GhostSocks - Partner In Proxy

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is primarily deployed alongside the LummaC2 information stealer and offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with an HTTP API, allowing attackers to route traffic through infected systems. The malware's integration with Lumma, including automatic provisioning and discounted pricing, enhances post-infection capabilities for credential abuse and anti-fraud bypass. GhostSocks also contains additional backdoor functionality, such as arbitrary command execution and credential modification. Its C2 infrastructure largely operates on VDSina (AS216071), a Russian-speaking server provider. The malware exemplifies the commodification of SOCKS5 backconnect malware in the criminal ecosystem, posing a significant threat to financial institutions and high-value targets.

OPENCTI LABELS :

golang, lummac2, malware-as-a-service, c2 infrastructure, socks5, ghostsocks, credential abuse, anti-fraud bypass, backconnect proxy, vdsina

