GhostSocks Hijacks Devices as Proxy Network for Stealthy Cyberattacks

A recently identified malware strain known as GhostSocks is fundamentally altering attack tactics by transforming compromised devices into residential proxy nodes to evade detection.

Modern cyberattacks depend heavily on blending malicious activity into normal network traffic. By routing attacks through legitimate home IP addresses as residential proxies, threat actors mask the origin of their traffic, making it appear to come from ordinary users instead of suspicious infrastructure.

This strategy successfully bypasses traditional IP-based detection, geographic restrictions, and anomaly-based security tools.

Security researchers at Darktrace have documented a significant increase in its deployment, particularly alongside the Lumma Stealer information-stealing malware, signaling a broader shift towards stealth-focused attack infrastructure and long-term persistence.

As a result, residential proxy services have become critical infrastructure, utilized not only by traditional cybercriminals but increasingly by advanced, state-sponsored threat groups. GhostSocks has emerged as a key enabler, converting infected devices into nodes within this proxy ecosystem.

What Is GhostSocks?

GhostSocks first surfaced on the Russian underground forum xss[.] as a Malware-as-a-Service (MaaS) offering. Its function is to hijack victim devices and exploit their internet bandwidth to relay malicious traffic.

Written in GoLang, the malware establishes SOCKS5 proxy connections on infected systems. It employs a relay-based command-and-control (C2) architecture, featuring an intermediary server between the attacker and the compromised device.

Usage surged dramatically in 2024 following its integration with Lumma Stealer, a prevalent information-stealing malware, dramatically expanding GhostSocks’ operational scope and reach.

Darktrace’s Cyber AI Analyst mapped these events into a single attack chain, linking initial suspicious connections, malware downloads, and subsequent beaconing activity.

 Darktrace’s detection of additional malicious file downloads from malicious CloudFront endpoints (Source : Darktrace).
Darktrace’s detection of additional malicious file downloads from malicious CloudFront endpoints (Source : Darktrace).

GhostSocks prioritizes stealth. It encrypts its SOCKS5 communications with TLS, allowing malicious traffic to blend seamlessly with legitimate encrypted network activity.

Earlier variants lacked persistence, but newer versions use registry run keys to maintain access after system reboots.

Beyond acting as a proxy, GhostSocks also functions as a backdoor, allowing attackers to execute commands and deploy additional payloads. This capability has attracted ransomware groups like Black Basta, which have reportedly leveraged GhostSocks to maintain long-term access within compromised networks.

Darktrace Detection Insights

Darktrace detected a growing GhostSocks presence across multiple environments starting in late 2025.

In one December 2025 incident involving an educational institution, an initial connection to a suspicious endpoint (159.89.46[.]92, retreaw[.]click) linked to Lumma Stealer infrastructure triggered alarms.

Darktrace’s detection of a device downloading the unusual executable file “Renewable.exe” (Source : Darktrace).
Darktrace’s detection of a device downloading the unusual executable file “Renewable.exe” (Source : Darktrace).

Within minutes, the device downloaded an unusual executable named “Renewable.exe” from 86.54.24[.]29. Intelligence sources later confirmed this file’s association with GhostSocks.

While Darktrace’s Autonomous Response system flagged the activity and suggested blocking the connection, the required manual approval was delayed. This delay allowed the attack to progress.

Darktrace’s Autonomous Response capability suggesting blocking the suspicious connections to the unusual endpoint from which the malicious executable was downloaded (Source : Darktrace).
Darktrace’s Autonomous Response capability suggesting blocking the suspicious connections to the unusual endpoint from which the malicious executable was downloaded (Source : Darktrace).

Over subsequent days, the compromised device downloaded additional payloads from domains like www.lbfs[.]site and a malicious CloudFront URL, indicating broader deployment beyond the initial infection.

These downloads included multiple suspicious executables, signaling an expanded attack.

Soon after, the device began making repeated outbound connections to rare external endpoints, behavior consistent with early-stage command-and-control beaconing.

By analyzing patterns in real time, Darktrace’s platform provided a comprehensive view of the compromise, enabling faster investigation and response.

Its continued use alongside Lumma Stealer illustrates that even when parts of attacker infrastructure are disrupted, threat actors can quickly rebuild and adapt.

Darktrace also recommended enforcing a “pattern of life” model to restrict the device’s behavior to normal activity, helping contain the threat without fully disrupting operations.

GhostSocks demonstrates how attackers maximize the value of compromised systems. By transforming victims into residential proxy nodes, they achieve anonymity, persistence, and a scalable infrastructure for future attacks.

As residential proxy abuse grows, organizations will need more proactive, AI-driven defenses to detect subtle behavioral anomalies rather than relying solely on traditional indicators.

Related Articles

Back to top button