{
	"id": "0678c730-a13a-462e-b46c-5b446a87b2cd",
	"created_at": "2026-04-06T00:08:58.973756Z",
	"updated_at": "2026-04-10T03:20:17.431099Z",
	"deleted_at": null,
	"sha1_hash": "b2fccb782e423b215594669a769c59002d9ab109",
	"title": "GhostSocks - Lumma's Partner In Proxy - Codexa – Premium Developer Automation Template",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173408,
	"plain_text": "GhostSocks - Lumma's Partner In Proxy\r\nPublished: 2026-02-01 · Archived: 2026-04-05 15:32:18 UTC\r\nIntroduction\r\nGhostSocks, a Golang-based SOCKS5 backconnect proxy malware, was first identified in October 2023 when it was advertised on a Russian-language criminal forum, and supports Microsoft Windows alongside Linux. Its distribution expanded to English-speaking criminal forums in July 2024 in posts under the moniker \"GhostSocks\". Primarily deployed alongside the LummaC2 (Lumma) information stealer, GhostSocks is offered as a Malware-as-a-Service (MaaS), providing threat actors with an easily accessible tool to further monetise compromised systems.\r\nThe integration of GhostSocks with Lumma, facilitated by features like automatic provisioning and discounted pricing for Lumma users, highlights a deliberate effort to enhance post-infection capabilities, enabling heightened credential abuse and improving the likelihood of bypassing anti-fraud mechanisms.\r\nThis analysis delves into the workings of GhostSocks, exploring its close relationship with Lumma, its technical implementation, and its operational mechanisms.\r\nLumma \u0026 GhostSocks - A Match Made In Moscow?\r\nGhostSocks likely maintains a close direct relationship with Lumma's developer:\r\n- On February 6, 2024, a partnership was announced via Telegram, introducing a new feature within the Lumma administration panel that enables the automatic provisioning of GhostSocks to Lumma infections.\r\n- On July 22, 2024, the operator behind GhostSocks advertised the malware on a well-known English-speaking criminal forum, offering a substantial discount to customers already holding a Lumma license, further reinforcing its integration within the Lumma ecosystem.\r\nFurthermore, the malware employs two techniques that share similarities with Lumma: an anti-sandboxing methodology utilising the GetCursorPos API and a protection mechanism to prevent non-crypted builds from executing.\r\nAny user can also sign up for GhostSocks independently, pay a fee of $150 in Bitcoin, and build the malware themselves; this follows the Malware-as-a-Service (MaaS) model. The GhostSocks panel login can be observed below in Figure 1.\r\nhttps://infrawatch.app/blog/ghostsocks-lummas-partner-in-proxy\r\nPage 1 of 5\r\nFigure 1 - GhostSocks MaaS Login Panel\r\nWhy?\r\nThe addition of a SOCKS5 backconnect feature to existing Lumma infections, or any malware for that matter, is highly lucrative for threat actors. By leveraging victims' internet connections, attackers can bypass geographic restrictions and IP-based integrity checks, particularly those enforced by financial institutions and other high-value targets. This capability significantly increases the probability of success for unauthorized access attempts using credentials harvested via infostealer logs, further enhancing the post-exploitation value of Lumma infections.\r\nGhostSocks Malware\r\nThis analysis focuses on a GhostSocks sample observed on 15 February 2025 with the SHA-256 hash c92b21bdb91fe4c0590212e650212528a1f608a2ea086ce5eb5ac6d05edc41f7.\r\nThe above-mentioned GhostSocks sample is heavily obfuscated at points, likely making use of the popular open-source Go obfuscator Garble, along with some features from Gofuscator such as inline XOR-based string deobfuscation.\r\nUpon initialisation, GhostSocks builds an embedded configuration structure comprised of hardcoded data and dynamically-calculated values. It is likely the hardcoded data changes on a per-build basis to distinguish between different users of the MaaS:\r\nFigure 2 - JSON configuration format\r\nThe configuration is then encoded into a JSON object, obfuscated, and written to %APPDATA%\\config. A C2 IP and port are then deobfuscated and stored for later use in the C2 communication stage, in this instance: 46.8.232[.]106:3000.\r\nInitial Beacon\r\nGhostSocks uses a fairly simple relay-based C2 implementation built on a simple HTTP API, in which an intermediary server sits between the real C2 and the victim. Most of the Tier 2 relays observed by Infrawatch communicate over port 3001.\r\nUpon a victim first connecting to the C2, GhostSocks builds the HTTP GET query parameters derived from the configuration and an X-Api-Key header required for all requests to the C2.\r\nSurprisingly, the \"authentication\" is simply a pseudo-random alphanumeric string with a length of 8 (e.g. Fm2qKy29, matching ^[A-Za-z0-9]{8}$) and is not derived from any value within the malware's configuration. The URI, to the endpoint /api/helper-first-register, consists of values from the configuration. The full URI can be observed below in Figure 3.\r\nFigure 3 - Example initial beacon HTTP URI\r\nIf the X-Api-Key is not present, the C2 responds with the HTTP body: Forbidden: Invalid API Key. A normal beacon response from the C2 can be observed below in Figure 4:\r\nFigure 4 - GhostSocks initial beacon response\r\nAs can be observed above, an IP and port pair exists: a Tier 1 node in which the SOCKS5 back-connect takes place. Over the period of this analysis, Infrawatch managed to identify three different unique back-connect hosts being used by GhostSocks:\r\nFigure 5 - SOCKS5 Backconnect hosts\r\nThe port used in the backconnect hosts is possibly assigned based on the affiliate, as these are shared among all GhostSocks customers. However, this cannot be confirmed at the time of writing.\r\nA TCP connection is then established with the returned IP and port pair, and a SOCKS5 backconnect tunnel is set up using the credentials from the configuration.\r\nAdditional C2s were discovered by Infrawatch over a 2-month period, which can be observed in Figure 6.\r\nFigure 6 - Additional GhostSocks C2s \u0026 Backconnect Hosts\r\nThe majority of the C2s and backconnect hosts used by GhostSocks sit on VDSina (AS216071); note that Russian-speaking server providers use Virtual Dedicated Server (VDS) in place of Virtual Private Server (VPS). VDSina is officially registered as Servers Tech Fzco, a company registered in the United Arab Emirates. AS216071 is also home to several commercial VPNs such as VydraVPN, VPNSurf, PabloVPN and more.\r\nAdditional Backdoor Functionality\r\nGhostSocks also contains additional backdoor functionality, beyond the primary SOCKS5 backconnect proxy capability. Some of the additional functionality, along with its internal name and command ID, includes:\r\n1. Arbitrary Command Execution (shell, ID: 5)\r\n   - Executes arbitrary commands sent by the C2: cmd.exe /C \u003ccommand\u003e\r\n2. Modification Of SOCKS5 Credentials (ID: 4)\r\n   - Adds or removes SOCKS5 backconnect credentials for the bot; the credentials are parsed from a string with the delimiter \":\"\r\n3. Download \u0026 Execute Arbitrary Executables (update, ID: 6)\r\n   - Downloads an arbitrary executable and executes it using the same code as the shell command, with the file path as the parameter\r\nWhat is SOCKS5 Backconnect?\r\nSOCKS5 is a proxy protocol that facilitates the routing of network traffic through an intermediary server. In a backconnect setup, instead of a client connecting directly to a proxy server, the proxy server (in this case, the infected machine) initiates the connection to the attacker-controlled infrastructure. This allows threat actors to use the compromised system as a relay, effectively masking their true origin while interacting with external services.\r\nHow GhostSocks Uses It\r\n1. C2 Response – The malware queries its C2, which returns a Tier 1 relay IP and port.\r\n2. Connection Establishment – GhostSocks initiates a TCP connection to this Tier 1 node.\r\n3. SOCKS5 Tunnel Creation – The malware sets up a SOCKS5 proxy tunnel, allowing attackers to route their traffic through the infected system.\r\n4. Credential Abuse \u0026 Evasion – By leveraging this connection, threat actors can interact with online services using the victim's IP address, bypassing geolocation restrictions, fraud detection mechanisms, and IP-based security controls (commonly used by financial institutions).\r\nSignaturing GhostSocks' C2s\r\nInfrawatch provides IP-level attribution for residential proxies and VPNs, covering over 400 commercial services. Additionally, we track over 130 distinct malware families. Integrating GhostSocks C2 tracking was a straightforward task for our Research Team, enabling customers to proactively block C2 infrastructure in anticipation of potential malicious activity on their network.\r\nAs mentioned before, most of the Tier 2 servers use the port 30001, and requests omitting the X-Api-Key HTTP header result in an error message. Upon inspection of other C2s, the response headers are consistent, which yields a hash of: 86362ac6d972b1b55f1f434811d014316196f0e193878d8270dae939efb25908\r\nUsing Infrawatch's YARA signature detection capabilities, we can craft a rule to track the C2s in our internet-wide scans of this port:\r\nConclusion\r\nGhostSocks exemplifies the continued commodification of SOCKS5 backconnect malware within the criminal ecosystem. While backconnect proxies are not a new technique, GhostSocks' seamless integration with LummaStealer and its availability through a Malware-as-a-Service (MaaS) model make it the obvious choice for a threat actor to use in a bid to monetise their victims to the maximum.\r\nBy leveraging C2 behavioural indicators, such as consistent X-Api-Key error responses, defenders can more effectively track and prevent GhostSocks C2 infrastructure from posing a threat within their estate.\r\nIn addition to tracking malicious infrastructure, we also provide real-time, attributed intelligence on legitimate residential proxy and VPN providers.\r\nIOCs\r\n30/08/25: this article has been edited to provide sources for the intelligence surrounding LummaC2\r\nSource: https://infrawatch.app/blog/ghostsocks-lummas-partner-in-proxy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://infrawatch.app/blog/ghostsocks-lummas-partner-in-proxy"
	],
	"report_names": [
		"ghostsocks-lummas-partner-in-proxy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434138,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2fccb782e423b215594669a769c59002d9ab109.pdf",
		"text": "https://archive.orkl.eu/b2fccb782e423b215594669a769c59002d9ab109.txt",
		"img": "https://archive.orkl.eu/b2fccb782e423b215594669a769c59002d9ab109.jpg"
	}
}