GhostSocks
GhostSocks, a Golang-based proxy malware, was first advertised as Malware-as-a-Service (MaaS) on Russian-speaking underground forums in October 2023. It uses back-connect SOCKS5 (Socket Secure) connections and is available for rent for US $100 per month. In February 2024, the author of Lumma Stealer released an update that integrated proxying capabilities. This feature, developed in partnership with GhostSocks, allows infected hosts to be used as SOCKS5 proxies and is available to all subscribers who purchase the "Professional" or higher tier plan. The integration lets Lumma Stealer users establish a network of residential IP addresses for various purposes, including credential checking, spam distribution, or use as general-purpose proxies.
Last 7 days
| Date | C2 Hosts |
|---|---|
| Mar 14, 2026 | 2 |
Further Reading
Discover how LummaC2 has evolved with new stealth tactics, enhanced theft capabilities & novel evasion techniques in our latest SpyCloud Labs analysis.
SpyCloud Labs uncovers how LummaC2 uses GhostSocks to enable stealthy backconnect proxy access, helping attackers bypass controls and refresh tokens.
This blog post explores the Malware-as-a-Service (MaaS) ecosystem and its adoption of GhostSocks, the proxy-based malware.
This intrusion began near the end of January 2024 when the user downloaded and executed a file using the same name (setup_wm.exe) and executable icon as the legitimate M...
Rapid7 identified multiple intrusion attempts by threat actors utilizing TTPs that are consistent with an ongoing social engineering campaign being tracked.
Discover how Zloader 2.9.4.0 implemented a custom DNS tunneling protocol combined with TLS encryption to evade network detection.