S0040: HTRAN
Analyst context for executives and security teams
HTRAN matters because it is a connection-proxying tool that can help an operator interact with victim networks while obscuring their true location. For leaders, the business issue is not the tool name alone; it is whether the organization can see and investigate unusual proxying, port-forwarding, and hidden network paths on Linux and Windows systems before they undermine incident scoping and response decisions.
Executive priority
Prioritize validation of network visibility, endpoint telemetry, and incident response playbooks for proxy-based command-and-control and stealth behaviors. ATT&CK links HTRAN to Proxy, Process Injection, and Rootkit techniques, so the practical question for risk owners is whether SOC and IR teams can distinguish authorized relays and administrative tunneling from unexpected intermediaries that could mask adversary access. This is especially relevant for resilience, audit evidence, and investigations where source attribution, session tracing, and host integrity matter.
Technical view
HTRAN is documented for Linux and Windows and is associated through ATT&CK relationships with T1090 Proxy, T1055 Process Injection, and T1014 Rootkit. Because MITRE provides no specific detection guidance for this software object, defenders should validate coverage behaviorally: unexpected listener processes, traffic relay patterns, unusual inbound-to-outbound connection chaining, suspicious parent-child process activity, injected-process indicators where available, and signs that processes, services, files, or network connections are being hidden. Relationship context shows use by APT12 and GALLIUM, but local detection should focus on the observable behaviors rather than assuming attribution.
Likely telemetry
- Network flow records showing internal hosts acting as intermediaries or relays
- Firewall, proxy, VPN, and perimeter logs for unusual source/destination chaining
- Endpoint process creation and command-line telemetry on Linux and Windows
- Listening port and service inventory data
- EDR telemetry for process injection or abnormal process memory behavior
Detection direction
- Build or validate detections for hosts that unexpectedly accept inbound connections and initiate outbound sessions to separate destinations in a relay-like pattern.
- Tune allowlists carefully for legitimate administrative proxies, jump hosts, load balancers, and remote support tooling to reduce false positives.
- Correlate network relay behavior with endpoint process, service, and listening-port data; network-only visibility may miss process injection or rootkit-related hiding.
- Investigate mismatches between network observations and host-reported process or socket listings, as this can indicate stealth consistent with the related Rootkit technique.
- Use the related Proxy technique as the primary detection anchor, with Process Injection and Rootkit telemetry as escalation context rather than as guaranteed HTRAN indicators.
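The first and fourth directions above (relay-like chaining, and host socket listings that disagree with the network) can be checked with a short script over flow records and an `ss -tn` snapshot. The example below is added here and is not part of the ATT&CK object or any vendor tooling; every address, port, timestamp and socket line in it is constructed, the 30-second chaining window is an assumed tuning value, and "internal" is defined as RFC 1918 membership rather than Python's `is_private`, which would also class the documentation range used for the external peer as private.

```python
"""Relay-chain and hidden-socket checks over constructed telemetry (added example).
1. A host accepts an inbound connection and shortly afterwards opens an outbound
   session to a different peer (relay pattern).
2. Connections seen on the wire are absent from the host's own socket listing,
   the symptom a connection-hiding rootkit would produce."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical internal host under investigation (not from the page or any real case).
RELAY_HOST = "10.0.0.5"
WINDOW_SECONDS = 30.0  # assumed chaining window; tune against local baselines
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float    # flow start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed flow records. 203.0.113.7 (a documentation range) stands in for an
# external address; 10.0.2.20 and 10.0.9.1 are hypothetical internal servers.
FLOWS = [
    Flow(1000.0, "203.0.113.7", 40111, RELAY_HOST, 8443, 51200),  # external -> relay host
    Flow(1002.5, RELAY_HOST, 51234, "10.0.2.20", 3389, 50880),    # relay host -> internal RDP
    Flow(2000.0, "10.0.0.9", 50222, RELAY_HOST, 22, 9000),        # admin SSH in, nothing chained
    Flow(3000.0, RELAY_HOST, 50333, "10.0.9.1", 443, 120000),     # outbound with no inbound trigger
]

# Constructed `ss -tn`-style listing, assumed captured while all four flows were live.
# Both relay legs are missing, which is what connection hiding on the host looks like.
HOST_SOCKETS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.5:22          10.0.0.9:50222
ESTAB  0      0      10.0.0.5:50333       10.0.9.1:443
"""


def is_internal(addr: str) -> bool:
    """RFC 1918 membership. ipaddress.is_private is deliberately not used because
    it also reports documentation ranges such as 203.0.113.0/24 as private."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_relay_chains(flows, host, window=WINDOW_SECONDS):
    """Pair each inbound flow to `host` with any outbound flow `host` starts within
    `window` seconds to a peer other than the inbound source."""
    inbound = [f for f in flows if f.dst == host]
    outbound = [f for f in flows if f.src == host]
    chains = []
    for i in inbound:
        for o in outbound:
            if o.dst == i.src:
                continue  # same peer both ways is an ordinary exchange, not a relay
            if 0.0 <= o.ts - i.ts <= window:
                chains.append({
                    "inbound": i,
                    "outbound": o,
                    # classic proxy hop shape: one leg outside the network, one inside
                    "crosses_boundary": is_internal(i.src) != is_internal(o.dst),
                })
    return chains


def parse_ss_output(text: str) -> set:
    """Extract (local_ip, local_port, peer_ip, peer_port) from an IPv4 `ss -tn` listing."""
    conns = set()
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        lip, lport = parts[3].rsplit(":", 1)
        pip, pport = parts[4].rsplit(":", 1)
        conns.add((lip, int(lport), pip, int(pport)))
    return conns


def find_hidden_connections(flows, host, ss_text):
    """Flows touching `host` that the host's own socket listing does not report."""
    reported = parse_ss_output(ss_text)
    hidden = []
    for f in flows:
        if f.dst == host:
            key = (host, f.dport, f.src, f.sport)
        elif f.src == host:
            key = (host, f.sport, f.dst, f.dport)
        else:
            continue
        if key not in reported:
            hidden.append(f)
    return hidden


if __name__ == "__main__":
    for c in find_relay_chains(FLOWS, RELAY_HOST):
        print("relay chain:", c["inbound"].src, "->", RELAY_HOST, "->", c["outbound"].dst,
              "(crosses boundary)" if c["crosses_boundary"] else "")
    for f in find_hidden_connections(FLOWS, RELAY_HOST, HOST_SOCKETS):
        print("not reported by host:", f)
```

Two caveats for real use: the socket comparison is only meaningful when the host snapshot is taken while the flows are still active, otherwise every completed session looks "hidden"; and jump hosts, load balancers and remote-support relays will legitimately produce chains, so the allowlist called for above has to be applied before alerting on the output.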
Mitigation priorities
- Maintain an approved inventory of legitimate proxies, relays, jump hosts, and remote administration pathways.
- Restrict unnecessary inbound listening services and outbound network paths from servers and workstations.
- Segment networks so ordinary endpoints cannot freely act as traffic intermediaries between sensitive zones and external destinations.
- Ensure endpoint monitoring is deployed and tamper-resistant on Linux and Windows systems that could be abused as relay points.
- Prepare IR procedures to preserve network flow, endpoint process, and host integrity evidence needed to reconstruct proxied sessions.
Analyst notes and limits
The supplied ATT&CK object identifies HTRAN as a publicly reported tool used to proxy connections through intermediate hops and disguise geographic location. ATT&CK relationship context links it to APT12 and GALLIUM and to Proxy, Process Injection, and Rootkit techniques. Those relationships are useful for defensive prioritization, but they should not be treated as proof of current activity or attribution in a local environment.
MITRE provides no official detection text for this software object and no ATT&CK tactics directly on the tool object; the only alternate name present is the "HUC Packet Transmit Tool" entry recorded in its external references. Detection and mitigation recommendations therefore rely on the supplied description, platforms, external references, and stated ATT&CK relationships. Local baselines are required to separate malicious proxying from approved network administration and infrastructure operations.
HTRAN
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090 | Proxy | HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure. [1][2] |
| Enterprise | T1014 | Rootkit | HTRAN can install a rootkit to hide network connections from the host OS. [2] |
| Enterprise | T1055 | Process Injection | HTRAN can inject into running processes. [2] |
Groups, software, and campaigns
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
G0005: APT12
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 2f1019dffdab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Operation Quantum Entanglement. Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 17, 2024.
- [2] NCSC Joint Report Public Tools. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- [3] HUC Packet Transmit Tool. Alternate name for HTRAN recorded in the object's external references; cites Operation Quantum Entanglement.
- [4] mitre-attack S0040. MITRE ATT&CK software entry for HTRAN.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.