GhostSocks Malware

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint cyber security advisory on the growing threat of Ghost ransomware. Despite the similar name, GhostSocks is a separate piece of malware: not a ransomware variant, but a SOCKS5 back-connect proxy that lets its operators route traffic through infected hosts to bypass anti-fraud mechanisms and geographic restrictions. The Ghost ransomware group, first detected in 2021, has targeted organizations in over 70 countries, exploiting unpatched software, weak credentials, and outdated security configurations to infiltrate enterprise networks. [1]

GhostSocks is sold under a Malware-as-a-Service (MaaS) model and is distributed alongside the LummaC2 infostealer. First advertised on Russian-language forums in October 2023, it has recently been offered to English-speaking cyber criminals as well, giving attackers a method to monetize compromised systems through credential abuse and residential proxy networks.

See: https://redskyalliance.org/commercial/lummac-stealer-on-onlyfans

GhostSocks' integration with Lumma allows it to be provisioned automatically onto systems Lumma has already infected, a pairing that extends post-exploitation capability beyond credential theft. For a licensing fee of $150 in Bitcoin, threat actors gain access to customizable builds of GhostSocks, obfuscated with Garble, a Go source-code obfuscator, to frustrate analysis.

The malware's primary function is to establish SOCKS5 back-connect proxies. Unlike a conventional proxy, which waits for clients to connect to it, the infected host opens an outbound connection to the operator's relay, and the operator then pushes proxy requests back down that channel, so the traffic reaching the final destination carries the victim's own IP address. This masks the origin of malicious activity and allows attackers to circumvent IP-based security controls employed by financial institutions and other high-value targets, which tend to trust residential and corporate addresses more than known proxy or hosting ranges.
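The back-connect exchange described above, written out as an added example that is not GhostSocks' own code and is not from the original article. It builds the RFC 1928 messages an operator's relay would send (method greeting and CONNECT request), parses and answers them as the agent on the infected host would, and then uses the inverted direction of the handshake as a detection heuristic: on a TCP connection an endpoint opened outbound, the remote side speaking first with a SOCKS5 greeting is the back-connect tell. The flow records, hostnames and addresses are constructed for illustration; the page does not describe GhostSocks' actual wire framing between agent and relay.

```python
"""SOCKS5 (RFC 1928) back-connect exchange and a detection heuristic.

Constructed illustration, not GhostSocks' own code. In a normal SOCKS5
deployment the client opens the TCP connection to the proxy and sends the
greeting. In a back-connect design the proxy agent (the infected host)
opens the TCP connection out to the operator's relay, and the relay then
sends the SOCKS5 greeting and CONNECT requests back down that channel.
`relay_*` builds what the relay sends; `agent_*` parses and answers as the
agent would; `classify_flow` uses the inverted direction as a tell.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE = 0x00, 0x02, 0xFF
REP_SUCCEEDED = 0x00


def relay_greeting(methods=(METHOD_NOAUTH, METHOD_USERPASS)):
    """Greeting sent by the SOCKS client side: VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VER, len(methods), *methods])


def agent_select_method(greeting, supported=(METHOD_NOAUTH,)):
    """Parse the greeting; answer VER | METHOD (0xFF = nothing acceptable)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    if len(greeting) != 2 + greeting[1]:
        raise ValueError("truncated greeting")
    offered = greeting[2:]
    chosen = next((m for m in supported if m in offered), METHOD_NONE)
    return bytes([SOCKS_VER, chosen])


def relay_connect(host, port):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                       # not a literal IP: domain form
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def agent_parse_request(req):
    """Decode a request into (cmd, host, port); reject malformed input."""
    if len(req) < 10 or req[0] != SOCKS_VER or req[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        end, host = 8, str(ipaddress.IPv4Address(req[4:8]))
    elif atyp == ATYP_IPV6:
        end, host = 20, str(ipaddress.IPv6Address(req[4:20]))
    elif atyp == ATYP_DOMAIN:
        end, host = 5 + req[4], req[5:5 + req[4]].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(req) != end + 2:
        raise ValueError("request length does not match address type")
    return cmd, host, struct.unpack("!H", req[end:end + 2])[0]


def agent_reply(bound_ip, bound_port, rep=REP_SUCCEEDED):
    """Reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (IPv4 form)."""
    return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bound_ip).packed + struct.pack("!H", bound_port))


def looks_like_greeting(data):
    """True if `data` begins with a well-formed SOCKS5 greeting."""
    return len(data) >= 3 and data[0] == SOCKS_VER and 1 <= data[1] <= len(data) - 2


def classify_flow(flow):
    """Flag endpoint-initiated TCP flows whose *server* side speaks first
    with a SOCKS5 greeting: that inversion is the back-connect signature."""
    if flow["initiator"] != "internal":
        return "ignore"
    if looks_like_greeting(flow["server_bytes"]):
        return "suspect-socks5-backconnect"
    if looks_like_greeting(flow["client_bytes"]):
        return "outbound-socks5-client"     # ordinary forward-proxy use
    return "benign"


# Constructed sample flows (first bytes each side sent), not real captures.
SAMPLE_FLOWS = [
    {"id": 1, "initiator": "internal", "client_bytes": b"",
     "server_bytes": relay_greeting()},
    {"id": 2, "initiator": "internal", "client_bytes": relay_greeting((METHOD_NOAUTH,)),
     "server_bytes": b"\x05\x00"},
    {"id": 3, "initiator": "internal", "client_bytes": b"GET / HTTP/1.1\r\n",
     "server_bytes": b"HTTP/1.1 200 OK\r\n"},
]

if __name__ == "__main__":
    # Full exchange: relay greets, agent picks a method, relay asks for a CONNECT.
    print(agent_select_method(relay_greeting()))                 # b'\x05\x00'
    print(agent_parse_request(relay_connect("example.com", 443)))  # (1, 'example.com', 443)
    print({f["id"]: classify_flow(f) for f in SAMPLE_FLOWS})
```

The classification works on the first bytes each side sent, so it needs either a network sensor that sees both directions or endpoint telemetry that records early payload. Because the page does not document how GhostSocks frames or encrypts the agent-to-relay channel, treat the heuristic as a demonstration of the direction inversion rather than a signature: a relay that wraps the SOCKS5 exchange in TLS or a custom framing would defeat byte-level matching, and the durable signal is the infected host holding a long-lived outbound connection over which it then initiates many new connections to unrelated destinations.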

GhostSocks employs a relay-based command-and-control (C2) infrastructure, using Tier 1 and Tier 2 servers so that neither the operator's address nor the full proxy path is visible to the victim or to the final destination. Attackers use these tunnels to route traffic through victims' IP addresses, bypassing geolocation filters. Researchers at security firm Infrawatch have identified C2 infrastructure hosted on VDSina (AS216071), a UAE-based provider known for hosting commercial VPNs and proxy services, which makes the malicious back-connect traffic harder to distinguish from legitimate proxy use by network reputation alone.

The Ghost ransomware activity covered by the CISA/FBI advisory is a separate campaign. Beginning in 2021, Ghost actors attacked victims whose Internet-facing services ran outdated software and firmware versions. This broad targeting of vulnerable networks has led to the compromise of organizations internationally, including organizations in China.

Critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small and medium-sized businesses are among the ransomware victims.

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.cybersecurityintelligence.com/blog/ghostsocks-malware-can-slip-past-detection-systems-8283.htm

© 2025 Red Sky Alliance Corporation. All rights reserved.
