APT / THREAT GROUP
SoxAgent
2 aliases
Last seen: Jun 21, 2026
Intelligence Profile
According to TeamT5, SoxAgent is a Linux backdoor that covertly turns compromised hosts into SOCKS5 relay nodes. It maintains a persistent reverse connection to a hardcoded C2 and negotiates AES-encrypted tunnels over that connection, so the operator can forward arbitrary TCP traffic through the victim and conceal the true origin of the traffic. It also supports remote updates, self-deletion, and heartbeat reporting; the heartbeats carry falsified tunnel metrics to make the relay activity look less suspicious. The activity associated with SoxAgent is part of a campaign that deployed the backdoor to build an ORB (operational relay box) network tracked as GOBLIN14.
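Because the tunnel between the victim and the C2 is AES-encrypted, the SOCKS5 handshake itself is not visible on the wire; what a defender can see on the host is the shape of the traffic: one process holding a single long-lived outbound connection (the reverse channel to the hardcoded C2) while opening many short outbound connections to unrelated external destinations (the traffic being relayed). The following is an added detection example, not code from TeamT5, Malpedia, or this profile. The record format, the process names, the addresses (RFC 5737 documentation ranges standing in for public IPs) and the thresholds are all constructed assumptions.

```python
"""Relay-node (ORB) heuristic over per-process outbound connection records.

Added example, not from the TeamT5 report or this profile. Flags a process
that has BOTH a long-lived outbound connection to an external host (the
reverse C2 channel) AND short connections to many distinct external hosts
(traffic forwarded on the operator's behalf). Log format and thresholds are
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed record format: <open_epoch> <duration_s> <pid> <comm> <dst_ip> <dst_port>
# Constructed sample data; documentation ranges stand in for public IPs.
SAMPLE_LOG = """\
# pid 4242: long-lived channel plus fan-out (relay shape)
1719000000 86400 4242 procA 203.0.113.10 443
1719000100     2 4242 procA 198.51.100.20 443
1719000130     4 4242 procA 198.51.100.21 443
1719000170     1 4242 procA 192.0.2.7 80
1719000200     3 4242 procA 192.0.2.8 443
1719000260     5 4242 procA 198.51.100.22 443
1719000300     2 4242 procA 198.51.100.20 443
1719000350     2 4242 procA 192.0.2.9 8080
# pid 9001: fan-out only, no persistent channel (e.g. a crawler)
1719000000     2 9001 curl 198.51.100.30 443
1719000010     2 9001 curl 198.51.100.31 443
1719000020     2 9001 curl 198.51.100.32 443
1719000030     2 9001 curl 198.51.100.33 443
1719000040     2 9001 curl 198.51.100.34 443
1719000050     2 9001 curl 198.51.100.35 443
# pid 1337: persistent channel only (e.g. a legitimate monitoring agent)
1719000000 86400 1337 agent 203.0.113.50 443
# pid 2000: persistent plus fan-out, but every destination is internal
1719000000 86400 2000 backupd 10.0.0.5 443
1719000010     3 2000 backupd 10.0.0.6 445
1719000020     3 2000 backupd 10.0.0.7 445
1719000030     3 2000 backupd 10.0.0.8 445
1719000040     3 2000 backupd 10.0.0.9 445
1719000050     3 2000 backupd 10.0.0.10 445
"""

# Only RFC 1918 and loopback count as internal here, so the documentation
# ranges in the sample are treated as external (ipaddress.is_global would not).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Conn:
    opened: int
    duration: int
    pid: int
    comm: str
    dst_ip: str
    dst_port: int


def parse_log(text):
    """Parse the assumed whitespace-separated format; skip blank and comment lines."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opened, dur, pid, comm, ip, port = line.split()
        conns.append(Conn(int(opened), int(dur), int(pid), comm, ip, int(port)))
    return conns


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(conns, min_persist=3600, min_fanout=5):
    """Return {pid: summary} for processes showing relay shape.

    min_persist: seconds a connection must last to count as the C2 channel.
    min_fanout:  distinct external destinations of short connections needed.
    Both are assumed tuning knobs, not values from the report.
    """
    by_pid = defaultdict(list)
    for c in conns:
        if is_external(c.dst_ip):          # internal traffic never counts
            by_pid[c.pid].append(c)

    hits = {}
    for pid, lst in by_pid.items():
        persistent = [c for c in lst if c.duration >= min_persist]
        fanout = {c.dst_ip for c in lst if c.duration < min_persist}
        if persistent and len(fanout) >= min_fanout:
            longest = max(persistent, key=lambda c: c.duration)
            hits[pid] = {
                "comm": longest.comm,
                "persistent_peer": f"{longest.dst_ip}:{longest.dst_port}",
                "persistent_seconds": longest.duration,
                "fanout_destinations": len(fanout),
            }
    return hits


if __name__ == "__main__":
    for pid, info in find_relay_candidates(parse_log(SAMPLE_LOG)).items():
        print(pid, info)
```

On the constructed sample only pid 4242 is flagged: the crawler has fan-out but no persistent channel, the agent has a persistent channel but no fan-out, and the backup daemon is excluded because all of its peers are internal. In practice the persistent peer of a hit is the candidate hardcoded C2 address, and the thresholds need tuning against the host's normal baseline (proxies, crawlers and mail relays produce similar shapes legitimately).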
Threat Analysis
SoxAgent is a malware family (a Linux ELF backdoor) rather than a threat actor in its own right. The sophistication, national origin, and motivation of the operators behind it are not established in the available intelligence; the only attributed context is its use in building the GOBLIN14 relay network.
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As: SoxAgent, elf.soxagent
External Intelligence
Malpedia: elf.soxagent
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.