GhostSocks Malware: A Growing Threat Utilizing Residential Proxies

Severity: High (Score: 66.5)

Sources: Cybersecuritynews, Gbhackers, Darktrace

Summary

GhostSocks is malware that transforms compromised devices into residential proxies, enabling attackers to bypass IP-based detection tools. Originally marketed as Malware-as-a-Service on a Russian underground forum, it gained notoriety for its ability to blend malicious traffic with normal activity. The malware operates using the SOCKS5 proxy protocol and employs TLS encryption to conceal its communications. Its partnership with Lumma Stealer in 2024 significantly increased its adoption among threat actors. Darktrace has reported a rise in GhostSocks activity since late 2025, with multiple incidents detected across various sectors, including education. The malware also has backdoor capabilities, allowing attackers to execute commands and deploy additional payloads. Notably, the ransomware group Black Basta has utilized GhostSocks to maintain long-term access to victim networks. The current status indicates ongoing activity and a persistent threat to organizations.

Key Points:

  • GhostSocks malware turns compromised devices into residential proxies, evading detection.
  • It has been linked to the Lumma Stealer, enhancing its operational capabilities.
  • Darktrace has observed a significant increase in GhostSocks incidents since late 2025.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • d2ihv8ymzp14lr.cloudfront.net (domain)
  • Education (company)
  • GhostSocks (malware)
  • Lumma Stealer (malware)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1095 - Non-Application Layer Protocol (mitre_attack)
  • T1102 - Web Service (mitre_attack)
  • T1112 - Modify Registry (mitre_attack)
  • CloudFront (platform)
  • Golang (platform)
  • Black Basta (ransomware_group)
  • 10f928e00a1ed0181992a1e4771673566a02f4e3 (sha1)
  • 3d9d7a7905e46a3e39a45405cb010c1baa735f9e (sha1)
  • 9b90c62299d4bed2e0752e2e1fc777ac50308534 (sha1)