216.73.216.170

T1604: Proxy Through Victim

View on MITRE ATT&CK The MITRE Corporation · Published 30/11/2020 15:26 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1604
Confidence
100/100
Revoked
No
Published
30/11/2020 15:26
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Platforms

android

Description

Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot) The most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.

Kill chain phases

Kill chainPhase
mitre-mobile-attack defense-evasion

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references