Type
Campaign
Actors
Pub. date
June 30, 2025
Initial access
Password attack
Impact
Resource hijacking
Observed techniques
Observed tools
References
Status
Finalized
Last edited
Jul 2, 2025 8:21 AM
In one attack chain, a Bash script retrieved from 0x0[.]st
was used to install TinyProxy via common package managers like apt
, yum
, or dnf
. The script then modified configuration files to allow unrestricted external access (Allow 0.0.0.0/0
), exposing the proxy service on port 8888. Another variant involved installing Sing-box, a legitimate open-source proxy framework supporting advanced protocols like vmess-argo, vless-reality, and Hysteria2. The attackers issued numerous system reconnaissance commands before executing Sing-box install scripts from GitHub. While Sing-box is often used to bypass geo-blocks for services like ChatGPT or Netflix, in this context it was deployed on unauthorized servers, indicating abuse for illicit purposes.