gost
GOST is a proxy and tunneling tool observed in multiple intrusion sets as attacker infrastructure rather than as a standalone malware family. In the provided reporting, it was used to establish SOCKS5 proxies, HTTPS tunnels, reverse communication channels, and persistent tunnels that exposed internal services and maintained reliable external access from compromised environments. It was deployed alongside other tunneling utilities including FRP/frps, IOX Proxy, Wstunnel, and tunnel-core.exe variants.
The content links GOST to several threat contexts. Trend Micro reported its use in the China-aligned cyberespionage cluster SHADOW-EARTH-053 after exploitation of legacy Microsoft Exchange and IIS systems, including ProxyLogon vulnerabilities, where operators used GOST as part of post-compromise covert communications and operational redundancy. Elastic Security Labs documented TeamPCP using gost and frps inside compromised container and Kubernetes environments to proxy traffic and maintain persistent tunnels during multi-stage cloud-native intrusions. Separate reporting on the PCPcat campaign states that compromised Next.js servers downloaded scripts that installed GOST SOCKS5 proxy software and FRP reverse tunneling tools, with persistence implemented through auto-restarting systemd services including names such as pcpcat-gost.service.
Observed behaviors in the content include installation of GOST on compromised servers, use for SOCKS5 proxying, use inside containerized workloads, and long-lived deployment as attacker infrastructure. VulnCheck’s infrastructure analysis noted that GOST proxies often remained online for extended periods, with a reported median duration of 48 days and some instances persisting through a full 90-day observation window, indicating its role as durable operational infrastructure for threat actors. High-confidence indicators directly mentioned in the content include execution or installation references to GOST, persistent service naming such as pcpcat-gost.service, and association with attacker infrastructure at 67.217.57.240 in the PCPcat reporting where proxy and tunneling tooling was downloaded.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Observed tooling included IOX Proxy, GOST, Wstunnel, and multiple tunnel-core.exe variants. These tools established SOCKS5 proxies, HTTPS tunnels, and reverse communication channels to attacker infrastructure.
Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Multiple groups “obtained and used” publicly available/open-source tools (e.g., APT28 used Koadic/Mimikatz/Responder; APT29 used Mimikatz/SDelete/Tor/meek/Cobalt Strike; many others acquired tools such as PsExec, Impacket, Metasploit, etc.).
Initial Access (2 techniques)
Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments.
The primary payload, tplink_stager.sh, was designed for post-exploitation of CVE-2024-21833, an OS command injection vulnerability affecting TP-Link Archer and Deco series routers.
Persistence (2 techniques)
Tunneling tools: TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments.
Privilege Escalation (1 technique)
Command and Control (7 techniques)
TeamPCP uses frps (fast reverse proxy) and gost for establishing persistent tunnels and proxying through compromised container environments.
Access entirety of Workstation A's private LAN (Socks4/4a/5 proxy):
$ gs-netcat -l -S      # Workstation A (EXIT)
$ gs-netcat -p 1080    # Workstation B
Several entries mention use of proxy and tunneling tools including PLINK, Venom proxy, GOST reverse proxy, Ligolo, Cloudflared, rsocx reverse proxy, Iox proxy tool, NPS tunneling tool, and AirVPN.
Downloading microsocks binaries, GOST, FRP, and scanner modules from C2.
ShadowLink on port 7443; TeamPCP staging on 666, FRP on 888.
TeamPCP FRP reverse tunnel from victim SOCKS5 to C2:890.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, consisting of file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A tunneling/proxy framework used for covert communications and persistence inside victim networks.
Used by TeamPCP to establish persistent tunnels and proxy traffic through compromised container environments.
Used for establishing persistent tunnels and proxying through compromised container environments.
Tunneling/proxy tool used to establish connectivity, relay traffic, and maintain external access from compromised containers.