GhostSocks is a Golang-based malware that operates as a SOCKS5 backconnect proxy, allowing cybercriminals to exploit compromised systems for financial gain. First identified on Russian-language forums in October 2023, it quickly spread to English-speaking criminal platforms by mid-2024, becoming part of the Malware-as-a-Service (MaaS) ecosystem. The malware’s integration with the LummaC2 information stealer, which was formalized in February 2024, significantly amplifies its capabilities. It enables advanced credential abuse and bypasses anti-fraud mechanisms, making it a valuable tool for attackers targeting high-value sectors such as financial institutions. Discounts for Lumma users have further incentivized the adoption of GhostSocks in the cybercrime landscape.
GhostSocks relies on a SOCKS5 proxy to reroute network traffic through compromised systems, effectively masking the attacker’s origin and allowing them to bypass geographic restrictions and IP-based security defenses. Upon execution, the malware creates an embedded configuration structure with hardcoded data and dynamic values, which is obfuscated to avoid detection. The configuration is stored locally before the malware establishes communication with its command-and-control (C2) infrastructure. By using intermediary Tier 2 relay servers, GhostSocks queries for Tier 1 relay IPs and ports, enabling it to set up TCP connections for SOCKS5 tunneling and perform fraudulent activities such as bypassing financial institution security checks.
The malware also extends its functionality beyond SOCKS5 proxying by incorporating backdoor capabilities, which allow attackers to execute arbitrary commands, modify SOCKS5 credentials, and download and execute additional malicious files. These features give attackers persistent access to infected systems, further enabling exploitation. Researchers have identified multiple C2 servers and backconnect hosts associated with GhostSocks across various networks, many of which are hosted on Russian-speaking Virtual Dedicated Server (VDS) providers like VDSina.
These servers typically operate on ports such as 3001, and their consistent C2 behavioral patterns, such as specific API key error responses, can be tracked to monitor the malware’s activity.
As part of the growing trend of commodified backconnect proxy malware, GhostSocks exemplifies the increasing sophistication of adversarial tools within the cybercrime ecosystem. Its seamless integration with the LummaC2 information stealer and availability on MaaS platforms have made it a popular choice among cybercriminals. The malware’s use of advanced evasion techniques, including anti-sandboxing and obfuscation tools like Garble and Gofuscator, allows it to stay under the radar of traditional detection systems. However, cybersecurity teams can enhance their defenses against this evolving threat by focusing on behavioral indicators, such as the unique C2 responses that GhostSocks relies on, to better track and mitigate its impact.
