EXECUTIVE SUMMARY
GhostSocks is a Golang-based SOCKS5 backconnect proxy malware that has gained traction in cybercriminal circles, particularly through its integration with the LummaC2 information stealer. Initially advertised on Russian-language forums, GhostSocks later appeared on English-speaking platforms, offered as Malware-as-a-Service. It allows attackers to monetize compromised systems by establishing proxy connections that mask malicious activities. The malware is particularly threatening to financial institutions and other high-value targets, as it enables attackers to bypass IP-based security controls and geolocation restrictions. GhostSocks’ close relationship with Lumma is evident in its automated deployment features and pricing incentives tailored for Lumma users, which point to a deliberate strategy to enhance post-infection capabilities.