ProxyBlob – SOCKS5 Over Azure Blob Storage for Covert Network Tunneling
ProxyBlob is an open-source tool developed by Quarkslab that creates a SOCKS5 proxy tunnel through Azure Blob Storage to get past outbound restrictions in locked-down environments. It supports TCP and UDP transport, encrypts the data channel by default, and is intended for red-team penetration testing and security validation. 2025-06-16 12:00:34 Author: www.darknet.org.uk

ProxyBlob is an open-source tool by Quarkslab that creates a SOCKS5 proxy tunnel through Azure Blob Storage. It’s designed for restricted environments where outbound connectivity is limited to trusted cloud services such as *.blob.core.windows.net.


A threat operator or pen tester deploys a lightweight agent inside the target network and a proxy on their local machine. The two communicate by writing and reading blobs, effectively tunnelling TCP and UDP traffic covertly through Azure’s object storage service.


Core Features

  • Full SOCKS5 support, including CONNECT, UDP ASSOCIATE, IPv6
  • Encrypted data channels using ChaCha20-Poly1305 by default
  • Local proxy server, no inbound listener required
  • Compatible with Azure Blob and Azurite for local testing

Installation & Setup

On Fedora/Debian:

git clone https://github.com/quarkslab/proxyblob
cd proxyblob
make

This produces two binaries:

  • proxy: you run this on your local machine
  • agent: you run this inside the restricted environment

Create an Azure storage account or use Azurite locally, then configure (the storage_url entry points at the local Azurite endpoint; omit it when using real Azure):

{
  "storage_account_name": "yourname",
  "storage_account_key": "EARLIER_GENERATED_KEY",
  "storage_url": "http://localhost:10000/"
}

Real-World Use Cases

1. Red Team Covert Access

During an “assumed breach” assessment, Quarkslab identified outbound Azure Blob access allowed from internally restricted contexts. By deploying ProxyBlob, operators tunnelled remote desktop sessions covertly, bypassing traditional firewall restrictions.

2. Testing Environment Evaders

Security teams use ProxyBlob to verify how easily compromised hosts could exfiltrate data via sanctioned services like Azure Blob Storage. It highlights gaps in zero-trust and internal flow segmentation.

3. Local Testing with Azurite

Developers and auditors can run ProxyBlob locally using Azurite, Microsoft’s open-source storage emulator. This supports safe proof-of-concept testing for red/blue teams.


Performance & Limitations

ProxyBlob is not a high-speed channel; it achieved ~1.5 Mbps transfers across regions in tests, a rate sufficient for file transfers, interactive shell sessions, or RDP within internal networks.

Workload optimisation involves choosing storage locations closest to the agent and proxy to reduce latency.


Operational Considerations

  • OPSEC hygiene: containers and tokens should be rotated regularly to avoid reuse
  • Firewall monitoring: requests to blob.core.windows.net may appear benign, but could indicate covert channels
  • Credential hygiene: minimise SAS token scope and lifetime
  • Audit logs: review storage access logs for unusual agent interactions
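The “firewall monitoring”, “audit logs” and “credential hygiene” bullets above can be turned into concrete checks. The following is an added example, not ProxyBlob’s own code: it flags internal hosts whose *.blob.core.windows.net traffic is a steady read-and-write polling loop (the edge-visible shape of a blob-backed tunnel), and it audits a SAS URL’s standard query parameters (ss, sp, se) against a local scope-and-lifetime policy. The log line format, host names, container names, IP addresses and policy thresholds are all constructed for this example.

```python
"""Defender-side checks for blob-storage covert channels.

Added example; this is not ProxyBlob's code. It turns the page's
"firewall monitoring", "audit logs" and "credential hygiene" bullets into code:

  * detect_blob_beaconing(): over egress-proxy log lines, find internal hosts
    that read AND write *.blob.core.windows.net at a steady, high rate, which
    is what a blob-backed SOCKS tunnel looks like from the network edge.
  * audit_sas(): flag SAS URLs whose scope or lifetime exceeds a local policy.

The log format ("<ISO-8601 time> <src_ip> <method> <url>") and every sample
value below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"

# Constructed reference time and SAS URLs used by the demo and its checks.
SAMPLE_NOW = datetime(2025, 6, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_BROAD_SAS = ("https://examplestore.blob.core.windows.net/?sv=2024-05-04&ss=b&srt=sco"
                    "&sp=rwdlac&se=2026-01-01T00:00:00Z&sig=PLACEHOLDER")
SAMPLE_TIGHT_SAS = ("https://examplestore.blob.core.windows.net/chan/blob0?sv=2024-05-04"
                    "&sr=b&sp=r&se=2025-06-16T13:00:00Z&sig=PLACEHOLDER")


def parse_log_line(line):
    """Split one constructed log line into (time, src_ip, method, host)."""
    ts, src, method, url = line.split(maxsplit=3)
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t, src, method, (urlsplit(url).hostname or "").lower()


def detect_blob_beaconing(lines, min_requests=20, max_jitter=0.5):
    """Return {src_ip: summary} for hosts whose blob traffic looks like a polling loop.

    Heuristic: many requests, both reads (GET) and writes (PUT), and inter-request
    gaps with low relative jitter (population stdev / mean). A few occasional
    downloads from a package mirror will not trip it; a tunnel agent will.
    """
    by_src = defaultdict(list)
    for line in lines:
        t, src, method, host = parse_log_line(line)
        if host.endswith(BLOB_SUFFIX):
            by_src[src].append((t, method))

    findings = {}
    for src, events in by_src.items():
        if len(events) < min_requests:
            continue
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = 0.0 if avg == 0 else pstdev(gaps) / avg
        methods = {m for _, m in events}
        if jitter <= max_jitter and {"GET", "PUT"} <= methods:
            findings[src] = {"count": len(events),
                             "mean_gap_s": round(avg, 3),
                             "jitter": round(jitter, 3)}
    return findings


def audit_sas(url, now, max_lifetime=timedelta(hours=24)):
    """Return [(code, message)] policy violations for a SAS URL.

    Reads the standard SAS query parameters: ss (present only on account-level
    SAS), sp (permissions), se (expiry). Thresholds are a local policy choice.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    issues = []
    if "ss" in q:
        issues.append(("ACCOUNT_SAS", "account-level SAS; prefer a container/blob-scoped service SAS"))
    perms = set(q.get("sp", ""))
    if perms & {"w", "c", "d"}:
        issues.append(("WRITE_PERMS", f"write/create/delete granted: sp={q.get('sp')}"))
    if "se" not in q:
        issues.append(("NO_EXPIRY", "no expiry (se) parameter"))
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry - now > max_lifetime:
            issues.append(("LONG_LIFETIME", f"expires {expiry.isoformat()}, beyond policy"))
    return issues


def build_sample_log():
    """Constructed egress log: one tunnel-like host, one benign host, one unrelated."""
    base = SAMPLE_NOW
    lines = []
    for i in range(30):  # steady 500 ms read/write alternation against one container
        t = base + timedelta(milliseconds=500 * i)
        m = "GET" if i % 2 == 0 else "PUT"
        lines.append(f"{t.isoformat()} 10.0.0.5 {m} https://examplestore.blob.core.windows.net/chan/blob{i % 2}")
    for i, sec in enumerate((0, 37, 400)):  # a few irregular package downloads
        t = base + timedelta(seconds=sec)
        lines.append(f"{t.isoformat()} 10.0.0.9 GET https://updates.blob.core.windows.net/pkgs/app{i}.zip")
    lines.append(f"{base.isoformat()} 10.0.0.7 GET https://example.com/index.html")
    return lines


if __name__ == "__main__":
    for src, summary in detect_blob_beaconing(build_sample_log()).items():
        print(f"possible blob tunnel from {src}: {summary}")
    for code, msg in audit_sas(SAMPLE_BROAD_SAS, SAMPLE_NOW):
        print(code, msg)
```

The beaconing check deliberately requires both reads and writes: a host that only downloads from a blob endpoint is the common benign case (updates, installers), while a bidirectional channel has to do both. Tune min_requests and max_jitter to the observed baseline before alerting on it, and pair it with the storage-side access logs so the container and token behind a flagged host can be identified and revoked.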

Conclusion

ProxyBlob is a novel and technically elegant method to tunnel sockets via an object storage provider, leveraging the near-universal reachability of Azure Blob endpoints. It highlights how legitimate cloud services can serve as covert channels in network defence and red team engagements.

For red teamers, penetration testers, and network defenders, ProxyBlob is a crucial tool for understanding and testing potential Azure-based covert exfiltration channels.

You can read more or download ProxyBlob here: https://github.com/quarkslab/proxyblob.



Article source: https://www.darknet.org.uk/2025/06/proxyblob-socks5-over-azure-blob-storage-for-covert-network-tunneling/