GhostSocks - New Malware Turns Devices Into Proxies
.webp)
Basically, GhostSocks is malware that turns your device into a tool for hackers.
GhostSocks malware is turning compromised devices into residential proxies for cybercriminals. This stealthy tactic poses serious risks for users and organizations alike. Security teams must act swiftly to mitigate potential threats.
What Happened
A new malware known as GhostSocks has emerged, quietly infiltrating both home and office systems. This malware transforms compromised devices into residential proxies, allowing cybercriminals to route their malicious traffic through these systems. Unlike traditional malware that focuses on stealing data or locking files, GhostSocks hijacks the victim's internet connection, making it appear as though the attacker's traffic is coming from a regular user. This stealthy approach makes it significantly harder for security tools to detect suspicious activity.
GhostSocks was first advertised on a well-known Russian underground forum as a Malware-as-a-Service (MaaS). This means that any criminal willing to pay can access it without needing to create their own version. Written in GoLang, it utilizes the SOCKS5 proxy protocol to establish covert communication channels on infected devices. The malware's architecture includes a relay-based command-and-control (C2) system, which complicates tracking efforts by security teams.
Who's Being Targeted
The threat posed by GhostSocks is not limited to a single organization; it affects a wide range of sectors. Cybercriminals and state-sponsored actors are increasingly leveraging residential proxies to bypass IP-based detection tools. The malware has been linked to various high-profile cybercriminal groups, including the notorious Black Basta ransomware group, which has used GhostSocks to maintain long-term access to victim networks.
The rise of GhostSocks is particularly alarming because it serves multiple criminal purposes. It not only routes attacker traffic but also includes a backdoor component, enabling operators to execute arbitrary commands and deploy additional malicious payloads. This multifaceted capability makes it a powerful tool for attackers, enhancing their ability to infiltrate and exploit networks.
Signs of Infection
Detecting GhostSocks can be challenging due to its design, which emphasizes evasion. The malware wraps its SOCKS5 tunnels in Transport Layer Security (TLS) encryption, allowing its traffic to blend in with normal encrypted network communications. This makes it difficult for traditional signature-based tools to identify malicious behavior based solely on traffic patterns.
In December 2025, Darktrace analysts documented a significant incident involving GhostSocks. The first warning sign was a device connecting to an endpoint using a suspicious self-signed SSL certificate. This endpoint was flagged by multiple OSINT sources as part of Lumma Stealer's C2 infrastructure, indicating a potential link between the two malware families. Following this, the device downloaded several malicious payloads, confirming the presence of GhostSocks.
How to Protect Yourself
To defend against GhostSocks, security teams should closely monitor connections to rare external endpoints using self-signed SSL certificates. This proactive approach can help in early detection of the malware. Additionally, enabling automated response capabilities is crucial, as manual confirmation modes can delay containment efforts.
Keeping indicators of compromise up to date, including file hashes and known hostnames associated with GhostSocks, is essential. Enforcing strict outbound traffic controls can also limit the malware's ability to establish sustained C2 communications. As cybercriminals continue to adapt and evolve their tactics, vigilance and proactive measures are key to mitigating the risks associated with GhostSocks.