www.darktrace.com 3/26/2026, 6:19:17 PM

Tracking & Detecting GhostSocks Malware


GhostSocks is an emerging threat that turns compromised devices into residential proxy nodes, letting attackers route their own traffic through victim networks to evade detection, according to Darktrace. The malware has been observed working alongside Lumma Stealer, reinforcing a reported ongoing partnership between the two operations, and was highlighted for its stealth, payload delivery and persistence.

Darktrace’s analysis notes that GhostSocks wraps its SOCKS5 tunnels in TLS and uses relay-based C2, surfacing through a rare combination of indicators: connections to the endpoint 159.89.46[.]92/retreaw[.]click and an executable downloaded from 86.54.24[.]29, the latter classed as 100% rare for that network (in Darktrace’s rarity scoring, a destination no device on the network had contacted before).

The report details a December 2025 incident in which GhostSocks activity began on a device in the education sector, followed by multiple suspicious downloads, including Renewable[.]exe and other payloads from CloudFront endpoints, and later C2 beaconing. Autonomous Response actions were recommended to contain the activity, but because the deployment was in Human Confirmation Mode, some mitigations required an operator to approve them manually, illustrating the ongoing need for proactive defence.
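The two behaviours that made this incident detectable, an executable fetched from a destination the network had never contacted before and subsequent regular beaconing to a C2 endpoint, can be expressed as simple detection logic. The following is an added example written for this summary, not code from Darktrace or CyberSIXT. The log format, the device addresses, the baseline destinations and the jitter threshold are assumptions; the two external endpoints are the indicators named above, kept defanged so the script contacts nothing.

```python
# Added example: toy detection logic for the GhostSocks indicators summarised
# above (executable from a never-before-seen destination, then near-periodic
# beaconing). Not Darktrace's or CyberSIXT's code; the log format, hosts and
# thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection records, not real telemetry. Assumed field order:
# timestamp, source device, destination IP, destination host, URI path.
# Destinations from the report are left defanged exactly as on the page.
BASELINE_LOG = """\
2025-12-01T09:00:00,10.0.5.21,93.184.216.34,updates.example.net,/client.exe
2025-12-01T09:05:00,10.0.5.22,151.101.1.69,cdn.example.org,/lib.js
"""

INCIDENT_LOG = """\
2025-12-03T10:00:00,10.0.5.21,93.184.216.34,updates.example.net,/client.exe
2025-12-03T10:01:10,10.0.5.21,86.54.24[.]29,,/Renewable.exe
2025-12-03T10:02:00,10.0.5.21,159.89.46[.]92,retreaw[.]click,/
2025-12-03T10:03:00,10.0.5.21,159.89.46[.]92,retreaw[.]click,/
2025-12-03T10:04:02,10.0.5.21,159.89.46[.]92,retreaw[.]click,/
2025-12-03T10:05:00,10.0.5.21,159.89.46[.]92,retreaw[.]click,/
2025-12-03T10:06:01,10.0.5.21,159.89.46[.]92,retreaw[.]click,/
2025-12-03T10:00:10,10.0.5.22,151.101.1.69,cdn.example.org,/lib.js
2025-12-03T10:06:50,10.0.5.22,151.101.1.69,cdn.example.org,/lib.js
2025-12-03T10:07:25,10.0.5.22,151.101.1.69,cdn.example.org,/lib.js
2025-12-03T10:22:25,10.0.5.22,151.101.1.69,cdn.example.org,/lib.js
"""


def parse_log(text):
    """Split the comma-separated records into dicts with parsed timestamps."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst_ip, dst_host, uri = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst_ip": dst_ip, "dst_host": dst_host, "uri": uri})
    return records


def known_destinations(records):
    """Destination IPs the network has contacted before: the rarity baseline."""
    return {r["dst_ip"] for r in records}


def rare_executable_downloads(records, baseline):
    """An executable fetched from a destination never seen on the network
    (the '100% rare' condition). Returns (source, destination IP, URI)."""
    hits = []
    for r in records:
        if r["uri"].lower().endswith(".exe") and r["dst_ip"] not in baseline:
            hits.append((r["src"], r["dst_ip"], r["uri"]))
    return hits


def beaconing_pairs(records, min_connections=4, max_jitter=0.2):
    """Source/destination pairs whose connection gaps are near-constant.
    Jitter is the coefficient of variation (population stdev / mean) of the
    gaps; 0.2 and min_connections are assumed thresholds, not report values.
    Returns (source, destination IP, mean gap in seconds)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst_ip"])].append(r["ts"])
    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((src, dst, avg))
    return flagged


def run_detections(baseline_text=BASELINE_LOG, incident_text=INCIDENT_LOG):
    """Build the rarity baseline from earlier traffic, then run both checks."""
    baseline = known_destinations(parse_log(baseline_text))
    incident = parse_log(incident_text)
    return {"rare_exe": rare_executable_downloads(incident, baseline),
            "beacons": beaconing_pairs(incident)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the constructed data, the download of /client.exe from a baseline host is not flagged, only /Renewable.exe from 86.54.24[.]29 is, and the irregular bursts from 10.0.5.22 to its CDN are rejected by the jitter check while the roughly 60-second cadence to 159.89.46[.]92 is reported as beaconing. In a real deployment the baseline would be the organisation's historical connection telemetry rather than two lines, and the jitter threshold would be tuned against legitimate periodic traffic such as update checks.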


Article by CyberSIXT