LIGOLO-NG
LIGOLO
SECURITY TOOL / TECHNIQUE
OPEN SOURCE
Threat Intelligence | Malware | June 4, 2025 | 15 min read

Ligolo-ng: Threat Intelligence Profile

Tunneling/pivoting tool

Ligolo-ng (also known as Ligolo) is a security tool / technique active since 2021. It is a tunneling/pivoting tool. Key characteristics include: TUN interface tunneling, no SOCKS needed, reverse connections, and use both in pentesting and by threat actors.

Overview & Background

Ligolo-ng is a tunneling/pivoting tool, first identified in 2021. Its attribution is listed as open source.

Threat Assessment

Ligolo-ng remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this security tool / technique.

Technical Analysis

Ligolo-ng employs the following capabilities and techniques:

MITRE ATT&CK Mapping

Tactic | Technique | Usage
Initial Access | T1566.001 Phishing Attachment | Common delivery vector
Execution | T1204.002 Malicious File | User-triggered execution
Persistence | T1547.001 Registry Run Keys | Autostart persistence
Defense Evasion | T1027 Obfuscated Files | Payload obfuscation
C2 | T1071.001 Web Protocols | HTTP/HTTPS C2

Detection & Defense

Defend Against Ligolo-ng

Mjolnir Security provides detection and response capabilities against Ligolo-ng and similar threats.

Threat Detection | Incident Response | Threat Hunting | MDR Services | Threat Intelligence
  • Proactive Threat Hunting: Hunt for Ligolo-ng indicators and TTPs within your environment.
  • Threat Intelligence: Monitor Ligolo-ng campaigns and infrastructure changes.
  • 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.
Written by: Mjolnir Security  |  Published: June 4, 2025