{
  "name": "GhostSocks: From Initial Access to Residential Proxy",
  "slug": "ghostsocks-from-initial-access-to-residential-proxy",
  "description": "GhostSocks is a Malware-as-a-Service (MaaS) offering that converts compromised devices into residential proxies, enabling threat actors to bypass anti-fraud mechanisms. Introduced in October 2023, it gained popularity after partnering with LummaStealer in February 2024. The malware, written in Golang, uses obfuscation techniques and can be built as a 32-bit DLL or executable. It does not implement persistence mechanisms and instead focuses on SOCKS5 functionality. GhostSocks uses a configuration file or a hardcoded configuration to connect to C2 servers, generates random credentials, and establishes a SOCKS5 connection using open-source libraries. Despite law enforcement actions against related platforms, GhostSocks continues to operate, posing ongoing risks of double victimization and long-term network access for cybercriminals.",
  "published": "2025-10-01T05:39:51+00:00",
  "created_at": "2025-10-01T05:39:51+00:00",
  "modified_at": "2025-10-01T07:14:12+00:00",
  "created_at_opencti": "2025-10-01T05:39:51+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-01",
    "blackbasta",
    "c2",
    "double victimization",
    "ghostsocks",
    "golang",
    "lummastealer",
    "maas",
    "obfuscation",
    "residential proxy",
    "socks5"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.212.166.9"
      },
      {
        "id": "",
        "name": "147.45.196.157"
      },
      {
        "id": "",
        "name": "86.54.24.25"
      },
      {
        "id": "",
        "name": "91.212.166.91"
      },
      {
        "id": "",
        "name": "46.8.236.61"
      },
      {
        "id": "",
        "name": "46.8.232.106"
      },
      {
        "id": "",
        "name": "http://46.8.232.106:30001/api/helper-first-register?buildVersion=0pTk.PWh2DyJ&md5=&proxyPassword=&proxyUsername=&userId="
      },
      {
        "id": "",
        "name": "https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy"
      },
      {
        "id": "",
        "name": "proton66.ru"
      },
      {
        "id": "",
        "name": "f52fa1b8be929a42aafab8f0a80932e52b949ee35498f22b6d58e5e6ed107b99"
      },
      {
        "id": "",
        "name": "cda5f18be615ad27e0477c6d249d245d368ac1de81ee48239a3e39814345c04d"
      },
      {
        "id": "",
        "name": "b4709cfb8f9cf0eaabe16ab218d60a0e64c3fa568d42fcac51f867e1d2cdc1fe"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5571dfa55a94e4fa",
        "name": "GhostSocks",
        "slug": "ghostsocks"
      },
      {
        "id": "legacy:malware:22cebae9fb28ad81",
        "name": "LummaStealer",
        "slug": "lummastealer"
      }
    ],
    "intrusion_sets": [
      {
        "id": "77f2294e-b9e2-4ad2-bd56-e596038b7589",
        "name": "GhostSocks",
        "slug": "ghostsocks"
      }
    ],
    "attack_patterns": [
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "b6e505a1-fadb-491a-b4f1-151443fdc8c3",
        "name": "T1001"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy",
    "https://otx.alienvault.com/pulse/68dcdac7d51c7b3b85ad7372"
  ]
}