APT / THREAT GROUP

SoxAgent

2 aliases
Last seen: Jun 21, 2026

Intelligence Profile

According to TeamT5, SoxAgent is a Linux backdoor that covertly converts compromised hosts into SOCKS5 relay nodes. It maintains a persistent reverse connection to a hardcoded C2 and negotiates AES-encrypted tunnels, enabling the attacker to forward TCP traffic through the victim to conceal their origin. It supports remote updates, self-deletion, and heartbeat reporting with falsified tunnel metrics to enhance stealth. The activity associated with SoxAgent is part of a campaign that deployed the backdoor to form an ORB network tracked as GOBLIN14.

Threat Analysis

SoxAgent is a threat actor of undetermined sophistication and national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.

External References

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

SoxAgent, elf.soxagent

External Intelligence

Malpedia: elf.soxagent

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.