{
	"id": "a8b3cbf6-d20a-4a88-8b9f-742d73761b20",
	"created_at": "2026-04-06T00:14:49.855075Z",
	"updated_at": "2026-04-10T13:13:07.361942Z",
	"deleted_at": null,
	"sha1_hash": "4663949ea7080694560c0ed4b8c72183d5ed0c40",
	"title": "GhostSocks: From Initial Access to Residential Proxy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5862013,
	"plain_text": "GhostSocks: From Initial Access to Residential Proxy\r\nBy Synthient Research\r\nPublished: 2025-09-30 · Archived: 2026-04-02 10:52:13 UTC\r\nOverview\r\nOn October 15th, 2023, a threat actor going by the handle GhostSocks made a sales post on the Russian cybercrime forum xss[.]is selling GhostSocks. The thread detailed a new Malware-as-a-Service (MaaS) offering that enables threat actors to convert compromised devices into residential proxies. The post then promoted the service's ability to bypass anti-fraud mechanisms, allowing threat actors to capitalize on the victim's machine.\r\nFig 1. GhostSocks Sales Thread\r\nTranslation:\r\nhttps://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy\r\nPage 1 of 10\r\nFig 1.1 GhostSocks Sales Thread\r\nFurther posts showcased the panel, highlighting its ability to create builds and manage proxies. In addition to posts showcasing the product, the thread consisted of weekly developer updates and customer reviews.\r\nFig 2. A look into GhostSocks Panel\r\nGhostSocks saw a wide range of usage, from ransomware gangs to low-level cybercrime, as supported by the BlackBasta chat logs leaked in February 2025. The chat logs highlighted the ransomware gang's interest in maintaining long-term network access, with discussion of using GhostSocks in combination with Lumma Stealer.\r\nFig 3. Leaked BlackBasta chat logs and their discussion of GhostSocks\r\nGhostSocks would largely not see widespread adoption until February 2024, after an announced partnership with LummaStealer. In this partnership, Lumma clients could install GhostSocks and steal user data, allowing them to further monetize the compromised device even post infection.\r\nFig 4. Partnership posts from both ends, source: https://x.com/g0njxa/status/1754630820650696875\r\nGhostSocks continues to see ongoing activity even with Law Enforcement's disruption of LummaStealer.\r\nAnalysis\r\nGhostSocks provides clients with the ability to build a 32-bit DLL or executable. Both binaries are written in Golang, with GhostSocks leveraging the open-source garble project to obfuscate strings and symbols. These strings are decrypted at runtime by calling a decrypt routine before use.\r\nFig 5. GhostSocks executable\r\nGhostSocks notably does not implement a persistence mechanism; it only handles the SOCKS5 functionality.\r\nFig 6. Runtime execution loop\r\nOn execution, GhostSocks uses the mutex “start to run” to prevent multiple instances from being spawned.\r\nFig 7. GhostSocks mutex, preventing multiple instances\r\nPart of the startup process involves locating and decrypting its relay servers. GhostSocks will attempt to locate a configuration file in %TEMP%.\r\nFig 8. GhostSocks attempting to locate its dynamic configuration file\r\nIf the configuration file cannot be found, it falls back to a hardcoded config.\r\nFig 9. GhostSocks fallback to hardcoded configuration\r\nFig 9.1 GhostSocks fallback to hardcoded configuration\r\nUpon decryption, we are returned the following C2 URLs.\r\nFig 9.2 Decrypted GhostSocks config (URLs defanged)\r\nGhostSocks iterates over the servers until a successful connection is established, at which point it provisions the SOCKS5 proxy.\r\nFig 10. GhostSocks relay resolver loop\r\nAt this point, GhostSocks randomly generates a password and username, which are sent to the C2 server, configuring it for usage.\r\nhttp://46[.]8[.]232[.]106:30001/api/helper-first-register?buildVersion=0pTk.PWh2DyJ\u0026md5=\u0026proxyPassword=\u0026proxyUsername=\u0026userId=\r\nFig 11. GhostSocks URL parameters and significance\r\nAssuming the build URL succeeds, GhostSocks decrypts and passes an additional x-api-key header with the request.\r\nFig 12. GhostSocks preparing the HTTP request with parameters and headers\r\nFig 13. GhostSocks registration HTTP request\r\nOnce a server returns a 200 status code, indicating that our client has been successfully initialized, GhostSocks spawns a SOCKS5 connection using the open-source go-socks5 and yamux libraries.\r\nFig 14. GhostSocks system design\r\nFuture Outlook\r\nGhostSocks shows no signs of halting development. The operators continue to maintain their platform, malware, and support channels. Even with Law Enforcement's seizure of XSS and LummaStealer infrastructure, GhostSocks has shown no signs of shutting down. GhostSocks, however, does appear to have reduced their online presence, as they are no longer active on the new XSS forum. Synthient is unable to assess the motivation for this decision.\r\nMitigation Strategies\r\nPersonal\r\nDon't install untrusted executables: GhostSocks relies on other malware for initial access and persistence.\r\nOrganizations\r\nBlock GhostSocks relay servers: GhostSocks uses a constant pool of unique relay servers to establish the SOCKS5 back-connect. Blocking and monitoring for connections to these outbound servers can entirely block GhostSocks.\r\nAggressive monitoring of SOCKS5 traffic: GhostSocks and other malware families favor SOCKS5 due to its versatility. Monitoring for the usage of this protocol can reduce future risks.\r\nDon't unquestioningly trust the IP address: Threat actors take advantage of overconfident security policies by using victim machines for fraudulent traffic. Just because the IP address is a residential IP address does not mean it's safe.\r\nObservables\r\nNetwork and file observables can be found here.\r\nYara Rules\r\nYara rules can be found here.\r\nConclusion\r\nGhostSocks is nothing novel; however, its growing popularity highlights a concerning behavior among threat actors: double victimization. GhostSocks and other proxy malware allow for long-term network access by being spread through an initial infection. These compromised devices are often listed on SocksShops, where customers can buy access for as low as $0.50 per day.\r\nSource: https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy"
	],
	"report_names": [
		"ghostsocks-from-initial-access-to-residential-proxy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4663949ea7080694560c0ed4b8c72183d5ed0c40.pdf",
		"text": "https://archive.orkl.eu/4663949ea7080694560c0ed4b8c72183d5ed0c40.txt",
		"img": "https://archive.orkl.eu/4663949ea7080694560c0ed4b8c72183d5ed0c40.jpg"
	}
}