{
	"id": "162d4b64-6d10-4f7e-b589-1845d30e68b8",
	"created_at": "2026-04-06T00:18:00.158252Z",
	"updated_at": "2026-04-10T03:20:02.006846Z",
	"deleted_at": null,
	"sha1_hash": "79d0b7304af31871b9a9a6c6e4101391acbae482",
	"title": "Defying tunneling: A Wicked approach to detecting malicious network traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65623,
	"plain_text": "Defying tunneling: A Wicked approach to detecting malicious network traffic\nBy susannah.matt@redcanary.com\nArchived: 2026-04-05 16:14:35 UTC\n\nTraffic “tunnels” have long been a concern for security professionals because they allow an adversary to conceal malicious network traffic in ways that make identifying and eradicating them much more challenging. Since most client endpoints today use private IP addresses with Network Address Translation (NAT) to broker their traffic to the internet itself, an adversary cannot simply establish a direct inbound connection to malware running on a NAT-ed endpoint. Therefore, adversaries have started using reverse tunneling tools to provide this functionality.\n\nReverse tunneling tools allow software running on an endpoint to establish an outbound connection to the internet-based tunnel provider, who then provides the “inbound” path to the client system using the reverse tunnel. This technique can often flip the script on the long-held concept of typical traffic behavior.\n\nWith some help from Oz’s favorite team of witches, let’s fly into the world of tunneling techniques commonly used by adversaries to identify exactly how common some of the major tunneling providers are for various threat actors.\nhttps://redcanary.com/blog/threat-detection/network-traffic-tunneling/\nPage 1 of 9\n\nWe’ll also explore another technology often used alongside tunnels: dynamic DNS hostnames. Dynamic DNS provides a consistent hostname to access a host with a changing internet-facing IP address, as is often the case with consumer internet service providers (ISP). If an IP address changes without using a dynamic DNS hostname, connecting to that system becomes a significant challenge.\n\nAs with so many technological developments like these, there are both legitimate and malicious uses, making it tough to identify behavior that is good versus… wicked.\n\nThe Grimmerie (our research process)\n\nFirst, let’s cover the spells (methodology) we used to establish these findings. We searched the public VirusTotal (VT) collection of four variants of malware, specifically focusing on malware with configuration data that VT has parsed and provided for review. Then, we loaded those configuration settings into an analytic tool called Synapse, from the Vertex Project, where we could pivot into a wider set of indicators, including tunneling or dynamic DNS techniques. This allowed us to examine over 150,000 samples from several major malware families and report on the prevalence of their behaviors.\n\nWe should also note that this analysis is ongoing. We’ll examine results collected from four variants of malware so far, covering December 2024. Given those constraints, consider this information as a work in progress that we’ll continue to examine. As our collection expands, the results will become more comprehensive. You could say that we’ve decided to make this our new project and we’re looking forward to seeing which tunnels are the most… popular.\n\nResults: No good DNS goes unpunished\n\nXWorm\n\nThis malware is a versatile one, often used as a remote access tool (RAT). RATs are a common theme in these results because they are generally installed on client systems and the adversary wants to connect back to the malware to use its functionality. RATs are often seen as commodity tools, with command and control (C2) infrastructure that is less durable. This is in contrast to a tool like the ever-popular Cobalt Strike, in which the malware on the victim’s system initiates an outbound connection to a semi-consistent C2 server. An adversary’s longevity in the latter case becomes a weakness since defenders can more easily block traffic involving an identified C2 server. Regardless, the presence of a RAT is almost universally seen as… something bad.\n\nEach of the samples below corresponds to activity during the month of December 2024.\n\nAdversaries running XWorm overwhelmingly prefer ply[.]gg domains. This domain is used by the Playit service, which caters to gamers who want to run their own gaming server from home rather than paying for expensive hosting services. The host runs the Playit client to establish an outbound connection to the Playit server, which then acts as a traffic forwarder. Players connect to the internet-based Playit server, which sends their traffic to the host through the tunnel.\n\nHowever, this service works regardless of what kind of traffic it is forwarding. To Playit, Minecraft’s traffic is the same as that from a RAT like XWorm. From the defender’s perspective, it appears that the malicious traffic originates from Playit’s infrastructure, hiding the true origin.\n\nThe results also reflect a large number of other domains that serve similar purposes, but the ply[.]gg domain is a clear favorite.\n\nAsyncRAT\n\nThe second sample is another RAT: AsyncRAT. This one adds to the complement of typical RAT capabilities, including botnet functionality, credential stealing, and more. Notably, this tool exists as an open source project on GitHub, leaning heavily on a dubious disclaimer that it’s not to be used for nefarious purposes. However, existing on such a public platform means that adversaries of all walks and budgets can benefit from its use. AsyncRAT has been associated with state-level threat actors, vicious ransomware gangs, and entry-level hacking groups.\n\nThis tool is a little more dispersed in its domains than XWorm, but still shows a strong tendency to use duckdns[.]org domains. DuckDNS provides dynamic DNS functionality by redirecting traffic using Amazon AWS resources. However, unlike the Playit service, DuckDNS does not provide any tunneling features. This means an AsyncRAT operator using DuckDNS hostnames would need to include a separate tunneling provider, or rely only on using hosts that have world-routable IP addresses. (Perhaps tunneling wickedness has to be thrust upon it.)\n\nIt’s also interesting to note that several domains are commonly observed across multiple malware variants we discuss here. Again, since the tunneling and dynamic DNS services operate on any kind of traffic, the assortment of providers in these areas is often used heavily by malicious actors of all kinds.\n\nDCRat\n\nThe code for DCRat was cloned from AsyncRAT with a few underlying changes. Despite this common foundation, adversaries using DCRat seem to prefer portmap[.]host dynamic DNS hosting for C2, whereas in AsyncRAT’s distribution that domain was further down the list.\n\nThe varied network behaviors between DCRat and AsyncRAT are useful to differentiate what may be very similar binaries due to their shared parentage.\n\nnjRAT\n\nnjRAT provides a variety of spyware-like and other surveillance functions, including keylogging, camera takeover, filesystem interactivity, and more. Notably, this tool also provides the ability to configure itself for spreading through removable USB drives.\n\nThe njRAT samples also reflected a strong preference for ply[.]gg domains as well as the ddns[.]net domain. This domain is one of several offered by the No-IP service, a legitimate company that provides services to countless administrators and other users. Other domains provided by No-IP are near the top of the list as well, including no-ip[.]biz, no-ip[.]org, and zapto[.]org. This is certainly not a comprehensive list of No-IP-provided domains among the samples, but it does show the tool consistently uses that particular service.\n\nDetecting through life\n\nThese are only four of the countless malware variants that take advantage of tunneling and dynamic DNS hostnames. Let’s now consider how findings like this can be used to improve your overall security posture and operations.\n\nSince most of our samples show a heavy reliance on just a few tunneling and dynamic DNS providers, an obvious option is to start blocking traffic to and from those providers. This requires DNS and/or web proxy visibility, or an endpoint-based capability that can monitor DNS behavior. However, this approach is not a panacea, as the findings above show that some malware has been observed to use numerous domains and providers.\n\nAlmost inevitably, those providers could also include business critical functions that cannot be blocked outright. A recent case involving a state-level adversary showed the threat actor using tunneling features from Microsoft’s Visual Studio Code software, which is extensively used by developers for their daily work. Clearly an outright block of this feature would completely inhibit software developers’ workflows.\n\nTherefore, it may be advisable to block or detect network connections to tunneling or dynamic DNS domains, depending, of course, on your business needs. A good starting point is to consider implementing DNS sinkhole-type controls on dynamic DNS domains that your organization does not use. There are numerous dynamic DNS providers, and a good resource to get started is this list from MISP. If your organization uses dynamic DNS providers, that’s awesome; we’ve run into many that do. Chances are good that you don’t use EVERY provider, though, so a good step for you is to allowlist just the ones you use for your organization, implementing alerting or blocking measures on any others.\n\nWhile the statistics reported here only reflect one short month of data, they provide a useful snapshot. This baseline is a solid starting point from which we can report developments in the future.\n\nYour defense is unlimited\n\nAs with any security control measures, it’s key to understand the scope of the threat and how it may affect your organization. Then, develop a plan that mitigates the risk to you and implement it without significant negative impact to your business or mission needs. Tunneling is but one specific technique to be aware of, but this research provides actionable insight on how it can be managed... for good.\n\nSource: https://redcanary.com/blog/threat-detection/network-traffic-tunneling/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/threat-detection/network-traffic-tunneling/"
	],
	"report_names": [
		"network-traffic-tunneling"
	],
	"threat_actors": [],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79d0b7304af31871b9a9a6c6e4101391acbae482.pdf",
		"text": "https://archive.orkl.eu/79d0b7304af31871b9a9a6c6e4101391acbae482.txt",
		"img": "https://archive.orkl.eu/79d0b7304af31871b9a9a6c6e4101391acbae482.jpg"
	}
}