A newly emerging malware known as GhostSocks is quietly reshaping how attackers evade detection by converting compromised systems into residential proxy nodes.
Modern cyberattacks rely heavily on blending into normal network traffic. Residential proxies allow attackers to route malicious activity through legitimate home IP addresses, making it appear as if traffic originates from ordinary users rather than suspicious infrastructure.
This approach helps bypass traditional IP-based detection systems, geographic restrictions, and anomaly detection tools.
Security researchers at Darktrace have observed a steady rise in GhostSocks use, particularly alongside Lumma Stealer, highlighting a broader shift toward stealth-driven attack infrastructure and long-term persistence.
As a result, residential proxy services have become essential not only for cybercriminal groups but also for more advanced, state-linked threat actors. GhostSocks has emerged as a key enabler in this space by turning infected devices into part of this proxy ecosystem.
What Is GhostSocks?
GhostSocks first appeared on the Russian-language underground forum xss[.] as a Malware-as-a-Service (MaaS) offering. It lets attackers hijack victim devices and use their internet bandwidth to relay malicious traffic.
Written in Go, the malware runs a SOCKS5 proxy on infected systems. It uses a relay-based command-and-control (C2) architecture, in which an intermediary server sits between the attacker and the compromised device, so the victim only ever talks to the relay rather than to the operator's own infrastructure.
Its adoption surged in 2024 after its integration with Lumma Stealer, a widely used information-stealing malware. This partnership significantly expanded GhostSocks’ reach and operational use.
Darktrace’s Cyber AI Analyst correlated the observed events into a single attack chain, linking the initial suspicious connections, the malware downloads, and the subsequent beaconing activity.

GhostSocks is designed for stealth. It wraps its SOCKS5 communications in TLS encryption, allowing malicious traffic to blend in with legitimate encrypted network activity.
Earlier variants lacked persistence, but newer versions use registry Run keys to maintain access after system reboots.
Beyond proxying, GhostSocks also functions as a backdoor, enabling attackers to execute commands and deploy additional payloads.
This capability has attracted ransomware groups such as Black Basta, which have reportedly used GhostSocks to maintain long-term access within compromised networks.
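The Run-key persistence described above is cheap to hunt for. The following is an added example (not code from the article, Darktrace, or GhostSocks itself) that scores registry-set events for the two things a defender usually cares about: a Run or RunOnce value pointing into a user-writable directory, and a Run value that launches through a living-off-the-land binary. The event shape (registry path, value written) is an assumption loosely modelled on Sysmon Event ID 13, and all events, paths and value names are constructed for illustration; the article does not give GhostSocks' actual key or value name.

```python
"""
Added example: flag suspicious Run/RunOnce registry values from
constructed registry-set events. Not GhostSocks', Darktrace's or the
article's code; event shape and sample paths are assumptions.
"""
import re

# Run and RunOnce keys under HKLM or any HKU hive.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Directories an unprivileged user (or a stealer running as one) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# Proxy launchers commonly used to hide the real payload behind a signed binary.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed events: (registry target written, value data). The file name
# Renewable.exe is taken from the article; the path around it is invented.
SAMPLE_EVENTS = [
    (r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\alice\AppData\Local\Temp\Renewable.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     r'"C:\Program Files\Vendor\Agent.exe" --tray'),
    (r"HKU\S-1-5-21-222\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     r"rundll32.exe C:\Users\bob\AppData\Roaming\x.dll,Start"),
    (r"HKU\S-1-5-21-222\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     r"1"),
]


def first_executable(value):
    """Return the program path from a Run value, quoted or not, dropping args."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def suspicious_run_values(events):
    """Return findings for Run/RunOnce writes that look like malware persistence."""
    findings = []
    for target, value in events:
        if not RUN_KEY_RE.search(target):
            continue  # not a Run key; ignore other registry noise
        exe = first_executable(value)
        reasons = []
        # Check the whole value, so a DLL argument in AppData is caught too.
        if USER_WRITABLE_RE.search(value):
            reasons.append("user-writable path")
        if exe.lower().split("\\")[-1] in LOLBINS:
            reasons.append("lolbin launcher")
        if reasons:
            findings.append({"key": target, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_values(SAMPLE_EVENTS):
        print(f["key"], "->", f["exe"], f["reasons"])
```

In a real deployment the event feed would come from Sysmon, EDR telemetry or a scheduled registry snapshot; the scoring logic does not change. A signed vendor agent under Program Files is not flagged, while a binary dropped into Temp or a DLL loaded through rundll32 from AppData is.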
Darktrace Detection Insights
Darktrace identified increasing GhostSocks activity across multiple environments starting in late 2025.
In one December 2025 incident involving an educational institution, the attack began with a device connecting to a suspicious endpoint (159.89.46[.]92, retreaw[.]click) linked to Lumma Stealer infrastructure.
Within minutes, the device downloaded an unusual executable named “Renewable.exe” from 86.54.24[.]29. The file was later confirmed by multiple intelligence sources as associated with GhostSocks.
Although Darktrace’s Autonomous Response system flagged the activity and recommended blocking the connection, the mitigation required manual approval, and the resulting delay allowed the attack to progress.

Over the following days, the compromised device downloaded additional payloads from domains such as www.lbfs[.]site and a malicious CloudFront URL.
These downloads included multiple suspicious executables, indicating broader payload deployment beyond the initial infection.
Soon after, the device began making repeated outbound connections to rare external endpoints, behavior consistent with early-stage C2 beaconing.
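The beaconing behaviour described above, repeated connections from one host to an endpoint that almost nothing else in the environment talks to, can be surfaced from ordinary flow or proxy logs. The block below is an added example (not Darktrace's or the article's code) of a simple two-part heuristic: first find destinations that are rare across the estate, then test whether a host's connections to them are evenly spaced. The log format, host names and IP addresses are constructed for illustration (the addresses are RFC 5737 documentation ranges, not the article's indicators), and the thresholds are assumptions to tune per environment.

```python
"""
Added example: rare-destination plus periodicity heuristic for early-stage
C2 beaconing over constructed connection logs. Not Darktrace's or the
article's code; log format, hosts, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "<ISO timestamp> <internal host> <dst ip:port>".
# host-a contacts 192.0.2.10 every ~5 minutes; 198.51.100.5 is a shared
# destination seen from several hosts; 203.0.113.7 is rare but not periodic.
SAMPLE_LOG = """\
2025-12-02T09:00:00 host-a 192.0.2.10:443
2025-12-02T09:05:02 host-a 192.0.2.10:443
2025-12-02T09:09:58 host-a 192.0.2.10:443
2025-12-02T09:15:01 host-a 192.0.2.10:443
2025-12-02T09:20:00 host-a 192.0.2.10:443
2025-12-02T09:00:10 host-a 198.51.100.5:443
2025-12-02T09:03:40 host-b 198.51.100.5:443
2025-12-02T09:31:12 host-c 198.51.100.5:443
2025-12-02T09:47:00 host-a 198.51.100.5:443
2025-12-02T10:10:33 host-d 198.51.100.5:443
2025-12-02T09:02:00 host-b 203.0.113.7:8080
2025-12-02T09:30:00 host-b 203.0.113.7:8080
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, host, destination) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst))
    return flows


def rare_destinations(flows, max_hosts=1):
    """Destinations contacted by at most max_hosts distinct internal hosts."""
    hosts_per_dst = defaultdict(set)
    for _, host, dst in flows:
        hosts_per_dst[dst].add(host)
    return {dst for dst, hosts in hosts_per_dst.items() if len(hosts) <= max_hosts}


def beacon_score(timestamps):
    """Return (coefficient of variation, mean gap) of inter-connection gaps.

    A CV near 0 means the connections are evenly spaced, even if the absolute
    interval is unknown. None if there are too few gaps to judge.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg, avg


def find_beacons(flows, min_connections=4, max_cv=0.2, max_hosts=1):
    """Flag (host, rare destination) pairs with enough regular connections."""
    rare = rare_destinations(flows, max_hosts)
    per_pair = defaultdict(list)
    for ts, host, dst in flows:
        if dst in rare:
            per_pair[(host, dst)].append(ts)
    hits = []
    for (host, dst), times in per_pair.items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score and score[0] <= max_cv:
            hits.append({"host": host, "dst": dst, "count": len(times),
                         "interval_s": round(score[1]),
                         "jitter_cv": round(score[0], 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed data only host-a's five-minute cadence to 192.0.2.10 is reported: the shared endpoint is excluded by the rarity filter, and host-b's two connections to 203.0.113.7 are too few to judge. Malware that randomises its sleep interval raises the CV, which is why the threshold is a tunable rather than a constant; pairing this with the executable-download and rare-domain signals the article describes is what turns a weak heuristic into a usable alert.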
By analyzing these patterns in real time, Darktrace’s Cyber AI Analyst provided a comprehensive view of the compromise, enabling faster investigation and response.
GhostSocks’ continued use alongside Lumma Stealer shows that even when parts of attacker infrastructure are disrupted, threat actors can quickly rebuild and adapt.
The platform also recommended enforcing a “pattern of life” model to restrict the device’s behavior to normal activity, helping contain the threat without fully disrupting operations.
GhostSocks demonstrates how attackers are maximizing the value of compromised systems. By turning victims into residential proxy nodes, they gain anonymity, persistence, and a scalable infrastructure for future attacks.
As residential proxy abuse grows, organizations will need more proactive, AI-driven defenses to detect subtle behavioral anomalies rather than relying solely on traditional indicators.

