JFrog’s security research team has identified a malicious PyPI package named SoopSocks that masquerades as a legitimate SOCKS5 proxy utility while stealthily implanting a backdoor on Windows systems.
This package leverages automated installation, advanced persistence techniques, and real-time network reconnaissance to establish a covert egress channel, putting organizational networks at significant risk.
While monitoring PyPI repositories for supply-chain threats, JFrog researchers flagged SoopSocks (XRAY-725599) due to its unusually broad privileges and the inclusion of an embedded Discord webhook URL.
Although advertised as a simple tool to spin up a SOCKS5 proxy and report server details to a webhook, deeper analysis revealed that SoopSocks functions as a weaponized backdoor proxy, enabling attackers to funnel traffic through compromised hosts.
Evolution of SoopSocks Versions
– v0.1.0–v0.1.2: Introduced a basic Python-based SOCKS5 server.
– v0.2.0–v0.2.4: Bundled _autorun.exe and Windows service support compiled from Go.
– v0.2.5–v0.2.6: Added legacy VBScript (_autorun.vbs) deployment mechanisms.
– v0.2.7: Consolidated to a single executable installer, streamlining the attack vector.
SoopSocks propagates through three primary methods:
1. _autorun.exe (Primary Vector)
A Go-compiled PE32+ executable that hides its window, sets the PowerShell execution policy to Bypass, suppresses errors, and executes scripts to install itself as “SoopSocksSvc” under C:\Program Files\socks5svc\socks5svc.exe. This service runs with SYSTEM privileges and opens TCP/UDP port 1080 via Windows Firewall rules.
2. _autorun.vbs (Legacy Vector)
Versions 0.2.5 and 0.2.6 use a VBScript that downloads a portable Python distribution, creates a PowerShell bootstrap script, elevates via UAC, and installs SoopSocks silently in %TEMP% before launching it.
3. Direct Python Module Installation
Users installing via pip install soopsocks pywin32 trigger built-in persistence: service installation, firewall rule configuration, and a scheduled task fallback.
Persistence and Privilege Escalation
SoopSocks ensures survival and stealth through:
- Windows Service: Runs automatically with SYSTEM privileges.
- Scheduled Task: “SoopSocksAuto” triggers on startup and logon if service installation fails.
- UAC Bypass: Automated PowerShell elevation to bypass policy restrictions.
- Firewall Rules: Automatic creation of inbound TCP/UDP rules on port 1080.
Once installed, SoopSocks not only relays arbitrary TCP and UDP traffic but also collects detailed network telemetry:
- LAN and Public IP Discovery via local route inspection and HTTP APIs.
- STUN Protocol usage for NAT traversal fingerprinting.
- Host Profiling, including Internet Explorer security settings and Windows install date.
Every 30 seconds, the package sends a JSON embed to the hardcoded Discord webhook, containing fields for hostname, local and public IP addresses, and connection type—providing attackers continuous insight into the network egress.
Technical Deep Dive
The Go executable mirrors the Python source code structure (main, socks5/internal/* modules) and relies on github.com/kardianos/service for Windows service management. Key components include:
- server.py / Go proxy module: Implements RFC 1928 CONNECT and UDP ASSOCIATE commands without authentication.
- cli.py / Orchestration scripts: Manages firewall rules, service installation, and scheduled tasks.
- discord.py / C2 module: Formats and dispatches network telemetry to Discord.
- egress.py / Recon module: Aggregates IP and NAT data.
- firewall.py: Automates rule creation via PowerShell or netsh.
Mitigations
Organizations should audit Python dependencies for unexpected webhook URLs or privileged operations. Enforce strict allowlisting on code repositories, apply least privilege to service installs, and monitor outbound connections to Discord and uncommon hostnames.
Disabling automatic Python module installs via VBScript and restricting PowerShell execution policies can further reduce attack surface.
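As an added, defender-side example (not part of JFrog's report or of the package's own code), the following Python script implements the dependency audit suggested above: it walks an unpacked package tree and flags Discord webhook URLs, bundled executables or VBScripts, and privileged operations (firewall, service and scheduled-task commands, execution-policy bypass). The indicator patterns and the sample package tree are constructed assumptions for illustration, not JFrog's XRAY detection logic.

```python
import re
import tempfile
from pathlib import Path

# Illustrative indicator patterns for the behaviours the article describes (an assumption, not JFrog's XRAY logic).
INDICATORS = {
    "discord_webhook": re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\S+"),
    "exec_policy_bypass": re.compile(r"ExecutionPolicy\s+Bypass", re.I),
    "firewall_rule": re.compile(r"netsh\s+advfirewall|New-NetFirewallRule", re.I),
    "scheduled_task": re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I),
    "service_install": re.compile(r"win32serviceutil|\bsc(?:\.exe)?\s+create\b|New-Service", re.I),
}
BUNDLED_BINARY = re.compile(r"\.(?:exe|vbs|dll)$", re.I)  # native/script payloads inside a pure-Python package

def scan_text(text: str) -> set[str]:
    """Return the names of every indicator that matches a source file's text."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}

def scan_package_dir(root: Path) -> dict[str, set[str]]:
    """Walk an unpacked package; map each suspicious file (relative POSIX path) to its hits."""
    findings: dict[str, set[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = {"bundled_binary"} if BUNDLED_BINARY.search(path.name) else set()
        if path.suffix.lower() in {".py", ".ps1", ".vbs", ".txt", ".cfg", ".toml"}:
            hits |= scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_package(root: Path) -> None:
    """Write a constructed (fake) package tree mimicking the module layout the article lists."""
    pkg = root / "soopsocks"
    pkg.mkdir()
    (pkg / "server.py").write_text("def serve(host='0.0.0.0', port=1080):\n    pass\n")  # clean: no hit
    (pkg / "discord.py").write_text('WEBHOOK = "https://discord.com/api/webhooks/000/PLACEHOLDER-TOKEN"\n')
    (pkg / "firewall.py").write_text('RULE = "netsh advfirewall firewall add rule ..."\n')
    (pkg / "cli.py").write_text("import win32serviceutil\nTASK = 'schtasks /create /tn SoopSocksAuto'\n")
    (pkg / "_autorun.exe").write_bytes(b"MZ" + b"\x00" * 16)  # constructed stub, not a real PE

def demo() -> dict[str, set[str]]:
    """Build the sample tree in a temp dir and scan it; returns the findings map."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(Path(tmp))
        return scan_package_dir(Path(tmp))

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(sorted(hits))}")
```

Point scan_package_dir at a directory produced by pip download plus unpacking (or at site-packages) to review real dependencies; a hit is a prompt for manual review, not proof of malice.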
SoopSocks exemplifies how open-source packages can be weaponized against Windows environments, underscoring the critical need for continuous supply-chain vigilance and runtime monitoring of proxy deployments.