GhostSocks Malware Can Slip Past Detection Systems

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI  have issued a joint cyber security advisory on the growing threat of Ghost ransomware.  

A variation of this strain of malware called GhostSocks is using SOCKS5 to bypass anti-fraud mechanisms and geographic restrictions.

First detected in 2021, this ransomware group has targeted organisations in over 70 countries, exploiting unpatched software, weak credentials, and outdated security configurations to infiltrate enterprise networks.

GhostSocks operates as a Malware-as-a-Service model, distributed alongside the LummaC2 infostealer. The new variant malware, first advertised on Russian-language forums in October 2023, has recently expanded to include English-speaking cyber criminals, offering attackers a  sophisticated method to monetise compromised systems through credential abuse and residential proxy networks.

The malware’s connection with Lumma allows automatic provisioning to infected systems, creating a symbiotic relationship that enhances post-exploitation capabilities. For a licencing fee of $150 in Bitcoin, threat actors gain access to customisable builds of GhostSocks, which include obfuscation techniques such as the Garble which are designed to frustraye analysis.

The malware’s primary function is establishing SOCKS5 back-connect proxies, enabling attackers to route traffic through compromised devices. This method masks the origin of malicious activities, allowing attackers to circumvent IP-based security controls employed by financial institutions and other high-value targets.

GhostSocks employs a relay-based command-and-control (C2) infrastructure, utilising Tier 1 and Tier 2 servers to obscure communication. Attackers can exploit these tunnels to route traffic through victims’ IP addresses, bypassing geolocation filters. Researchers at security firm Infrawatch have identified critical C2 infrastructure hosted on VDSina (AS216071), a UAE-based provider known for hosting commercial VPNs and proxy services.

Ghost actors began attacking victims whose Internet facing services ran outdated versions of software and firmware since 2021. This widespread targeting of networks containing vulnerabilities has led to the compromise of organisations internationally, including organisations in China. 

Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small and medium sized businesses.

CISA   |   Cybersecurity News   |   GBHackers   |    Malpedia   |   JDSupra   |   DFIR Report

Image: Unsplash

You Might Also Read: 

Remote Deletion Of Malware Enforced On Thousands Of Computers:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Getting Ready To Stop Ransomware Attacks
Australian Government Bans Kaspersky »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Sonatype

Sonatype

Sonatype protects the world's enterprise software from security, compliance, licensing risks, while reducing application development and deployment time.

Core Security

Core Security

Core Security provides threat-aware identity, access, authentication and vulnerability management solutions.

FRSecure

FRSecure

FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction.

Secure Code Warrior

Secure Code Warrior

Secure your code from the start with gamified, scalable online secure coding training for software developers.

ArcusTeam

ArcusTeam

ArcusTeam is at the forefront of the firmware and applications security industry, with a mission to increase the level of security on all IoT devices and applications.

Radically Open Security

Radically Open Security

Radically Open Security is the world's first not-for-profit computer security consultancy company.

Rezilion

Rezilion

Rezilion is a stealth mode cyber-security start-up developing a cutting edge technology that makes cloud environments self-protecting and resilient to cyber-attacks.

Stratus Cyber

Stratus Cyber

Stratus Cyber is a premier Cyber Security company specializing in Managed Security Services. Our services include Blockchain Security, Pentesting, and Compliance Assessments.

Crosspring

Crosspring

Crosspring is an incubator/accelerator for people who have the ambition to start a successful business or want to extend their existing business in the areas of FinTech, AR, VR, Cybersecurity and SaaS

Conatix

Conatix

Conatix was formed to apply recent advances in AI and other fields of technology to insider fraud, one of the most intractable problems in cybersecurity.

Cutting Edge Technologies (CE Tech)

Cutting Edge Technologies (CE Tech)

CE Tech is a Next Generation Technology Partner providing advanced technology infrastructure solutions through partnerships with leading technology providers.

Aware

Aware

Aware is the only comprehensive AI solution for governance, risk, compliance and insights for leading collaboration platforms.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

Route1

Route1

Route1 is an advanced provider of secure data intelligence solutions to drive your business forward.

Software Improvement Group (SIG)

Software Improvement Group (SIG)

Software Improvement Group helps business and technology leaders drive their organizational objectives by fundamentally improving the health and security of their software applications.

CESAR

CESAR

CESAR is one of the premier R+D and innovation centers in Brazil and a designated Cybersecurity Competence Center.