{
  "Event": {
    "analysis": "1",
    "date": "2026-03-26",
    "extends_uuid": "",
    "info": "[Threat Intel] Phantom Footprints: Tracking GhostSocks Malware",
    "protected": false,
    "publish_timestamp": "1775907160",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775907160",
    "uuid": "d0e5eab3-c9e7-4572-9de4-05e3e80b4ca4",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#251b6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"GhostSocks\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012419",
        "to_ids": false,
        "type": "link",
        "uuid": "2c45bf05-e4e7-4058-a8f8-58c0bc904283",
        "value": "https://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012419",
        "to_ids": false,
        "type": "text",
        "uuid": "d2e242da-1d66-4781-9172-20c9f959ce32",
        "value": "GhostSocks is an emerging threat that turns compromised devices into residential proxy nodes, enabling attackers to evade detection. Originally marketed on Russian-language underground forums as Malware-as-a-Service, it has gained popularity through its partnership with Lumma Stealer. Written in Go, GhostSocks uses the SOCKS5 proxy protocol and TLS encryption to blend malicious traffic into normal network activity. It also incorporates backdoor functionality for running arbitrary commands and deploying additional payloads. Darktrace observed an increase in GhostSocks activity, detecting it alongside Lumma Stealer in customer networks. The malware's versatility in converting devices into proxy nodes while enabling covert network access illustrates how threat actors maximize the value of compromised infrastructure."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012419",
        "to_ids": false,
        "type": "text",
        "uuid": "f054b5d7-f287-4dd8-9ac6-2113b89f02ed",
        "value": "Name: Phantom Footprints: Tracking GhostSocks Malware\nAuthor: AlienVault\nAdversary: GhostSocks\nTags: [\"c2 infrastructure\", \"ghostsocks\", \"evasion techniques\", \"socks5\", \"golang\", \"lumma stealer\", \"backdoor\", \"tls encryption\", \"residential proxy\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1071\", \"T1112\", \"T1102\", \"T1571\", \"T1095\", \"T1588\", \"T1189\"]\nIndustries: [\"Education\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012419",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "cbc16afe-b953-4aab-8b98-e8ebab148b97",
        "value": "GhostSocks"
      },
      {
        "category": "Payload delivery",
        "comment": "Likely follow-up payload; hash unverified - no sample in VT, MalwareBazaar or Tria.ge.\r\nLast check: 2026-04-11",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902641",
        "to_ids": true,
        "type": "sha1",
        "uuid": "5ae10c58-0101-4ca2-9469-9b8afcd7ffae",
        "value": "10f928e00a1ed0181992a1e4771673566a02f4e3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Likely follow-up payload; hash unverified - no sample in VT, MalwareBazaar or Tria.ge.\r\nLast check: 2026-04-11",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902642",
        "to_ids": true,
        "type": "sha1",
        "uuid": "8c41070b-a794-4f73-b8d0-c7315e2999fe",
        "value": "3d9d7a7905e46a3e39a45405cb010c1baa735f9e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Likely GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904671",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4b66286c-e16a-41cb-bac2-9ccfe9dd1ff2",
        "value": "86.54.24.29",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Lumma C2 Endpoint",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904692",
        "to_ids": true,
        "type": "domain",
        "uuid": "38573ca6-7be7-4337-b2ed-dd9ba84e416a",
        "value": "retreaw.click",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904714",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a01c6968-c146-40c7-966e-e36edc887c58",
        "value": "w2.bruggebogeyed.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Likely C2 Endpoint",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904735",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3e10f2eb-44c9-495a-a9a0-b5606ddb272e",
        "value": "www.lbfs.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Possible C2 Endpoint",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904758",
        "to_ids": true,
        "type": "domain",
        "uuid": "0c610811-ecce-47e5-a9ed-e4cfc4f22ef1",
        "value": "alltipi.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks Distribution Endpoint",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904779",
        "to_ids": true,
        "type": "url",
        "uuid": "b085631c-fc7a-4887-bef9-a00a8c92245c",
        "value": "http://86.54.24.29/Renewable.exe",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CDN - Payload Distribution Endpoint",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904800",
        "to_ids": true,
        "type": "url",
        "uuid": "48ed9ad4-65ba-4b21-aa1d-558c612cbd2c",
        "value": "http://d2ihv8ymzp14lr.cloudfront.net/2021-08-19/udppump.exe",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775904822",
        "uuid": "8aa86b6b-971a-418e-acfa-573fdf291180",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775904822",
            "to_ids": true,
            "type": "md5",
            "uuid": "ee11d349-073f-4109-a075-8cc73314a0d1",
            "value": "ddd2994acd25bde5ac32a03f1cf30b41",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902640",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c73bccb4-3871-45e2-8176-6120c3d60ca1",
            "value": "9b90c62299d4bed2e0752e2e1fc777ac50308534",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902640",
            "to_ids": true,
            "type": "sha256",
            "uuid": "627b7673-41c8-4df4-8a12-8debbae19b4e",
            "value": "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775901802",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f834734e-5a97-40d4-bf95-28215dff4296",
            "value": "196608:xwenvZGBJPzcGsl7U37YPrxosYYCV9gQXfLvSKzOx5n3:xwOvCbkBU3KxosFCVCIWKzOx53"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775901802",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f09e8873-d25d-499f-89a5-4231bd5f236f",
            "value": "10551848"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775901802",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3dd91774-b5fc-4531-9a7c-b4ba5b28a176",
            "value": "017056555d756561z82z25003b7z87zd2z37dz67"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775901802",
            "to_ids": true,
            "type": "filename",
            "uuid": "d9731819-f5d2-4f0b-ac4d-13ff8b4fe67b",
            "value": "YonderBitnovacoreProSorter.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-11\nLast scan: 2026-04-08",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775901802",
            "to_ids": false,
            "type": "text",
            "uuid": "b8e242c8-4329-44af-b6e1-e23d9061544b",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/LummaC.KK!MTB\nVT Total Detection: 52/72\nFirst Submission: 2025-11-26T18:45:48.000000+00:00\nLast Submission: 2025-12-01T21:14:38.000000+00:00\nNote: the only vendor detection name recorded here attributes this sample to Lumma Stealer (LummaC), not GhostSocks; treat the GhostSocks association as contextual (observed alongside Lumma) rather than a GhostSocks-specific signature."
          }
        ]
      }
    ]
  }
}