Tip
There are a number of network tunneling tools available online for managing and interacting with systems across different environments. They allow users to securely connect to remote servers or services through encrypted channels that can bypass network restrictions and firewalls. These tools may also expose local development servers to the internet for testing and sharing. They are widely used for tasks like remote administration and development workflows, offering flexibility in network management.
Important
Cybercriminals can utilize network tunneling tools to create encrypted tunnels, evade detection, and access restricted networks. These tools essentially facilitate command and control for an adversary, helping them to maintain a foothold and orchestrate further malicious activities.
| Tool Name | Threat Group Usage |
|---|---|
| Chisel | BlackSuit, Royal, AvosLocker, Cactus, Yanluowang |
| Cloudflared | BlackSuit, Royal, Akira, Scattered Spider* |
| GOST | Cicada3301 |
| OpenSSH | BlackSuit, Royal, Akira, Scattered Spider*, DarkBit+ |
| Ligolo | AvosLocker, LockBit, *Br0k3r, DarkBit+ |
| Ngrok | Akira, BlackCat, Karakurt, Scattered Spider*, LockBit, *Br0k3r |
| NSOCKS | Scattered Spider* |
| Plink | BlackCat, PLAY, LockBit, Scattered Spider*, DarkSide, Cicada3301 |
| Proxifier | Scattered Spider*, Proxifier |
| Rsocks | Scattered Spider* |
| Socat | Scattered Spider* |
| Sshimpanzee | Scattered Spider* |
| Tailscale | Scattered Spider* |
| Termite | Cuba |
| TrueSocks | Scattered Spider* |
| Windscribe (Wstunnel) | Scattered Spider* |