Phantom Footprints: Tracking GhostSocks Malware
GhostSocks is a malware campaign that converts compromised devices into residential proxy nodes, using the SOCKS5 protocol and TLS encryption to evade detection. Originating as Malware-as-a-Service on Russian underground forums, it is often deployed alongside Lumma Stealer, extending the attackers' capabilities. Written in Go, GhostSocks enables covert network access by blending malicious traffic with legitimate activity, and it includes backdoor functionality for arbitrary command execution and payload deployment. Darktrace has observed increased activity from this malware in customer networks. Its use of residential proxies lets attackers mask their infrastructure and complicates attribution. Indicators include specific file hashes, IP addresses, and malicious domains. The threat is rated medium severity because of its evasion techniques, versatility, and potential for persistent covert access, without an immediate destructive impact.
AI Analysis
Technical Summary
GhostSocks is an emerging malware threat designed to transform infected devices into residential proxy nodes, allowing attackers to route traffic through these compromised hosts and thereby evade detection and attribution. Initially marketed as Malware-as-a-Service on Russian underground forums, GhostSocks has gained traction largely through its operational partnership with Lumma Stealer, a known information-stealing malware. The malware is developed in Go, which provides cross-platform capabilities and ease of deployment. GhostSocks uses the SOCKS5 proxy protocol combined with TLS encryption to disguise malicious command-and-control (C2) traffic as legitimate network activity, complicating network-based detection. Beyond proxy functionality, it incorporates backdoor capabilities that allow threat actors to execute arbitrary commands and deploy additional payloads, increasing its versatility and persistence on infected systems. Darktrace's telemetry indicates a rise in GhostSocks activity, often detected together with Lumma Stealer infections, which suggests coordinated campaigns. By covertly converting devices into proxy nodes, attackers maximize the utility of compromised infrastructure for anonymizing their operations, conducting further intrusions, or launching secondary attacks. Indicators of compromise include several file hashes, IP addresses, and domains associated with the malware's infrastructure. Although no public exploits are reported, the malware's stealth and multi-functional nature pose significant challenges to defenders.
Potential Impact
Organizations worldwide face increased risk from GhostSocks because it can covertly turn infected devices into proxy nodes, which attackers then use to anonymize their traffic and evade detection. This can lead to prolonged undetected intrusions, data exfiltration, and lateral movement within networks. The partnership with Lumma Stealer amplifies the threat by combining data theft with stealthy network proxying, potentially resulting in significant data breaches and operational disruption. The use of TLS encryption and the SOCKS5 protocol complicates network monitoring and intrusion detection, increasing the likelihood that an attack succeeds. The backdoor functionality additionally allows attackers to deploy further malicious payloads, escalating the threat level. The malware's presence can degrade device performance and network reliability, and compromised devices may be used to facilitate attacks against other targets, implicating victim organizations in broader malicious activity. The stealthy nature of GhostSocks increases incident response complexity and remediation costs, potentially affecting organizations' reputation and regulatory compliance.
Mitigation Recommendations
To mitigate GhostSocks infections, organizations should implement network traffic analysis capable of detecting anomalous SOCKS5 proxy usage and TLS traffic patterns that are inconsistent with normal operations. Deploy endpoint detection and response (EDR) solutions with behavioral analytics to identify suspicious process activity, especially activity related to proxy services and backdoor command execution. Regularly update and patch all systems and software to reduce the attack surface, even though no specific patches exist for GhostSocks itself. Use network segmentation to limit lateral movement, and restrict outbound proxy connections to known and trusted services only. Monitor for the published indicators of compromise (hashes, IPs, domains) and integrate them into intrusion detection systems and threat intelligence platforms. Conduct incident response drills that focus on stealthy proxy malware and backdoor detection. Educate users about the phishing and social engineering tactics that may lead to initial infection, since GhostSocks is often distributed alongside other malware such as Lumma Stealer. Finally, consider deploying deception technologies to detect and disrupt proxy-based malware operations within the network.
Affected Countries
United States, Russia, Germany, United Kingdom, France, Netherlands, Ukraine, Canada, Australia, Japan
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware
- Adversary: GhostSocks
- Pulse Id: 69cbf2e5f01a923f01d49ea8
- Threat Score: null
Threat ID: 69cc181be6bfc5ba1d31dd3d
Added to database: 3/31/2026, 6:53:15 PM
Last enriched: 3/31/2026, 7:08:21 PM
Last updated: 4/1/2026, 4:14:23 AM