T1090.001: T1090.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 15/03/2020 00:08 · Modified 14/04/2026 11:51

Essential information

MITRE technique ID: T1090.001
Confidence: 100/100
Revoked: No
Published: 15/03/2020 00:08
Modified: 14/04/2026 11:51
Author / Source: The MITRE Corporation

Aliases

Internal Proxy

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Trend Micro APT Attack Tools
mitre-attack (T1090.001)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (21)

DragonForce uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Velvet Ant uses

The MITRE Corporation Confidence 100

[Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Higaisa uses

The MITRE Corporation Confidence 100

[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SloppyLemming uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Weaver Ant uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
OP-512 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–21 of 21

Duqu uses
POISONPLUG.SHADOW uses

Family
Qilin uses

Family
StarProxy uses

Family
BabyShark - S0414 uses

Family
W32.Stuxnet uses

Family
Cobalt Strike uses

Family
AGENTPSD uses

Family
BurrowShell uses

Family
Gafgyt uses

Family
CHOPSTICK uses
SweetPotato uses

Family

← Previous

Page / 7

1–12 of 75

Attackers Weaponize Microsoft Teams Relays to Stay Hidden related

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
The Gentleman Ransomware | Defense Evasion TTPs Uncovered related

AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect … related

3 CVEs 20 MITREs 1 Malware 25 Observables
Disclosing new PebbleDash-based tools related

AlienVault Confidence 100 20 MITREs 16 Malwares 25 IOCs 25 Observables 1 APT
Iran-Linked Hackers Breached Korean Electronics Maker in Global … related

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned … related

15 MITREs 9 Observables
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government … related

5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
Komari Red: The Monitoring Tool with a Built-in … related

AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Analysis of Attack Activities Using SSH+TOR Tunnels to … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
Q1 2026 Malware Statistics Report for Linux SSH … related

16 MITREs 10 Malwares 1 Observable

← Previous

Page / 2

1–12 of 13

Vulnerabilities (CVE) (13)

CVE-2022-0543 targets

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2023-52271 targets

6.5 Medium

The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …

Attack vector: LOCAL
Published: 08/01/2024
Modified: 16/06/2026

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-26858 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-1055 targets

5.6 Medium

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL …

Attack vector: LOCAL
Published: 11/06/2025
Modified: 16/06/2026

Awaiting Analysis

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2025-49844 targets

9.9 Critical

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a …

Published: 03/10/2025
Modified: 03/10/2025

Received

CVE-2019-16098 targets

7.8 High

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, …

Attack vector: LOCAL
Published: 11/09/2019
Modified: 20/12/2025

CVE-2025-11953 KEV targets

9.8 Critical

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes …

Attack vector: NETWORK
Published: 03/11/2025
Modified: 07/02/2026

Awaiting Analysis

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

← Previous

Page / 2

1–12 of 13

T1090 subtechnique-of

Proxy MITRE

Campaign (3)

SolarWinds Compromise uses
Operation Wocao uses
APT28 Nearest Neighbor Campaign uses

Tool (2)

Mythic uses

The MITRE Corporation Confidence 100

[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed…
Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…

Contact About Legal notice Privacy policy Terms of use