{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/proxy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["android","rat","mirax","malware-as-a-service","proxy"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mirax RAT is a newly identified Android Remote Access Trojan (RAT) that has been actively targeting users in Europe since March 2026. It\u0026rsquo;s offered as Malware-as-a-Service (MaaS) to a small group of affiliates, primarily Russian-speaking actors, through tiered subscription models. Since December 2025, Mirax has been promoted on underground forums and used in multiple campaigns. The RAT\u0026rsquo;s distribution relies on malicious advertisements on Meta platforms like Facebook, Instagram, and Messenger, with over 200,000 users potentially exposed to these ads. The malware uses dropper pages hosted on GitHub and relies on APK sideloading for execution, bypassing the Google Play Store\u0026rsquo;s security measures. 
Mirax\u0026rsquo;s capabilities extend beyond typical RAT functions, including turning infected devices into residential proxy nodes via a SOCKS5 proxy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates malicious ads on Facebook, Instagram, and Messenger promoting IPTV application services.\u003c/li\u003e\n\u003cli\u003eUsers click on the advertisements, which redirect them to dropper pages hosted on GitHub.\u003c/li\u003e\n\u003cli\u003eThe user is prompted to enable installation from unknown sources on their Android device.\u003c/li\u003e\n\u003cli\u003eThe malicious IPTV application is installed via APK sideloading.\u003c/li\u003e\n\u003cli\u003eThe application initiates a multi-stage infection process, utilizing Golden Encryption (Golden Crypt) to pack the payload.\u003c/li\u003e\n\u003cli\u003eThe payload, an encrypted Dalvik Executable (.dex) file, is decrypted during installation using the RC4 stream cipher with a hardcoded key.\u003c/li\u003e\n\u003cli\u003eMirax gains control of the device, enabling overlay and notification injection for credential theft.\u003c/li\u003e\n\u003cli\u003eAttackers can view the screen in real-time, navigate and control the device, manage applications, exfiltrate images and text, and launch a SOCKS5 proxy connection to proxy traffic through the infected device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mirax RAT campaign has the potential to affect a large number of Android users in Europe. The malicious advertisements have already reached over 200,000 users. Successful infections can lead to credential theft, financial fraud, data exfiltration, and the compromised device being used as a residential proxy, potentially masking malicious activity and further expanding the attacker\u0026rsquo;s reach. 
Banks and financial institutions are specifically highlighted as high-value targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web-proxy and network logs for APK downloads from GitHub-hosted content (github.com and *.githubusercontent.com) and correlate them with Android user agents (Network Connection and User Agent logs).\u003c/li\u003e\n\u003cli\u003eWhere telemetry from managed Android devices is available, alert on package installs that did not originate from Google Play and on unusual parent-child process relationships around the installer (Process Creation Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule published with this brief to detect the execution of applications from untrusted sources, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for SOCKS5 sessions involving Android devices, in particular a device relaying traffic unrelated to its user to external hosts, which indicates it is being used as a residential proxy node (Network Connection Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-mirax-rat/","summary":"Mirax, a new Android RAT distributed as MaaS, is targeting European users, turning infected devices into residential proxy nodes and stealing credentials via overlay and notification injection.","title":"Mirax RAT Targeting Android Users in Europe","url":"https://feed.craftedsignal.io/briefs/2026-04-mirax-rat/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","tunneling","yuze","proxy"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects the execution of Yuze, an open-source tunneling tool written in C, which is commonly used for intranet penetration. 
Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using \u003ccode\u003erundll32\u003c/code\u003e to load \u003ccode\u003eyuze.dll\u003c/code\u003e with the \u003ccode\u003eRunYuze\u003c/code\u003e export. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on identifying processes with command-line arguments indicative of Yuze execution, specifically those involving \u0026ldquo;reverse,\u0026rdquo; \u0026ldquo;-c,\u0026rdquo; \u0026ldquo;proxy,\u0026rdquo; \u0026ldquo;fwd,\u0026rdquo; and \u0026ldquo;-l\u0026rdquo; parameters. This activity has been observed in real-world campaigns, increasing the importance of timely detection and response.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or drops the \u003ccode\u003eyuze.dll\u003c/code\u003e file onto the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute \u003ccode\u003eyuze.dll\u003c/code\u003e, calling the \u003ccode\u003eRunYuze\u003c/code\u003e export.\u003c/li\u003e\n\u003cli\u003eThe command line includes parameters to establish a reverse or forward SOCKS5 proxy tunnel (e.g., \u003ccode\u003erundll32 yuze.dll,RunYuze reverse -c \u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYuze establishes a tunnel to a remote server, allowing the attacker to proxy network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to pivot within the network and access internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may proxy C2 traffic through the tunnel, masking the true origin of the 
commands.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful deployment gives the attacker a covert communication channel that bypasses network security controls and proxies malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. Because the tunnel hides the true origin of the traffic, Yuze also complicates attribution and incident response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Yuze Tunneling via Rundll32\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003eyuze.dll\u003c/code\u003e via \u003ccode\u003erundll32.exe\u003c/code\u003e with the command-line arguments listed above.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line capture (Sysmon Event ID 1, or Windows Security event 4688 with \u0026ldquo;Include command line in process creation events\u0026rdquo; enabled); without the command line the rule cannot match.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003erundll32.exe\u003c/code\u003e executing \u003ccode\u003eyuze.dll\u003c/code\u003e, focusing on the parent process, the user context, and the network connections rundll32 makes. A renamed DLL or export would evade a match on the file or export name, so also hunt for rundll32 loading an unsigned DLL from a user-writable path with tunnel-style arguments.\u003c/li\u003e\n\u003cli\u003eBlock the C2/relay IP or domain found in the \u003ccode\u003e-c\u003c/code\u003e argument at DNS/firewall, as described in the Triage and Analysis section of the rule\u0026rsquo;s note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-yuze-tunneling/","summary":"This alert detects potential protocol tunneling activity via the execution of Yuze, a lightweight open-source tunneling tool often used by threat actors for intranet 
penetration via forward and reverse SOCKS5 proxy tunneling.","title":"Potential Protocol Tunneling via Yuze","url":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["high"],"_cs_tags":["identity","okta","proxy","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting Okta user session starts that originate from anonymizing proxy services. Anonymizing proxies let malicious actors mask their true IP addresses and location, making their activity harder to trace. A proxied Okta login is suspicious because it defeats geolocation-based and network-zone policies and may indicate that stolen credentials are being used from an unexpected location. Defenders should be aware that legitimate users occasionally use anonymizing proxies for privacy reasons, but the activity still warrants close scrutiny. The detection relies on Okta System Log events and the security context Okta attaches to the authentication event.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains valid Okta credentials through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eAttacker configures their network connection to route traffic through an anonymizing proxy service (e.g., Tor, VPN).\u003c/li\u003e\n\u003cli\u003eAttacker initiates an Okta user session using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eOkta system logs record a \u0026ldquo;user.session.start\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;securityContext.isProxy\u0026rdquo; field within the Okta event is set to \u0026ldquo;true\u0026rdquo;, meaning Okta\u0026rsquo;s IP enrichment classified the source address as a known anonymizing proxy.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the Okta account and any associated applications or 
resources.\u003c/li\u003e\n\u003cli\u003eAttacker may then attempt to escalate privileges, access sensitive data, or perform other malicious activities within the Okta environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt lateral movement to other systems within the organization that trust Okta for authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful login with stolen credentials gives the attacker access to the applications and data protected by Okta. This could result in data breaches, financial loss, or reputational damage. Depending on the compromised user\u0026rsquo;s privileges, an attacker may be able to escalate privileges and gain control over critical systems. The number of potential victims depends on the scope of applications using Okta for authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Okta user sessions initiated through anonymizing proxies (logsource: okta, service: okta).\u003c/li\u003e\n\u003cli\u003eInvestigate every alert the rule raises: compare the session\u0026rsquo;s ASN and geolocation with the user\u0026rsquo;s recent history, and check for new device enrollments, factor resets, or password changes in the same session before deciding the proxy use is legitimate.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) so that a stolen password alone does not start a session.\u003c/li\u003e\n\u003cli\u003eMonitor Okta system logs for other suspicious activities, such as failed login attempts or unusual access patterns (references: Okta System Log API).\u003c/li\u003e\n\u003cli\u003eReview and enforce Okta\u0026rsquo;s cross-tenant impersonation prevention and detection measures (references: Okta cross-tenant impersonation article).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-okta-anonymizing-proxy/","summary":"Detection of Okta user sessions initiated through anonymizing proxy services, potentially indicating 
malicious activity or attempts to evade security controls.","title":"Okta User Session Start via Anonymizing Proxy Service","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-anonymizing-proxy/"}],"language":"en","title":"CraftedSignal Threat Feed — Proxy","version":"https://jsonfeed.org/version/1.1"}
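The three log-based checks the briefs above recommend (the Yuze rundll32 command line, the Okta user.session.start with securityContext.isProxy, and the Mirax APK download from GitHub by an Android user agent), written out as an added Python example. This is not code from the CraftedSignal feed or from the Sigma rules it references; the field names follow Sysmon Event ID 1, the Okta System Log, and a generic web-proxy log, and the sample events, hostnames and IP addresses are constructed for illustration.

```python
"""Added example, not from the CraftedSignal feed or its Sigma rules:
the three proxy-related checks the briefs describe, run over constructed
sample events. Field names are assumptions; map them to your SIEM schema."""
from urllib.parse import urlparse

# Command-line tokens the Yuze brief lists as indicative of its execution.
YUZE_TOKENS = {"reverse", "-c", "proxy", "fwd", "-l"}


def is_yuze_rundll32(ev):
    """Sysmon EID 1: rundll32 loading yuze.dll via RunYuze with tunnel args."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith("rundll32.exe"):
        return False
    low = cmd.lower()
    if "yuze.dll" not in low or "runyuze" not in low:
        return False
    return bool(YUZE_TOKENS & set(cmd.split()))


def yuze_relay_target(ev):
    """Value after -c: the relay/C2 endpoint the brief says to block."""
    parts = ev.get("CommandLine", "").split()
    for i, tok in enumerate(parts[:-1]):
        if tok == "-c":
            return parts[i + 1]
    return None


def is_okta_proxy_session(ev):
    """Okta System Log: user.session.start with securityContext.isProxy true.
    Accepts the JSON boolean and the string 'true' some pipelines flatten it to."""
    if ev.get("eventType") != "user.session.start":
        return False
    return (ev.get("securityContext") or {}).get("isProxy") in (True, "true")


def is_android_github_apk(ev):
    """Web/proxy log: .apk fetched from GitHub-hosted content by an Android UA."""
    url = urlparse(ev.get("url", ""))
    host = (url.hostname or "").lower()
    github = host == "github.com" or host.endswith(".githubusercontent.com")
    android = "android" in ev.get("user_agent", "").lower()
    return github and url.path.lower().endswith(".apk") and android


def run_detections(sysmon, okta, web):
    """Return one alert dict per matching event, in input order."""
    alerts = []
    for ev in sysmon:
        if is_yuze_rundll32(ev):
            alerts.append({"rule": "yuze_rundll32", "parent": ev.get("ParentImage"),
                           "block": yuze_relay_target(ev)})
    for ev in okta:
        if is_okta_proxy_session(ev):
            alerts.append({"rule": "okta_proxy_session",
                           "user": ev.get("actor", {}).get("alternateId")})
    for ev in web:
        if is_android_github_apk(ev):
            alerts.append({"rule": "android_github_apk", "src": ev.get("src_ip")})
    return alerts


# Constructed sample events; not real telemetry.
SYSMON = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "rundll32.exe yuze.dll,RunYuze reverse -c 203.0.113.10:8443"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]
OKTA = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "securityContext": {"isProxy": True}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"},
     "securityContext": {"isProxy": False}},
]
WEB = [
    {"src_ip": "192.0.2.7", "url": "https://github.com/example/iptv/releases/download/v1/iptv.apk",
     "user_agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36"},
    {"src_ip": "192.0.2.9", "url": "https://github.com/example/tool/README.md",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for alert in run_detections(SYSMON, OKTA, WEB):
        print(alert)
```

The rule labels are internal to this example; the briefs' own names refer to the published Sigma rules. The Yuze check requires both the DLL/export name and one of the listed tunnel tokens, so it inherits the caveat from the Yuze brief that a renamed DLL evades it; the Okta check tolerates `isProxy` arriving as a string because flattened log pipelines commonly do that.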
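The Mirax brief describes the second stage as an RC4-encrypted .dex decrypted with a hardcoded key. The following added Python example, which is neither Mirax's code nor part of the feed, shows how an analyst recovers and sanity-checks such a payload once the key has been pulled from the dropper: decrypt with RC4, then confirm the Dalvik header before trusting the result. The key, the fake dex header and the encrypted fixture are constructed here, since the feed publishes none of them.

```python
"""Added example, not from the feed or from Mirax: recover an RC4-encrypted
.dex payload with a hardcoded key and verify the dex header before use."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


DEX_MAGIC = b"dex\n"


def looks_like_dex(blob: bytes) -> bool:
    """Header check: b'dex\\n' + three ASCII version digits + NUL (e.g. dex\\n035\\0)."""
    return (len(blob) >= 8 and blob[:4] == DEX_MAGIC
            and blob[4:7].isdigit() and blob[7] == 0)


def recover_payload(blob: bytes, key: bytes):
    """Decrypt the embedded asset; return the .dex bytes only if the header checks out,
    so a wrong key (or a differently packed sample) is reported as None, not garbage."""
    plain = rc4(key, blob)
    return plain if looks_like_dex(plain) else None


# Constructed fixture (assumption, not a real Mirax artifact): a fake dex header
# encrypted with an assumed key stands in for the asset a dropper would carry.
ASSUMED_KEY = b"example-hardcoded-key"
FAKE_DEX = b"dex\n035\x00" + bytes(24)        # magic + zeroed checksum/signature area
ENCRYPTED_ASSET = rc4(ASSUMED_KEY, FAKE_DEX)

if __name__ == "__main__":
    dex = recover_payload(ENCRYPTED_ASSET, ASSUMED_KEY)
    print("recovered dex header:", dex[:8] if dex else None)
```

Once the real key is recovered from the dropper's code or resources, the same routine applies to the packed asset; the header check is what separates a correct key from a near miss, and it is the first thing to run before handing the file to a dex decompiler.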