win.ghostsocks

GhostSocks


GhostSocks is a Golang-based proxy malware that was first advertised as a Malware-as-a-Service (MaaS) offering on Russian-speaking underground forums in October 2023. It uses back-connect SOCKS5 (Socket Secure version 5) connections and is available for rent for US $100 per month. In February 2024, the author of Lumma Stealer released an update that integrated proxying capabilities. This feature, developed in partnership with GhostSocks, allows infected hosts to be used as SOCKS5 proxies and is available to all subscribers on the "Professional" tier or higher. Through this integration, Lumma Stealer customers can build a network of residential IP addresses for purposes such as credential checking, spam distribution, or general-purpose proxying.

References

2026-04-03 | Trend Micro | Jacob Santos, Jeffrey Francis Bonaobra, Sophia Nilette Robles
  Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
  Families: GhostSocks, Vidar

2026-04-01 | Zscaler | Avinash Kumar, Jithin Prajeev Nair, Mallikarjun Piddannavar, Manisha Ramcharan Prajapati
  Anthropic Claude Code Leak
  Families: GhostSocks, Vidar

2026-03-26 | Darktrace | Isabel Evans
  Phantom Footprints: Tracking GhostSocks Malware
  Families: GhostSocks, Lumma Stealer

2026-03-04 | Huntress Labs | Jai Minton, Ryan Dowd
  "Malware, from the Outside!": How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers
  Families: GhostSocks, Vidar

2025-09-30 | Synthient | Synthient
  GhostSocks: From Initial Access to Residential Proxy
  Families: GhostSocks, Lumma Stealer

2025-03-25 | SpyCloud | James
  On the Hunt for Ghost(Socks)
  Families: GhostSocks

2025-02-20 | Infrawatch | Infrawatch Research Team
  GhostSocks - Lumma's Partner In Proxy
  Families: GhostSocks, Lumma Stealer

2025-01-27 | The DFIR Report | MittenSec, MyDFIR, r3nzsec
  Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
  Families: GhostSocks, LockBit, SystemBC

2024-12-19 | SpyCloud | James
  LummaC2 Revisited: What's Making this Stealer Stealthier and More Lethal
  Families: GhostSocks, Lumma Stealer

2024-12-10 | Zscaler | ThreatLabZ research team
  Inside Zloader's Latest Trick: DNS Tunneling
  Families: GhostSocks, Zloader

2024-08-12 | Rapid7 | Tyler McGraw
  Ongoing Social Engineering Campaign Refreshes Payloads
  Families: Black Basta, Cobalt Strike, GhostSocks, Lumma Stealer, SystemBC

2024-02-05 | @g0njxa
  Tweet Highlighting the Integration of GhostSocks Service into Lumma Stealer
  Families: GhostSocks
Yara Rules
[TLP:WHITE] win_ghostsocks_auto (20260504 | Detects win.ghostsocks.)
rule win_ghostsocks_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.ghostsocks."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostsocks"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb0b e8???????? 8b4c2434 890f 8908 8b4c241c 8b5130 }
            // n = 7, score = 200
            //   eb0b                 | jmp                 0xd
            //   e8????????           |                     
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   890f                 | mov                 dword ptr [edi], ecx
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   8b5130               | mov                 edx, dword ptr [ecx + 0x30]

        $sequence_1 = { e9???????? 89f1 e8???????? 89f9 89f2 e8???????? 89f8 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     
            //   89f9                 | mov                 ecx, edi
            //   89f2                 | mov                 edx, esi
            //   e8????????           |                     
            //   89f8                 | mov                 eax, edi

        $sequence_2 = { eb18 891c24 897c2404 e8???????? 8b6c2408 8b5c2414 8b7c241c }
            // n = 7, score = 200
            //   eb18                 | jmp                 0x1a
            //   891c24               | mov                 dword ptr [esp], ebx
            //   897c2404             | mov                 dword ptr [esp + 4], edi
            //   e8????????           |                     
            //   8b6c2408             | mov                 ebp, dword ptr [esp + 8]
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]

        $sequence_3 = { eb09 c644243c01 83c428 c3 89c8 89e9 e8???????? }
            // n = 7, score = 200
            //   eb09                 | jmp                 0xb
            //   c644243c01           | mov                 byte ptr [esp + 0x3c], 1
            //   83c428               | add                 esp, 0x28
            //   c3                   | ret                 
            //   89c8                 | mov                 eax, ecx
            //   89e9                 | mov                 ecx, ebp
            //   e8????????           |                     

        $sequence_4 = { e8???????? 890f 8b8424a8000000 8b5020 895704 894820 8b4808 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   890f                 | mov                 dword ptr [edi], ecx
            //   8b8424a8000000       | mov                 eax, dword ptr [esp + 0xa8]
            //   8b5020               | mov                 edx, dword ptr [eax + 0x20]
            //   895704               | mov                 dword ptr [edi + 4], edx
            //   894820               | mov                 dword ptr [eax + 0x20], ecx
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]

        $sequence_5 = { e8???????? ebb0 8b0d???????? 648b09 8b09 3b6108 0f8646020000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ebb0                 | jmp                 0xffffffb2
            //   8b0d????????         |                     
            //   648b09               | mov                 ecx, dword ptr fs:[ecx]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   3b6108               | cmp                 esp, dword ptr [ecx + 8]
            //   0f8646020000         | jbe                 0x24c

        $sequence_6 = { e8???????? 837c246803 75cf 8b4c2464 668139646e 75c4 80790273 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   837c246803           | cmp                 dword ptr [esp + 0x68], 3
            //   75cf                 | jne                 0xffffffd1
            //   8b4c2464             | mov                 ecx, dword ptr [esp + 0x64]
            //   668139646e           | cmp                 word ptr [ecx], 0x6e64
            //   75c4                 | jne                 0xffffffc6
            //   80790273             | cmp                 byte ptr [ecx + 2], 0x73

        $sequence_7 = { eb3a 894c2424 89442444 891424 894c2404 89742408 894c240c }
            // n = 7, score = 200
            //   eb3a                 | jmp                 0x3c
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   891424               | mov                 dword ptr [esp], edx
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   89742408             | mov                 dword ptr [esp + 8], esi
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx

        $sequence_8 = { f20f114c242c 83c414 c3 8b44241c f30f1000 f30f104804 f30f5ac0 }
            // n = 7, score = 200
            //   f20f114c242c         | movsd               qword ptr [esp + 0x2c], xmm1
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   f30f1000             | movss               xmm0, dword ptr [eax]
            //   f30f104804           | movss               xmm1, dword ptr [eax + 4]
            //   f30f5ac0             | cvtss2sd            xmm0, xmm0

        $sequence_9 = { e9???????? 0fb64c2412 e9???????? 83f806 0f84b1010000 83f808 751e }
            // n = 7, score = 200
            //   e9????????           |                     
            //   0fb64c2412           | movzx               ecx, byte ptr [esp + 0x12]
            //   e9????????           |                     
            //   83f806               | cmp                 eax, 6
            //   0f84b1010000         | je                  0x1b7
            //   83f808               | cmp                 eax, 8
            //   751e                 | jne                 0x20

    condition:
        7 of them and filesize < 16646144
}