A novel Malware-as-a-Service (MaaS) offering named GhostSocks has surged in popularity among cybercriminals by enabling compromised endpoints to function as residential proxies.
First marketed on the Russian forum xss[.]is on October 15, 2023, GhostSocks capitalizes on legitimate IP addresses to route fraudulent traffic, effectively evading anti-fraud systems and security controls.
Its ease of use and integration with existing malware frameworks have led to adoption by both low-level fraudsters and sophisticated ransomware groups seeking persistent access.
GhostSocks is delivered through a web-based panel that allows customers to generate customized builds in the form of 32-bit DLLs or standalone executables.
Both payload types are compiled in Go and utilize the open-source Garble project to obfuscate strings and symbols, which are decrypted only at runtime, thereby hindering static analysis.
To prevent multiple instances from running concurrently, GhostSocks implements a mutex named “start to run.” On execution, it checks the %TEMP% directory for a dynamic configuration file containing relay server addresses.
If this file is absent, GhostSocks defaults to a hardcoded list of command-and-control (C2) URLs. The malware sequentially attempts to connect to each URL until a successful handshake is achieved.
Upon establishing contact, it generates a random username and password for the SOCKS5 proxy session. It transmits build metadata, including buildVersion, md5, and userId parameters, alongside an x-api-key header in an HTTP request.
A 200 OK response from the C2 server triggers the instantiation of a SOCKS5 listener on the compromised host, converting the victim machine into a proxy node under the attacker’s control.
GhostSocks does not embed its own persistence mechanism; it relies on auxiliary malware, such as LummaStealer, to maintain long-term footholds and redeploy proxies after system reboots.
GhostSocks experienced a significant increase in usage following a February 2024 partnership with LummaStealer, which enabled clients of the infostealer to deploy proxy functionality seamlessly after data theft.
This collaboration was confirmed in leaked BlackBasta ransomware chat logs from February 2025, which documented discussions about leveraging GhostSocks to sustain network access and route exfiltrated data through compromised proxies.
Despite law enforcement actions against the XSS forum and disruptions to LummaStealer infrastructure, GhostSocks continues active development, issuing weekly updates and maintaining support channels on alternative platforms.
To defend against GhostSocks deployments, organizations should continuously update firewall policies to block outbound connections to known GhostSocks relay IPs and regularly monitor for unusual SOCKS5 traffic, which is rare in enterprise environments.
Zero Trust network controls must be enforced, avoiding reliance on IP reputation alone and ensuring that device posture and user authentication are thoroughly validated before granting network access.
By recognizing the dual exploitation model of GhostSocks’ initial infection followed by proxy monetization, security teams can implement targeted detection and prevention measures to mitigate this emerging threat.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
