Monday, December 1

GhostSocks Malware-as-a-Service Turns Compromised Devices into Proxies for Threat Actors


On Sun, Oct 15, 2023, a threat actor known as GhostSocks announced a new Malware-as-a-Service (MaaS) on the Russian cybercrime forum xss[.]is. This service converts compromised Windows machines into residential SOCKS5 proxies, enabling the circumvention of anti-fraud measures and the monetization of infected devices.

Technical Overview

GhostSocks operates by transforming end-user devices into proxy nodes controlled by threat actors. The service includes a management panel that allows for build creation, proxy assignment, and real-time status monitoring. Weekly updates detail feature enhancements, and user feedback highlights the proxies’ reliability and low latency.

Adoption and Ecosystem Integration

GhostSocks has attracted interest across a range of cybercriminal operations, from minor fraud schemes to advanced ransomware groups. Its user base was initially limited, but adoption increased in February 2024 following a partnership with Lumma Stealer, which enabled automated installation of GhostSocks and the channeling of stolen credentials through the proxy infrastructure. In February 2025, leaked BlackBasta chat logs revealed discussions of GhostSocks being used together with Lumma Stealer to maintain network access post-compromise.

The software is available as a 32-bit DLL or a standalone executable, both written in Go and obfuscated with the garble project, which encrypts strings and API symbols at build time and decrypts them at runtime. GhostSocks is limited to SOCKS5 proxy provisioning and has no persistence mechanism of its own. On execution it creates a mutex to prevent multiple instances, looks for a dynamic configuration in the %TEMP% directory, and falls back to a hardcoded configuration if none is found. The decrypted configuration lists Command-and-Control (C2) URLs, which the malware iterates through until a connection succeeds. Proxy credentials are then generated and registered with the C2 via HTTP GET requests that carry an x-api-key header once a connection is established, and a bi-directional SOCKS5 tunnel is built on the go-socks5 and yamux libraries.

Mitigation Strategies

  • Personal Precautions: Avoid executing untrusted files and ensure endpoint protection systems are updated to detect Go-based obfuscators.
  • Organizational Defenses: Block known GhostSocks relay server IPs, monitor outbound SOCKS5 traffic for anomalies, enforce network segmentation, and scrutinize remote IP addresses, even if residential, to prevent unauthorized access.
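To illustrate the "monitor outbound traffic for anomalies" advice above, the following Python is an added example (not code from the original article or from any GhostSocks analysis) that scores per-host flow records for the two traits a proxy bot tends to produce: one long-lived, bidirectional connection to a single external address (the relay tunnel) combined with a burst of short connections to many unrelated destinations (the proxied traffic). The thresholds, field names and sample flows are constructed assumptions and should be tuned against a real baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int         # flow start, epoch seconds (constructed)
    src: str        # internal host
    dst: str        # external destination IP
    dport: int
    duration: int   # seconds
    bytes_out: int
    bytes_in: int


def proxy_suspects(flows, window=3600, fanout_threshold=25, longlived=1800):
    """Return {src: details} for hosts that hold a long-lived bidirectional
    outbound connection (relay-tunnel candidate) AND contact at least
    fanout_threshold distinct destinations inside any `window` seconds.
    Threshold values are assumptions, not published indicators."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    suspects = {}
    for src, fl in by_src.items():
        tunnels = [f for f in fl
                   if f.duration >= longlived and f.bytes_in > 0 and f.bytes_out > 0]
        fl.sort(key=lambda f: f.ts)
        # sliding window over start times: widest fan-out seen for this host
        max_fanout = max(len({g.dst for g in fl if f.ts <= g.ts < f.ts + window})
                         for f in fl)
        if tunnels and max_fanout >= fanout_threshold:
            suspects[src] = {"relay_candidates": sorted({t.dst for t in tunnels}),
                             "max_distinct_dst": max_fanout}
    return suspects


def sample_flows():
    """Constructed sample: a normal workstation and a host behaving like a proxy bot."""
    flows = [Flow(0, "10.0.0.5", "198.51.100.7", 443, 12, 4000, 60000),
             Flow(60, "10.0.0.5", "198.51.100.8", 443, 30, 2500, 90000)]
    # proxy-bot pattern: a two-hour bidirectional session to one relay address ...
    flows.append(Flow(0, "10.0.0.9", "203.0.113.10", 443, 7200, 900000, 850000))
    # ... plus 30 short connections to unrelated destinations within 20 minutes
    for i in range(30):
        flows.append(Flow(10 + i * 40, "10.0.0.9", f"192.0.2.{i + 1}", 443, 5, 3000, 20000))
    return flows


if __name__ == "__main__":
    for host, info in proxy_suspects(sample_flows()).items():
        print(host, info)
```

The same scoring can be run over exported firewall or NetFlow records once they are mapped onto the `Flow` fields; hosts that trip both conditions warrant endpoint triage rather than automatic blocking.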

Publicly available observables and YARA rules can be deployed for immediate threat detection. Although GhostSocks introduces no new techniques, its emergence underlines the risk of compromised systems being exploited as proxies for further attacks. Priced as low as $0.50 per device per day, GhostSocks and similar proxy malware are expected to remain prevalent in underground markets. Consequently, diligent network monitoring and the proactive blocking of proxy protocols are critical for mitigating this threat.
