GhostSocks: From Initial Access to Residential Proxy

Medium
Published: Wed Oct 01 2025 (10/01/2025, 07:39:51 UTC)
Source: AlienVault OTX General

Description

GhostSocks is a Malware-as-a-Service (MaaS) that converts compromised devices into residential proxies, enabling threat actors to bypass anti-fraud mechanisms. Introduced in October 2023, it gained popularity after partnering with LummaStealer in February 2024. The malware, written in Golang, uses obfuscation techniques and can be built as a 32-bit DLL or executable. It does not implement persistence mechanisms but focuses on SOCKS5 functionality. GhostSocks uses a configuration file or a hardcoded config to connect to C2 servers, randomly generates credentials, and establishes a SOCKS5 connection using open-source libraries. Despite law enforcement actions against related platforms, GhostSocks continues to operate, posing ongoing risks of double victimization and long-term network access for cybercriminals.

AI-Powered Analysis

Last updated: 10/01/2025, 08:50:02 UTC

Technical Analysis

GhostSocks is a Malware-as-a-Service (MaaS) platform first identified in October 2023 that transforms compromised devices into residential proxies. Written in Golang, GhostSocks is designed to help threat actors bypass anti-fraud and security mechanisms by routing malicious traffic through infected endpoints, effectively masking its origin. The malware can be deployed as either a 32-bit DLL or an executable and employs obfuscation techniques to evade detection. Unlike many malware strains, GhostSocks does not implement persistence mechanisms, indicating that its focus is on transient proxy functionality rather than long-term system control. It establishes SOCKS5 proxy connections using open-source libraries, with credentials randomly generated per session. Configuration is managed via either a configuration file or hardcoded parameters that direct the malware to command and control (C2) servers. GhostSocks gained traction after partnering in February 2024 with LummaStealer, a credential-stealing malware, which likely provides initial access or harvested credentials. Despite law enforcement efforts against related platforms, GhostSocks remains active, posing a risk of double victimization, where infected devices are both victims and tools for further attacks. The malware's ability to convert devices into residential proxies enables cybercriminals to maintain long-term network access and, by leveraging legitimate residential IP addresses, complicates attribution and blocking efforts. Indicators of compromise include multiple IP addresses and file hashes linked to the malware, as well as domains and URLs used for C2 communication and registration. The malware's tactics align with several MITRE ATT&CK techniques such as obfuscation (T1027), proxying of command and control traffic over SOCKS (T1090), and credential dumping or stealing (T1219).

Potential Impact

For European organizations, GhostSocks presents a multifaceted threat. Infected devices within corporate or home networks can be covertly repurposed as proxies, enabling attackers to route malicious traffic through legitimate European IP addresses, thereby bypassing geo-restrictions and anti-fraud systems commonly used in financial services, e-commerce, and governmental sectors. This can facilitate fraud, data exfiltration, and further lateral movement within networks. The lack of persistence means infections may be transient but can recur if initial access vectors remain unmitigated. The partnership with LummaStealer suggests that credential theft is a component of the attack chain, increasing risks of account compromise and unauthorized access to sensitive systems. Additionally, the use of residential proxies complicates incident response and attribution, potentially delaying detection and remediation. The risk of double victimization means that organizations may suffer both direct compromise and indirect harm through their devices being used in broader criminal infrastructures. This can damage reputation, incur regulatory penalties under GDPR for inadequate security, and lead to financial losses from fraud or operational disruption.

Mitigation Recommendations

European organizations should implement targeted mitigations beyond generic advice:

1) Monitor network traffic for unusual SOCKS5 proxy activity, especially outbound connections to the known C2 IPs and domains associated with GhostSocks.
2) Employ endpoint detection and response (EDR) solutions capable of detecting Golang-based malware and its obfuscation patterns.
3) Harden initial access vectors by enforcing multi-factor authentication, which limits the value of credentials stolen by LummaStealer.
4) Regularly audit and restrict proxy and tunneling protocols within corporate networks to prevent unauthorized proxy usage.
5) Conduct threat hunting exercises focused on the identified IoCs: the listed IP addresses, file hashes, and domain names.
6) Educate users about phishing and credential theft risks to reduce the likelihood of infection.
7) Implement network segmentation to limit lateral movement and to isolate infected devices quickly.
8) Collaborate with ISPs and law enforcement to report and mitigate proxy abuse originating from residential IPs.
9) Maintain updated threat intelligence feeds to detect emerging variants or related malware campaigns.
10) Since GhostSocks does not persist, rapid detection and remediation of infected hosts can effectively reduce its impact.
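Items 1 and 5 above can be turned into a small hunting script. The following is an added example for this page, not code from Synthient, AlienVault, or the GhostSocks operators: it loads the network indicators from the IoC tables below, recognises the shape of the `helper-first-register` registration URL listed there, and flags flows whose first payload bytes form a SOCKS5 client greeting (RFC 1928: version byte 0x05, an NMETHODS byte, then exactly that many method bytes). The `key=value` log format and the sample records are constructed assumptions; adapt `parse_line()` to your own proxy or NetFlow export.

```python
"""Hunt for GhostSocks-related activity in constructed log samples.

Example code added to this page; not Synthient's, AlienVault's or the
malware author's code. The key=value log schema is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Network indicators copied from this page's IoC tables.
C2_IPS = {
    "86.54.24.25", "147.45.196.157", "46.8.232.106",
    "46.8.236.61", "91.212.166.9", "91.212.166.91",
}
C2_DOMAINS = {"proton66.ru"}

# Registration endpoint and query keys taken from the page's URL indicator.
REGISTER_PATH = "/api/helper-first-register"
REGISTER_PARAMS = {"buildVersion", "md5", "proxyPassword", "proxyUsername", "userId"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn 'k=v k2="v 2"' into a dict (constructed log format, see docstring)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_socks5_greeting(payload_hex):
    """True if the hex-dumped first bytes are a SOCKS5 client greeting:
    version 0x05, one NMETHODS byte (>= 1), then exactly NMETHODS method bytes."""
    h = payload_hex.lower()
    if len(h) < 6 or h[:2] != "05":
        return False
    nmethods = int(h[2:4], 16)
    return nmethods >= 1 and len(h) == 4 + 2 * nmethods


def is_register_url(url):
    """True if the URL has the path and parameter set of the listed registration call."""
    parts = urlsplit(url)
    if parts.path != REGISTER_PATH:
        return False
    keys = set(parse_qs(parts.query, keep_blank_values=True))  # values are empty in the IoC
    return REGISTER_PARAMS <= keys


def classify(rec):
    """Return the reasons a parsed record deserves investigation (empty list if none)."""
    reasons = []
    if rec.get("dst") in C2_IPS:
        reasons.append("dst is a GhostSocks C2 IP")
    if rec.get("host", "").lower() in C2_DOMAINS:
        reasons.append("host is a GhostSocks domain")
    if is_register_url(rec.get("url", "")):
        reasons.append("GhostSocks registration URL pattern")
    if is_socks5_greeting(rec.get("payload_hex", "")):
        reasons.append("SOCKS5 client greeting in flow payload")
    return reasons


def hunt(lines):
    """Scan log lines; return [(src, dst, reasons)] for each line with at least one hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("src"), rec.get("dst"), reasons))
    return hits


# Constructed sample records (not real telemetry): one benign line, then hits.
SAMPLE_LOGS = [
    "ts=2025-10-01T07:39:51Z src=10.0.0.5 dst=93.184.216.34 dport=443 payload_hex=160301",
    "ts=2025-10-01T07:40:02Z src=10.0.0.5 dst=46.8.232.106 dport=30001 "
    "url=http://46.8.232.106:30001/api/helper-first-register"
    "?buildVersion=0pTk.PWh2DyJ&md5=&proxyPassword=&proxyUsername=&userId=",
    "ts=2025-10-01T07:40:09Z src=10.0.0.5 dst=91.212.166.9 dport=1080 payload_hex=050100",
    "ts=2025-10-01T07:41:30Z src=10.0.0.7 dst=203.0.113.9 dport=443 host=proton66.ru",
    "ts=2025-10-01T07:42:11Z src=10.0.0.9 dst=198.51.100.4 dport=8080 payload_hex=05020002",
]

if __name__ == "__main__":
    for src, dst, reasons in hunt(SAMPLE_LOGS):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The last sample line shows why the SOCKS5 check is a weak signal on its own: a greeting to an address that is not in the IoC set is worth a look under recommendation 4 (unauthorised proxy protocols), but only the combination with a listed IP, domain or the registration URL pattern points at GhostSocks specifically.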

Technical Details

Author
AlienVault
Tlp
white
References
https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy
Adversary
GhostSocks
Pulse Id
68dcdac7d51c7b3b85ad7372
Threat Score
null

Indicators of Compromise

IP

86.54.24.25
147.45.196.157
46.8.232.106
46.8.236.61
91.212.166.9
91.212.166.91

Hash

41dc5b08632cd0247b0ada4ed36f2b68
d0eb82fd3774f614ee28f148f3681ca48677f0ff
b4709cfb8f9cf0eaabe16ab218d60a0e64c3fa568d42fcac51f867e1d2cdc1fe
cda5f18be615ad27e0477c6d249d245d368ac1de81ee48239a3e39814345c04d
f52fa1b8be929a42aafab8f0a80932e52b949ee35498f22b6d58e5e6ed107b99
6d43038a57935fcf9776867ce9d3e1a3e82d0d52
79ed3c266d878e69537b633159beba74edb0bdee

URL

https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0pTk.PWh2DyJ&md5=&proxyPassword=&proxyUsername=&userId=

Domain

proton66.ru

Threat ID: 68dceb233fb6425729d8e369

Added to database: 10/1/2025, 8:49:39 AM

Last enriched: 10/1/2025, 8:50:02 AM

Last updated: 10/2/2025, 3:20:07 PM
