GhostSocks Malware: A New Cyber Threat Leveraging SOCKS5 Backconnect for Evasion

A recent report from Infrawatch has exposed GhostSocks, a Golang-based SOCKS5 backconnect proxy malware, which has been actively distributed in cybercriminal communities since late 2023. Initially advertised on Russian-language forums, its reach expanded to English-speaking markets in July 2024.

GhostSocks is sold under a MaaS (Malware-as-a-Service) model, making it easily accessible to cybercriminals. Threat actors can subscribe to GhostSocks independently for $150 in Bitcoin or leverage its deep integration with LummaC2, a notorious information stealer.

“The integration of GhostSocks with Lumma, facilitated by features like automatic provisioning and discounted pricing for Lumma users, highlights a deliberate effort to enhance post-infection capabilities,” the report says.

This partnership allows cybercriminals to maximize their profits by using LummaC2 to steal credentials and GhostSocks to establish persistent network access.

Upon execution, GhostSocks:

• Uses heavy obfuscation techniques, including Garble and Gofuscator.
• Stores its configuration in a JSON object written to %APPDATA%\config.
• Communicates with a Command and Control (C2) server, using an intermediary relay structure for stealth.

GhostSocks enables cybercriminals to leverage compromised systems as proxies, allowing them to:

• Bypass IP-based fraud detection systems.
• Evade geolocation-based access restrictions imposed by financial institutions.
• Obfuscate attacker origin, making forensic tracking difficult.

Beyond its SOCKS5 proxy functionality, GhostSocks includes:

1. Remote Command Execution – Runs arbitrary shell commands on infected systems.
2. Credential Manipulation – Modifies SOCKS5 authentication credentials dynamically.
3. File Download & Execution – Retrieves and executes additional payloads from remote locations.

Infrawatch identified multiple C2 servers and Tier 1 relays used in GhostSocks operations, with most hosted on VDSina, a Russian-speaking Virtual Dedicated Server (VDS) provider. These servers enable residential proxy abuse, further increasing the malware’s effectiveness in bypassing anti-fraud protections.

Related Posts:

• QBot Resurfaces: New BackConnect Malware Signals a Dangerous Evolution
• GoTitan Botnet Emerges Amidst Active Exploitation of Apache Vulnerability
• SADBRIDGE Loader Unveils GOSAR Backdoor in Cyber Attacks