IOX
IOX is a Go-written port-forwarding, intranet proxy, and network tunneling tool used to establish covert communication channels between compromised environments and attacker-controlled infrastructure. The reporting cited on this page describes it being used to create SOCKS5 proxies, HTTPS tunnels, reverse communication channels, and general network tunneling/port forwarding. It has been observed alongside other tunneling tools such as GOST, FRP/FRPS, Wstunnel, SoftEther VPN, and tunnel-core variants.
The cited reporting links IOX to multiple China-aligned espionage operations and threat clusters. ESET reported that Webworm continued using the open-source proxy tools iox and frp in 2025 as part of a broader shift away from traditional RATs toward legitimate, semi-legitimate, and custom proxy tooling; Webworm used these tools together with SoftEther VPN to increase stealth and cover tracks while targeting government entities in Belgium, Italy, Serbia, and Poland, and a university in South Africa. Trend Micro reported SHADOW-EARTH-053 using IOX Proxy to create covert communication channels after exploiting unpatched Microsoft Exchange and IIS systems via the ProxyLogon chain and deploying GODZILLA web shells and ShadowPad; victims included government, defense-adjacent, transportation, technology, and critical infrastructure organizations across South Asia, Southeast Asia, East Asia, and at least one victim in Poland. The cited reporting also states that Cinnamon Tempest used a customized version of the Iox port-forwarding and proxy tool. Unit 42 additionally reported TGR-STA-1030/UNC6619 using IOX with GOST and FRPS during the Shadow Campaigns, which targeted at least 70 government and critical infrastructure organizations across 37 countries.
High-confidence behavior directly described in the cited reporting includes use of IOX for port forwarding, intranet proxying, SOCKS5 proxying, HTTPS tunneling, and reverse communication/tunneling to external infrastructure. No standalone malware-specific indicators of compromise such as hashes, domains, or file paths for IOX itself are provided in that reporting.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
While the group continued to use existing proxy solutions, specifically the Go-written iox (port forwarding and intranet proxy tool) and frp (fast reverse proxy)
Observed tooling included IOX Proxy, GOST, Wstunnel, and multiple tunnel-core.exe variants. These tools established SOCKS5 proxies, HTTPS tunnels, and reverse communication channels to attacker infrastructure.
Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool.
“Network tunneling was achieved using GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.”
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Persistence
2 techniques
We observed the group leveraging the IOX proxy by creating local accounts and setting the LocalAccountTokenFilterPolicy value to 1.
Defense Impairment
1 technique
Lateral Movement
2 techniques
$ proxychains rdesktop 192.168.0.100:3389 ... For example, we forward 3389 port in the intranet to our VPS
This configuration grants full administrative privileges to remote connections from all local administrators... enabling lateral movement via Pass-the-Hash.
Command and Control
6 techniques
Tool for port forward & intranet proxy, just like lcx / ew, but better ...
Start Socks5 server on be-controlled host, then forward to internet VPS ...
./iox proxy -r 1.1.1.1:9999
./iox proxy -l 9999 -l 1080
Listen on 0.0.0.0:8888 and 0.0.0.0:9999, forward traffic between 2 connections
./iox fwd -l 8888 -l 9999 ...
For example, we forward 3389 port in the intranet to our VPS
Several entries mention use of proxy and tunneling tools including PLINK, Venom proxy, GOST reverse proxy, Ligolo, Cloudflared, rsocx reverse proxy, Iox proxy tool, NPS tunneling tool, and AirVPN.
Observed tooling included IOX Proxy, GOST, Wstunnel, and multiple tunnel-core.exe variants. These tools established SOCKS5 proxies, HTTPS tunnels, and reverse communication channels to attacker infrastructure.
“Network tunneling was achieved using GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.”
What's more, iox provides traffic encryption feature (it's useful when there is an IDS on target) ... traffic between be-controlled host and our VPS:8888 will be encrypted ... then encrypt with Xchacha20
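The Persistence, Lateral Movement and Command and Control entries above describe three host-observable behaviours: iox "proxy"/"fwd" invocations with -l/-r arguments, proxychains pivoting, and LocalAccountTokenFilterPolicy being set to 1. The following is an added detection example written for this page, not code from any vendor report, from Mallory, or from the iox project. It runs a small rule set over constructed endpoint events in a simplified key=value line format that loosely mirrors Sysmon process-create (id=1) and registry-set (id=13) records; the host names, users, paths and the 203.0.113.10 address are all constructed, the event format is an assumption, and the optional "*" prefix accepted before the -l/-r value is taken from iox's README rather than from this page.

```python
"""Toy detection pass for the IOX-related behaviours listed on this page.
Hypothetical example: event format, rule names and sample events are all
constructed for illustration, not taken from real telemetry."""
import re
from dataclasses import dataclass

# Constructed sample events (simplified Sysmon-like key=value lines).
# id=1 ~ process creation, id=13 ~ registry value set.
SAMPLE_EVENTS = [
    'id=1 host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe report.txt"',
    # iox renamed to a benign-looking binary; the argument shape still gives it away
    'id=1 host=WS01 user=CORP\\svc_backup image=C:\\Users\\Public\\svchost.exe cmd="svchost.exe proxy -r 203.0.113.10:9999"',
    'id=1 host=SRV02 user="NT AUTHORITY\\SYSTEM" image=C:\\ProgramData\\iox.exe cmd="iox.exe fwd -l 8888 -l 9999"',
    'id=13 host=SRV02 user=CORP\\svc_backup target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy details="DWORD (0x00000001)"',
    # same policy key path, different value: must not fire
    'id=13 host=WS03 user=CORP\\admin target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA details="DWORD (0x00000001)"',
    'id=1 host=LNX01 user=www-data image=/usr/bin/proxychains cmd="proxychains rdesktop 192.168.0.100:3389"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    evidence: str


# key=value pairs; values with spaces are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# iox syntax from the quotes above: "proxy -r host:port", "proxy -l p -l p",
# "fwd -l p -l p". Matching on the argument shape rather than the file name
# survives the binary being renamed. The optional '*' prefix is iox's
# encryption marker (assumption taken from the tool's README).
IOX_ARGS = re.compile(r'(?i)\b(proxy|fwd)(?:\s+-[lr]\s+\*?[\w.:\[\]]+)+')
PROXYCHAINS = re.compile(r'(?i)(^|[\\/\s])proxychains\d?(\s|$)')
LATFP_KEY = 'LocalAccountTokenFilterPolicy'


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}


def detect(event: dict) -> list:
    """Apply the three rules to one parsed event and return any findings."""
    findings = []
    host, user = event.get('host', '?'), event.get('user', '?')
    if event.get('id') == '1':
        cmd = event.get('cmd', '')
        if IOX_ARGS.search(cmd):
            findings.append(Finding('iox_tunnel_cmdline', host, user, cmd))
        if PROXYCHAINS.search(cmd):
            findings.append(Finding('proxychains_pivot', host, user, cmd))
    elif event.get('id') == '13':
        target = event.get('target', '')
        # Only the exact value name, set to 1: disables remote UAC token
        # filtering for local admin accounts (the Persistence entry above).
        if target.endswith('\\' + LATFP_KEY) and '0x00000001' in event.get('details', ''):
            findings.append(Finding('latfp_enabled', host, user, target))
    return findings


def run(lines=SAMPLE_EVENTS) -> list:
    """Run every rule over every line and return the findings in order."""
    out = []
    for line in lines:
        out.extend(detect(parse_event(line)))
    return out


if __name__ == '__main__':
    for f in run():
        print(f'{f.rule:22} {f.host:6} {f.user:24} {f.evidence}')
```

Run stand-alone it reports the two iox invocations, the LocalAccountTokenFilterPolicy change on SRV02 and the proxychains pivot, and stays silent on notepad and on the EnableLUA write. In a real deployment the same three rules map naturally to Sigma process_creation and registry_set rules; the argument-shape match is deliberately looser than a file-name match because the page's own reporting shows the tool being customized and run under other names.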
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An existing Go-written port forwarding and intranet proxy tool used by Webworm as part of its proxy infrastructure.
A tunneling/proxy tool used to establish covert outbound communications, including SOCKS5 proxying and reverse channels, to maintain persistence and operational redundancy.
A proxy tool used to create covert communication channels within the intrusion.
Tunneling/pivoting tool used to route traffic and facilitate lateral movement within victim networks.