Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

GhostSocks Malware Evades Detection Methods

February 24, 2025
Reading Time: 2 mins read
in Alerts
ChatGPT Phishing Campaign Targets User Data

GhostSocks is a Golang-based malware that operates as a SOCKS5 backconnect proxy, allowing cybercriminals to exploit compromised systems for financial gain. First identified on Russian-language forums in October 2023, it quickly spread to English-speaking criminal platforms by mid-2024, becoming part of the Malware-as-a-Service (MaaS) ecosystem. The malware’s integration with the LummaC2 information stealer, which was formalized in February 2024, significantly amplifies its capabilities. It enables advanced credential abuse and bypasses anti-fraud mechanisms, making it a valuable tool for attackers targeting high-value sectors such as financial institutions. Discounts for Lumma users have further incentivized the adoption of GhostSocks in the cybercrime landscape.

GhostSocks relies on a SOCKS5 proxy to reroute network traffic through compromised systems, effectively masking the attacker’s origin and allowing them to bypass geographic restrictions and IP-based security defenses. Upon execution, the malware creates an embedded configuration structure with hardcoded data and dynamic values, which is obfuscated to avoid detection. The configuration is stored locally before the malware establishes communication with its command-and-control (C2) infrastructure. By using intermediary Tier 2 relay servers, GhostSocks queries for Tier 1 relay IPs and ports, enabling it to set up TCP connections for SOCKS5 tunneling and perform fraudulent activities such as bypassing financial institution security checks.

The malware also extends its functionality beyond SOCKS5 proxying by incorporating backdoor capabilities, which allow attackers to execute arbitrary commands, modify SOCKS5 credentials, and download and execute additional malicious files. These features give attackers persistent access to infected systems, further enabling exploitation. Researchers have identified multiple C2 servers and backconnect hosts associated with GhostSocks across various networks, many of which are hosted on Russian-speaking Virtual Dedicated Server (VDS) providers like VDSina.

These servers typically operate on ports such as 3001, and their consistent C2 behavioral patterns, such as specific API key error responses, can be tracked to monitor the malware’s activity.

As part of the growing trend of commodified backconnect proxy malware, GhostSocks exemplifies the increasing sophistication of adversarial tools within the cybercrime ecosystem. Its seamless integration with the LummaC2 information stealer and availability on MaaS platforms have made it a popular choice among cybercriminals. The malware’s use of advanced evasion techniques, including anti-sandboxing and obfuscation tools like Garble and Gofuscator, allows it to stay under the radar of traditional detection systems. However, cybersecurity teams can enhance their defenses against this evolving threat by focusing on behavioral indicators, such as the unique C2 responses that GhostSocks relies on, to better track and mitigate its impact.

Reference:
  • GhostSocks Malware Uses SOCKS5 Proxy for Evasion and Financial Exploitation
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityFebruary 2025
ADVERTISEMENT

Related Posts

FreeDrain Phishing Steals Crypto Funds

FBI Warns Cybercriminals Exploit Routers

May 9, 2025
FreeDrain Phishing Steals Crypto Funds

X Scam Targets Crypto Users with Fake Ads

May 9, 2025
FreeDrain Phishing Steals Crypto Funds

FreeDrain Phishing Steals Crypto Funds

May 9, 2025
COLDRIVER Hackers Target Sensitive Data

COLDRIVER Hackers Target Sensitive Data

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

CoGUI Targets Consumer and Finance Brands

May 8, 2025

Latest Alerts

X Scam Targets Crypto Users with Fake Ads

FBI Warns Cybercriminals Exploit Routers

FreeDrain Phishing Steals Crypto Funds

CoGUI Targets Consumer and Finance Brands

COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

Subscribe to our newsletter

    Latest Incidents

    LockBit Ransomware Data Leaked After Hack

    Spanish Consumer Group Faces Cyberattack

    Education Giant Pearson Hit by Data Breach

    Masimo Cyberattack Disrupts Manufacturing

    Cyberattack Targets Tepotzotlán Facebook

    West Lothian Schools Hit by Ransomware

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial