against the full Tor relay list built from the public consensus (guards included), not only exit-node lists: a host entering Tor connects to a guard, while exit-node lists identify traffic arriving from Tor. Flag any such connections from systems that should not be using anonymization tools
TLS Metadata | Domain fronting indicators | Compare the SNI in the TLS handshake against the Host header recovered by TLS inspection and against the domains the destination IP is known to serve. An SNI/Host mismatch on a shared CDN edge is the fronting signature; a blank SNI to a CDN edge is the "domainless" variant. Expect some benign blank-SNI traffic from legacy clients and IP-literal destinations
Internal Network Traffic | Unusual east-west traffic patterns | Baseline normal internal communication patterns and alert on anomalies: systems connecting to other internal systems they have never previously communicated with, especially if those connections are followed by outbound internet traffic from the destination system
Endpoint / EDR | Proxy tool execution | Flag execution of known proxy tools: htran.exe, chisel, ngrok, frp (Fast Reverse Proxy), earthworm, ssf, reGeorg web tunnels, or plink.exe and ssh.exe with port forwarding arguments (-L, -R, -D)

Splunk Detection Queries

Query 1: netsh portproxy Configuration Changes

Detects Volt Typhoon's signature technique: using netsh to create port forwarding rules for internal traffic relay.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
process_name=netsh.exe CommandLine="*portproxy*"
| eval action=case(like(lower(CommandLine), "% add %"), "add",
                   like(lower(CommandLine), "% delete %"), "delete",
                   like(lower(CommandLine), "% show %"), "show",
                   true(), "other")
| table _time host user action CommandLine parent_process_name
| sort -_time

Query 2: Internal Systems Acting as Traffic Relays

Identifies internal hosts that both receive inbound connections from other internal systems and make outbound connections to external IPs, the two halves of an internal relay. Counting only outbound volume would surface every busy workstation; correlating both directions per host is what separates a relay from ordinary browsing.

index=firewall src_zone="internal" (dest_zone="internal" OR dest_zone="external")
| eval direction=if(dest_zone="external", "outbound", "inbound")
| eval relay_host=if(direction="outbound", src_ip, dest_ip)
| stats dc(eval(if(direction="inbound", src_ip, null()))) as inbound_peers
        dc(eval(if(direction="outbound", dest_ip, null()))) as external_dests
        sum(eval(if(direction="outbound", bytes_out, 0))) as bytes_to_external
        by relay_host
| where inbound_peers >= 5 AND external_dests > 0 AND bytes_to_external > 52428800
| lookup internal_servers_lookup ip as relay_host OUTPUT role
| where isnull(role) OR role!="web_proxy"
| sort -bytes_to_external

Query 3: Connections to Known Tor Infrastructure

Detects outbound connections to Tor relays, indicating potential multi-hop proxy usage. A host joining the Tor network connects to a guard relay, so the lookup must hold the full relay list from the public consensus, not only exit nodes (an exit-node list identifies traffic arriving from Tor, which is the inbound case).

(index=firewall OR index=proxy)
| lookup tor_relays_lookup ip AS dest_ip OUTPUT is_tor
| where is_tor="true"
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip dest_ip dest_port
| sort -count

Query 4: Proxy Tool Execution Detection

Detects execution of common proxy and tunneling tools used by adversaries for traffic relay. plink.exe and ssh.exe are flagged only with forwarding flags (-L local, -R reverse, -D dynamic/SOCKS), since plain SSH use is routine. The OriginalFileName clause catches renamed binaries, but only for tools built with a version resource; Go-built tools such as chisel and frp often carry none, so pair this query with hash- or import-based EDR detections.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name IN (htran.exe, chisel.exe, ngrok.exe, frpc.exe, frps.exe, earthworm.exe, ew.exe, ssf.exe)
  OR (process_name IN (plink.exe, ssh.exe)
      AND (CommandLine="*-R *" OR CommandLine="*-L *" OR CommandLine="*-D *"))
  OR OriginalFileName IN (htran.exe, chisel.exe, ngrok.exe, frpc.exe, earthworm.exe))
| table _time host user process_name OriginalFileName CommandLine parent_process_name process_path
| sort -_time

Known Threat Actors

State-Sponsored Groups

Actor | Attribution | T1090 Usage
--- | --- | ---
Volt Typhoon | China (PRC) | KV-Botnet SOHO router proxy infrastructure; netsh portproxy for internal relay; rebuilt botnet after FBI takedown (2024-2025)
Chinese ORB Networks (ORB3/SPACEHOP) | China (contractors) | Shared proxy infrastructure serving multiple APT groups; globally distributed exit nodes across US, Europe, and Middle East
Storm-0940 | China | Password spraying launched through CovertNetwork-1658, a botnet of compromised SOHO routers, with harvested credentials used for follow-on intrusions (Microsoft, October 2024)
APT28 (Fancy Bear) | Russia (GRU) | Nearest Neighbor Wi-Fi proxy attack; external proxy through compromised servers; Tor for multi-hop C2
APT29 (Cozy Bear) | Russia (SVR) | Domain fronting through CDN services; multi-hop proxy chains; Tor pluggable transports (meek) for C2 obfuscation
APT10 (menuPass) | China | Proxy traffic through compromised managed service providers to mimic legitimate partner network traffic
APT39 (Chafer) | Iran | Internal proxies consolidating C2 from compromised systems in Middle Eastern targets
APT41 | China | Multiple proxy techniques including external proxy infrastructure and multi-hop chains in dual espionage/crime operations
Lazarus Group | North Korea | HOPLIGHT, FALLCHILL, and Dacls RATs with built-in proxy capabilities for multi-hop C2

Tools and Infrastructure

Tool / Infrastructure | T1090 Usage
--- | ---
KV-Botnet | SOHO router botnet (Cisco, Netgear, DrayTek, Axis cameras) used by Volt Typhoon; 3,000+ compromised devices
HTRAN (HUC Packet Transmitter) | Chinese-origin port relay tool enabling connection proxying between attacker and target through a compromised intermediate host
Tor / Meek | Onion routing for multi-hop anonymization; Meek pluggable transport for domain fronting Tor traffic through CDNs
Chisel | Go-based HTTP tunneling tool used for TCP port forwarding through firewalls
ngrok | Commercial tunneling service abused for C2 proxying; creates encrypted tunnels through NAT and firewalls
Fast Reverse Proxy (frp) | Open-source reverse proxy used by Chinese groups (including Volt Typhoon) and others for NAT traversal and C2 tunneling
EarthWorm | SOCKS5 proxy tool used by Volt Typhoon and other Chinese groups for internal network tunneling
Cobalt Strike | External C2 redirectors configured to proxy Beacon traffic through intermediate servers; malleable profiles for domain fronting
Impacket | Network protocol tools with SOCKS proxy capabilities for tunneling traffic through compromised systems

Defensive Recommendations

1. Monitor for netsh portproxy usage

Create high-priority alerts for any execution of netsh interface portproxy add on any system. Port proxy configuration changes are rare in normal operations and are a strong indicator of adversarial proxy setup. Periodically audit all systems for existing portproxy rules with netsh interface portproxy show all and investigate any rule that cannot be attributed to legitimate administrative activity. The rules persist across reboots in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so an audit can also read that key directly (and should, if netsh itself is suspect), and EDR can watch it for writes. This is the most direct defense against Volt Typhoon's internal proxy technique.

2. Retire end-of-life SOHO network devices

The KV-Botnet specifically targeted end-of-life routers that no longer receive security patches. Ensure that all SOHO devices deployed in your environment (including remote worker home routers if managed) are running current firmware and are still within vendor support lifecycles. Replace EOL devices, and consider deploying SASE solutions that route remote worker traffic through monitored infrastructure rather than relying on home router security.

3. Implement east-west traffic monitoring

Internal proxy detection requires visibility into traffic between internal systems. Deploy network detection tools on internal network segments that can identify anomalous communication patterns: systems communicating with other internal systems they have never previously contacted, systems acting as relay points (receiving connections and immediately making corresponding outbound connections), and internal traffic that exhibits C2-like timing patterns.
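Flow-level relay detection, as described in recommendation 3 above, in the "internal proxy patterns" monitoring row and in Splunk Query 2, written out as an added worked example (not from the original page or any vendor): it pairs each inbound internal flow to a host with an outbound external flow from the same host that starts within a short window and carries a similar byte count, which is the signature of a relay that forwards what it receives. The flow records, the RFC 1918 ranges and the thresholds are constructed assumptions; real input would be a NetFlow/IPFIX export or Zeek conn.log reduced to the same five fields.

```python
import ipaddress
from collections import defaultdict

# Assumption: the enterprise uses the RFC 1918 ranges; replace with the real internal allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (assumption: start time in seconds, src/dst, destination port, bytes
# sent by the client). 10.1.2.50 is the planted relay; 10.1.3.5 is a busy file server with an
# unrelated update check hours later; 10.1.1.10 also browses the internet on its own.
FLOWS = [
    dict(ts=1000, src="10.1.1.10", dst="10.1.2.50", dport=8080, bytes=4200),
    dict(ts=1001, src="10.1.2.50", dst="203.0.113.7", dport=443, bytes=4300),
    dict(ts=1010, src="10.1.1.10", dst="198.51.100.20", dport=443, bytes=50000),
    dict(ts=1060, src="10.1.1.11", dst="10.1.2.50", dport=8080, bytes=15000),
    dict(ts=1062, src="10.1.2.50", dst="203.0.113.7", dport=443, bytes=15100),
    dict(ts=1120, src="10.1.1.12", dst="10.1.2.50", dport=8080, bytes=900),
    dict(ts=1121, src="10.1.2.50", dst="203.0.113.7", dport=443, bytes=950),
    dict(ts=1000, src="10.1.1.10", dst="10.1.3.5", dport=445, bytes=800000),
    dict(ts=1005, src="10.1.1.11", dst="10.1.3.5", dport=445, bytes=200000),
    dict(ts=3000, src="10.1.3.5", dst="198.51.100.9", dport=443, bytes=1200),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relays(flows, window=5, size_tolerance=0.25, min_pairs=3):
    """Return {relay_host: summary} for hosts whose inbound internal flows are each followed,
    within `window` seconds, by an outbound external flow of similar size. A relay forwards
    roughly what it receives, so size and timing line up; a file server or a browsing
    workstation shows one half of the pattern but not the other."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for f in flows:
        if not is_internal(f["src"]):
            continue                      # inbound-from-internet is a different detection
        if is_internal(f["dst"]):
            inbound[f["dst"]].append(f)   # internal peer -> candidate relay
        else:
            outbound[f["src"]].append(f)  # candidate relay -> external destination

    results = {}
    for host, ins in inbound.items():
        outs = sorted(outbound.get(host, []), key=lambda f: f["ts"])
        used, pairs = set(), []
        for i in sorted(ins, key=lambda f: f["ts"]):
            for idx, o in enumerate(outs):
                if idx in used or o["ts"] < i["ts"]:
                    continue
                if o["ts"] > i["ts"] + window:
                    break                 # outs are sorted; nothing later can match this inbound
                if abs(o["bytes"] - i["bytes"]) <= size_tolerance * max(i["bytes"], 1):
                    pairs.append((i, o))
                    used.add(idx)         # each outbound flow explains at most one inbound flow
                    break
        if len(pairs) >= min_pairs:
            results[host] = {
                "pairs": len(pairs),
                "inbound_peers": len({p[0]["src"] for p in pairs}),
                "external_dests": sorted({p[1]["dst"] for p in pairs}),
            }
    return results


if __name__ == "__main__":
    for host, summary in find_relays(FLOWS).items():
        print(host, summary)
```

Legitimate web proxies, NAT gateways and jump hosts match this pattern by design, so the result set is a candidate list to diff against the known-proxy inventory, not an alert feed. The byte-size check is deliberately loose: a relay that re-encrypts or wraps traffic in HTTP will inflate it somewhat, and a relay that batches several inbound sessions into one outbound session will defeat pairwise matching altogether, which is why the east-west baselining in recommendation 3 is still needed alongside it.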

4. Block connections to known proxy and anonymization services

Block outbound connections to known Tor entry guards and relay nodes (maintained in public blocklists), known ngrok endpoints, and other commercial tunneling services unless explicitly required for business. While sophisticated adversaries use custom proxy infrastructure, blocking known anonymization services eliminates lower-sophistication proxy usage and forces adversaries to invest more resources in custom infrastructure.

5. Deploy TLS inspection and monitor for domain fronting

Domain fronting exploits the gap between the SNI field (visible to network monitors) and the HTTP Host header (invisible without TLS inspection). Deploy TLS inspection that compares the SNI against the Host header and against the domains the destination IP is known to serve. Flag connections where the SNI is blank, where the SNI does not match the Host header or the expected domain for the destination IP, or where CDN-hosted domains appear in unexpected traffic patterns. Two caveats keep this practical: blank-SNI traffic also comes from legacy clients and IP-literal destinations, so triage it by destination rather than alerting outright, and inspection only works where certificate pinning and privacy constraints allow it, so treat uninspected CDN-bound traffic as a coverage gap rather than as clean.

6. Track ORB networks as entities, not IOCs

Following Mandiant's recommendation, shift from treating proxy infrastructure as static IOCs to tracking ORB networks as evolving entities. Monitor for behavioral patterns: connections to residential ASNs from enterprise systems, beaconing toward hosts that fingerprint as SOHO routers or IoT devices (router vendors do not own the address space their devices sit in, so enrich by ASN and device fingerprint rather than by manufacturer), and connections to VPS infrastructure in unusual geographic locations. Build detection rules around these behavioral indicators rather than specific IP addresses.

7. Restrict outbound connectivity from servers

Servers (domain controllers, database servers, internal application servers) should have strictly limited outbound internet access. Any direct outbound connection from a server to an external IP address should require explicit firewall rules and should be logged and monitored. This prevents compromised servers from being used as external proxy relay points and forces adversaries to route their C2 through workstations that have legitimate internet access — where monitoring is typically stronger.

8. Detect and block proxy tool execution

Deploy application control rules that block execution of known proxy tools (HTRAN, Chisel, EarthWorm, Fast Reverse Proxy, plink with port forwarding flags) on all systems. Monitor for new executables that establish listening sockets and subsequently make outbound connections, a behavioral pattern consistent with proxy tool operation regardless of the specific tool name or binary.

MITRE ATT&CK Mapping

Field | Value
--- | ---
Technique ID | T1090
Technique Name | Proxy
Tactics | Command and Control (TA0011)
Platforms | Windows, Linux, macOS, ESXi, Network Devices
Sub-Techniques | T1090.001 Internal Proxy, T1090.002 External Proxy, T1090.003 Multi-hop Proxy, T1090.004 Domain Fronting
Data Sources | Network Traffic (Flow, Content, Connection Creation), Process (Creation, Network Connection)
Mitigations | Network Intrusion Prevention (M1031), Filter Network Traffic (M1037), SSL/TLS Inspection (M1020)
Version | 3.2 (last modified October 2025)
MITRE Reference | attack.mitre.org/techniques/T1090

Sources and References

  • MITRE ATT&CK — T1090 Proxy: attack.mitre.org
  • Mandiant — IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (May 2024): cloud.google.com
  • Lumen Black Lotus Labs — Routers Roasting on an Open Firewall: The KV-Botnet Investigation: blog.lumen.com
  • Lumen Black Lotus Labs — KV-Botnet: Don't Call It A Comeback (February 2024): blog.lumen.com
  • CISA/NSA — Volt Typhoon: PRC State-Sponsored Cyber Actor Living Off the Land: cisa.gov
  • Volexity — The Nearest Neighbor Attack: How a Russian APT Weaponized Nearby Wi-Fi Networks (November 2024): volexity.com
  • Microsoft — Storm-0940 Uses Credentials from Password Spray Attacks from a Covert Network (October 2024): microsoft.com
  • Red Canary — Top MITRE ATT&CK Techniques: Connection Proxy: redcanary.com
  • US DOJ — US Government Disrupts Botnet PRC Used to Conceal Hacking of Critical Infrastructure (January 2024): justice.gov