GhostSocks Turns Victim Systems Into Residential Proxies for Evasive Cyberattacks

Cybersecurity News. Original source: cybersecuritynews.com, by Blog Writer.

A new malware called GhostSocks has been quietly spreading through compromised systems, turning home and office devices into residential proxies that threat actors use to conceal their malicious traffic.

Unlike traditional malware that simply steals data or locks files, GhostSocks hijacks the victim’s internet connection to make attacker traffic appear as though it is coming from a regular household user.

This makes it far harder for security tools to flag the activity as suspicious, giving attackers a clear advantage.

GhostSocks was first marketed on xss[.]is, a well-known Russian underground cybercrime forum, as a Malware-as-a-Service (MaaS) offering, meaning any criminal willing to pay can rent access without building it themselves.

Written in Go, it uses the SOCKS5 proxy protocol to create a covert communication channel on infected devices, while a relay-based command-and-control (C2) architecture places an intermediary server between the attacker’s real C2 infrastructure and the compromised machine.

It wasn’t until 2024, when GhostSocks announced a partnership with the notorious Lumma Stealer — a widely used information-stealing malware — that its adoption surged sharply across the threat landscape.

Darktrace analysts identified a steady rise in GhostSocks activity across its customer base from late 2025, with multiple incidents documented in detail.

In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer within an education sector customer’s network, confirming the partnership between the two malware families remains active despite recent efforts to disrupt Lumma’s infrastructure.

GhostSocks is particularly dangerous because it serves multiple criminal purposes at once. Beyond routing attacker traffic through residential connections, it also includes a backdoor component that allows operators to run arbitrary commands and deploy additional malicious payloads on infected systems.

The ransomware group Black Basta reportedly used GhostSocks to maintain long-term, covert access to victim networks — making it a full-access enabler, not just a proxy tool.

The threat extends well beyond any single organization. Both cybercriminal groups and state-sponsored actors increasingly rely on residential proxies to bypass IP-based detection tools, and GhostSocks delivers exactly this kind of cover at scale.

As long as threat actors can rebuild infrastructure rapidly and maintain anonymity through proxy nodes, this malware will remain a persistent risk.

How GhostSocks Evades Detection

GhostSocks is built with evasion as a central design feature. The malware wraps its SOCKS5 tunnels in Transport Layer Security (TLS) encryption, allowing its traffic to blend into normal encrypted network communications and making it difficult for signature-based tools to identify it through traffic patterns alone.

In the December 2025 incident, the first warning sign came when a device began connecting to an endpoint using a suspicious self-signed SSL certificate never seen on that network before.

The endpoint, retreaw[.]click (159.89.46[.]92), was flagged by multiple open-source intelligence (OSINT) sources as part of Lumma Stealer’s C2 infrastructure.

Within two minutes, the same device downloaded an executable file named “Renewable.exe” from IP 86.54.24[.]29, confirmed by multiple OSINT vendors as a GhostSocks-linked payload.

Detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure (Source – DarkTrace)

Two days later, additional payloads including “Setup.exe” and “/vp6c63yoz.exe” were downloaded from www.lbfs[.]site, followed by C2 beaconing to multiple rare external endpoints.

Detection of the device downloading ‘Renewable.exe’ (Source – DarkTrace)

Later GhostSocks versions achieve persistence through Windows registry run keys, ensuring the proxy stays active even after a system reboot — a capability absent in earlier variants, reflecting active ongoing development.

Detection of a malicious payload from www.lbfs[.]site (Source – DarkTrace)

Security teams should closely monitor connections to rare external endpoints using self-signed SSL certificates, as this was the first detectable warning in documented cases.

An overview of download activity and Autonomous Response (Source – DarkTrace)

Enabling automated response capabilities is strongly advised, since manual confirmation modes delayed containment in the reported attack.

Keeping indicators of compromise current — including SHA1 file hashes and hostnames such as retreaw[.]click, www.lbfs[.]site, and 86.54.24[.]29 — alongside enforcing strict outbound traffic controls, can limit the malware’s ability to establish sustained C2 communications.
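The two detection signals the article recommends, a self-signed certificate presented by an endpoint the network rarely contacts, and any connection to the indicators it names, can be turned into a small triage check over connection logs. The following is an added example, not code from the article or from Darktrace; the log format, device names and timestamps are constructed for the demo, and only the indicators come from the article.

```python
from dataclasses import dataclass

# Indicators named in the article, kept in defanged form.
KNOWN_IOCS = {"retreaw[.]click", "159.89.46[.]92", "86.54.24[.]29", "www.lbfs[.]site"}

# Constructed sample log (hypothetical devices and timestamps), one TLS
# connection per line: timestamp, source device, destination, self_signed=yes|no.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z ws-edu-17 login.microsoftonline.com self_signed=no
2025-12-01T10:02:11Z ws-edu-17 retreaw[.]click self_signed=yes
2025-12-01T10:03:55Z ws-edu-17 86.54.24[.]29 self_signed=no
2025-12-01T10:05:00Z ws-edu-04 printer.corp.internal self_signed=yes
2025-12-01T10:05:30Z ws-edu-09 printer.corp.internal self_signed=yes
2025-12-01T10:05:45Z ws-edu-17 printer.corp.internal self_signed=yes
2025-12-01T10:06:00Z ws-edu-22 cdn-cache.example.net self_signed=yes
"""


@dataclass(frozen=True)
class Alert:
    device: str
    destination: str
    reason: str


def parse_line(line):
    """Split one log line into (device, destination, is_self_signed)."""
    _ts, device, dest, flag = line.split()
    return device, dest, flag == "self_signed=yes"


def analyse(log_text, rare_threshold=1):
    """Return one Alert per connection that hits a known indicator, or that uses a
    self-signed certificate to a destination contacted by at most `rare_threshold`
    distinct devices in the log (the 'rare endpoint' heuristic from the article).
    A self-signed certificate that many devices see (e.g. an internal printer) is
    not flagged, which keeps the check focused on first-seen endpoints."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    devices_per_dest = {}
    for device, dest, _ in events:
        devices_per_dest.setdefault(dest, set()).add(device)
    alerts = []
    for device, dest, self_signed in events:
        reasons = []
        if dest in KNOWN_IOCS:
            reasons.append("known GhostSocks/Lumma indicator")
        if self_signed and len(devices_per_dest[dest]) <= rare_threshold:
            reasons.append("self-signed certificate to rare endpoint")
        if reasons:
            alerts.append(Alert(device, dest, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.device} -> {a.destination}: {a.reason}")
```

On the constructed sample this raises three alerts: the Lumma C2 hostname (both reasons), the GhostSocks payload IP (indicator match) and one never-before-seen endpoint with a self-signed certificate, while the widely contacted internal device with its self-signed certificate stays quiet.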
