{
  "name": "GhostSocks - Partner In Proxy",
  "slug": "ghostsocks-partner-in-proxy",
  "description": "GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is primarily deployed alongside the LummaC2 information stealer and offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with an HTTP API, allowing attackers to route traffic through infected systems so that their activity appears to originate from the victim's host. The malware's integration with LummaC2, including automatic provisioning and discounted pricing, enhances post-infection capabilities for credential abuse and anti-fraud bypass. GhostSocks also contains backdoor functionality, such as arbitrary command execution and credential modification. Its C2 infrastructure largely operates on VDSina (AS216071), a Russian-speaking hosting provider. The malware exemplifies the commodification of SOCKS5 backconnect malware in the criminal ecosystem and poses a significant threat to financial institutions and other high-value targets.",
  "published": "2025-02-25T12:58:05+00:00",
  "created_at": "2025-02-25T12:58:05+00:00",
  "modified_at": "2025-02-25T13:43:32+00:00",
  "created_at_opencti": "2025-02-25T12:58:05+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-25",
    "anti-fraud bypass",
    "backconnect proxy",
    "c2 infrastructure",
    "credential abuse",
    "ghostsocks",
    "golang",
    "lummac2",
    "malware-as-a-service",
    "socks5",
    "vdsina"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "77.238.245.11"
      },
      {
        "id": "",
        "name": "38.180.61.247"
      },
      {
        "id": "",
        "name": "212.34.130.72"
      },
      {
        "id": "",
        "name": "195.200.31.22"
      },
      {
        "id": "",
        "name": "195.200.28.33"
      },
      {
        "id": "",
        "name": "185.21.13.144"
      },
      {
        "id": "",
        "name": "185.157.213.253"
      },
      {
        "id": "",
        "name": "185.245.106.67"
      },
      {
        "id": "",
        "name": "185.121.233.152"
      },
      {
        "id": "",
        "name": "46.8.236.61"
      },
      {
        "id": "",
        "name": "46.8.232.106"
      },
      {
        "id": "",
        "name": "91.142.74.28"
      },
      {
        "id": "",
        "name": "77.238.245.233"
      },
      {
        "id": "",
        "name": "77.238.224.56"
      },
      {
        "id": "",
        "name": "195.2.70.38"
      },
      {
        "id": "",
        "name": "c92b21bdb91fe4c0590212e650212528a1f608a2ea086ce5eb5ac6d05edc41f7"
      },
      {
        "id": "",
        "name": "86362ac6d972b1b55f1f434811d014316196f0e193878d8270dae939efb25908"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5571dfa55a94e4fa",
        "name": "GhostSocks",
        "slug": "ghostsocks"
      },
      {
        "id": "legacy:malware:37dce7f2f14d48d9",
        "name": "LummaC2",
        "slug": "lummac2"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://infrawatch.app/blog/ghostsocks-lummas-partner-in-proxy",
    "https://otx.alienvault.com/pulse/67bdcc6d3e9fb0c20b7b2299"
  ]
}