GhostSocks: From Initial Access to Residential Proxy
Essential information
- Published: 01/10/2025 07:39
- Modified: 01/10/2025 09:14
- Tags: 2025-10-01, blackbasta, c2, double victimization, ghostsocks, golang, lummastealer, maas, obfuscation, residential proxy, socks5
- Related entities: 12 observables, 1 intrusion set (APT), 11 techniques (MITRE), 2 malware, 1 other
Description
GhostSocks is a Malware-as-a-Service (MaaS) offering that turns compromised devices into residential proxies, letting threat actors route traffic through victim IP addresses and so bypass anti-fraud mechanisms. Introduced in October 2023, it gained popularity after partnering with LummaStealer in February 2024. The malware is written in Go (Golang), uses obfuscation techniques, and can be built as a 32-bit DLL or executable. It implements no persistence mechanism of its own and focuses on SOCKS5 functionality. GhostSocks reads its C2 servers from a configuration file or a hardcoded config, generates random credentials, and establishes a SOCKS5 connection using open-source libraries. Despite law enforcement actions against related platforms, GhostSocks continues to operate, posing ongoing risks of double victimization and long-term network access for cybercriminals.
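Because the malware's value to its operators is a SOCKS5 session authenticated with generated credentials, the handshake itself is a detectable artifact on the wire. The following is an added detection example, not code from GhostSocks, its operators or the original entry: it parses the SOCKS5 method-negotiation greeting (RFC 1928) and the username/password sub-negotiation (RFC 1929) from raw TCP payloads so an analyst can flag hosts that begin speaking SOCKS5 with username/password authentication to an address outside the expected proxy infrastructure. The sample payloads are constructed for the example; none are GhostSocks observables.

```python
"""Flag SOCKS5 handshakes (RFC 1928 greeting + RFC 1929 username/password auth)
in captured TCP payloads. Added example; sample bytes below are constructed."""
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05          # RFC 1928 VER field
USERPASS_SUBNEG_VERSION = 0x01  # RFC 1929 sub-negotiation VER field
METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password", 0xFF: "no-acceptable"}


def parse_client_greeting(payload: bytes) -> Optional[List[int]]:
    """VER | NMETHODS | METHODS[NMETHODS]. Returns the offered methods or None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None  # truncated or over-long: not a clean greeting
    return list(payload[2:2 + nmethods])


def parse_userpass_request(payload: bytes) -> Optional[Tuple[str, str]]:
    """VER(0x01) | ULEN | UNAME | PLEN | PASSWD. Returns (user, password) or None."""
    if len(payload) < 3 or payload[0] != USERPASS_SUBNEG_VERSION:
        return None
    ulen = payload[1]
    if len(payload) < 2 + ulen + 1:
        return None
    uname = payload[2:2 + ulen]
    plen = payload[2 + ulen]
    if len(payload) != 3 + ulen + plen:
        return None
    passwd = payload[3 + ulen:]
    # latin-1 never fails, so generated non-ASCII credentials still decode
    return uname.decode("latin-1"), passwd.decode("latin-1")


def classify_payload(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (event_kind, detail) for a SOCKS5 handshake payload, else None."""
    methods = parse_client_greeting(payload)
    if methods is not None:
        names = ", ".join(METHOD_NAMES.get(m, f"0x{m:02x}") for m in methods)
        return ("socks5-greeting", names)
    creds = parse_userpass_request(payload)
    if creds is not None:
        # Log the username for correlation; never log the password itself.
        return ("socks5-userpass-auth", f"user={creds[0]!r} password_len={len(creds[1])}")
    return None


def scan_payloads(payloads: List[bytes]) -> List[Tuple[int, str, str]]:
    """Run classify_payload over a flow's payloads; keep only SOCKS5 events."""
    events = []
    for idx, p in enumerate(payloads):
        hit = classify_payload(p)
        if hit is not None:
            events.append((idx, hit[0], hit[1]))
    return events


def flow_uses_userpass_socks5(payloads: List[bytes]) -> bool:
    """True when the flow offers username/password auth and then sends credentials,
    the pattern a proxy client using generated credentials produces."""
    kinds = [kind for _, kind, _ in scan_payloads(payloads)]
    offered_userpass = any(
        0x02 in (parse_client_greeting(p) or []) for p in payloads
    )
    return offered_userpass and "socks5-userpass-auth" in kinds


# Constructed sample flow: an HTTP request (benign noise), then a SOCKS5 greeting
# offering only username/password auth, then the RFC 1929 credential exchange.
SAMPLE_FLOW = [
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"\x05\x01\x02",                      # VER=5, one method: 0x02
    b"\x01\x05alice\x06secret",           # VER=1, ULEN=5, "alice", PLEN=6, "secret"
]

if __name__ == "__main__":
    for idx, kind, detail in scan_payloads(SAMPLE_FLOW):
        print(f"payload[{idx}]: {kind}: {detail}")
    print("username/password SOCKS5 flow:", flow_uses_userpass_socks5(SAMPLE_FLOW))
```

In a real pipeline the payloads would come from a flow reassembler (e.g. Zeek or a pcap parser) keyed by five-tuple, and the alert condition would combine `flow_uses_userpass_socks5` with context the bytes alone cannot give: the originating process, whether the peer is a sanctioned proxy, and whether the host has any business acting as a proxy at all.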