SmuxProxy
SmuxProxy is a custom proxy utility used by the China-aligned Webworm APT group (also tracked as Space Pirates and UAT-8302). It is described as a utility based on iox, a port-forwarding and intranet proxy tool, and specifically as a custom iox variant with a hardcoded IP. In ESET reporting on Webworm's 2025 activity, SmuxProxy was one of several custom proxy tools used alongside WormFrp, ChainWorm, and WormSocket, supplementing the group's broader use of proxy and VPN infrastructure. ESET assessed that the breadth and complexity of these proxy tools suggest Webworm may be building a larger covert proxy network from compromised systems to increase stealth and cover its tracks.

The malware was observed as dsocks.exe and detected by ESET as WinGo/Riskware.Iox.L; the associated SHA-1 hash is A3C077BDF8898E612CCD65BC82E7960834ADB2A9. Infrastructure tied to SmuxProxy includes servers at 64.176.85[.]158 and 104.243.23[.]43, both identified as SmuxProxy servers, and 144.168.60[.]233, which was identified as a reverse shell IP discovered on a SmuxProxy server.

Reporting places SmuxProxy within Webworm operations targeting government organizations in Europe and a university in South Africa during 2025, but the available reporting does not specify SmuxProxy-specific infection vectors beyond its role as a proxy utility within the intrusion set.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group expanded its use of proxy tools. Existing proxy capabilities were supplemented with custom tools including WormFrp, ChainWorm, SmuxProxy, and WormSocket.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: Servers for WormFrp, SmuxProxy, and WormSocket are hosted on cloud services operated on Vultr and IT7 Network ASNs.
Execution
1 technique: 144.168.60[.]233 ... Reverse shell IP discovered on SmuxProxy server.
Command and Control
4 techniques: WormFrp proxy tool. ... ChainWorm proxy tool. ... WormSocket proxy tool. ... SmuxProxy, a custom iox with hardcoded IP.
WormFrp, ChainWorm, WormSocket, SmuxProxy, and GraphWorm have the capability to connect to external proxies.
These custom proxy tools are not only capable of encrypting communications, but also support chaining across multiple hosts, both inside and outside a network.
This confirms the actor delivers tools through operator-controlled open directories, not mass-mail or drive-by chains.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A customized iox-based proxy utility with hardcoded server IP and port, plus support for generating random keys and IVs for encrypted communications.
A custom proxy tool used by Webworm as part of expanded proxy capabilities and likely hidden network infrastructure.