Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Share
26
Jan 2020
Over the last 14 days, Darktrace has detected at least 80 different customers all targeted by the same CVE-2019-19781 vulnerability — affecting the Citrix ADC (Citrix Application Delivery Controller) and Citrix Gateway solution for public cloud. Customers operating Darktrace Antigena in ‘active mode’ have all seen that this attack was neutralized within seconds.
According to the National Cyber Security Centre, the exploitation of this vulnerability allows an ‘unauthenticated attacker to perform arbitrary code execution’. While Citrix has released mitigation advice, patches are just being rolled out. This unfortunately left a critical window of time, during which the attackers could exploit the vulnerabilities. However, Darktrace’s immune system technology can effectively halt the attack and contain the damage.
This blog post outlines the attack lifecycle of a campaign exploiting the Citrix vulnerabilities to download crypto-mining malware. It is interesting to see how quick the cyber-criminals were to weaponize the Citrix exploits with crypto-mining payloads for generating profit. It shows that AI-powered Autonomous Response is pivotal in today’s fast-moving threat landscape, where patches might not be available or might take weeks to install safely.
Breaking down the attack lifecycle
The following description of the observed attack stages demonstrates how Darktrace Antigena’s independent and immediate action stops the attack in its tracks, provides visibility of the complete attack lifecycle, and significantly reduces security teams’ investigation time into this activity.
Darktrace’s detection capabilities highlight the steps taken by exploited Citrix Netscaler devices executing shell commands.
These devices begin by receiving HTTP POST requests to URIs that are vulnerable to directory traversal attacks, for example /vpn/…/vpns/cfg/smb.conf. This is visible in the below details provided by Darktrace.
Figure 1: A screenshot of the requests on a particular device
These POST requests are followed by high confidence alerts created by Darktrace – the attack behavior was very similar in different targeted organizations. The high-confidence alerts were equally similar, regardless of the target, as the attack behavior was the same.
Code execution is triggered, leading to the download of shell scripts and other malware with the end-goal of running crypto-mining malware.
Some of the high-confidence alerts are:
Compromise / High Volume of Connections with Beacon Score – used to identify command and control traffic
Compliance / Pastebin – triggers during suspicious and unusual Pastebin activity
Compliance / Crypto Currency Mining Activity
Anomalous Connection / Multiple Failed Connections to Rare Endpoint – indicating unsuccessful command and control traffic attempts
Anomalous File / Script from Rare External – indicating the download of a script file from a location on the internet that is not commonly visited by the targeted organization (often this is the initial infection or a later-stage payload)
In one example, a gateway device was seen downloading a shell script from a rare external endpoint in Russia, with a /ci.sh URI.
Figure 2: Darktrace’s Threat Visualizer showing an endpoint with 100% rarity
Next, compromised devices have been observed downloading an executable file from Ukraine (http://217.12.221[.]12/netscalerd), containing an ELF:BitCoinMiner Malware, triggering the cryptocurrency mining and command and control beaconing alerts.
Figure 3: The Anomalous File / EXE from Rare External Location alert triggered by C2 traffic
Figure 4: Darktrace showing further details about the downloaded malware
An immediate response
However, Darktrace Antigena kicks in as the machine defender, eliminating the incoming threat by blocking miner file downloads and activity for about a day. This offers the customer ample time to react to this anomalous activity and halts the malware’s spread to other devices. Intervening with surgical precision, Antigena stops the malicious activity while allowing normal business processes to continue.
Figure 5: Chronological sequence (bottom to top) of alerts and Antigena actions on the vulnerable device
Lessons for the future
The exploitation of Citrix ADC’s vulnerability has understandably caused concern across the security community. Based upon the cumulation and nature of alerts triggered, the malware aims to mine cryptocurrency like so many other campaigns these days.
On the other hand, and perhaps more importantly here, this recently discovered vulnerability strengthens the case for Autonomous Response and its proven ability to prevent novel attacks.
At Darktrace we are often asked how we detect zero-day exploits. Every stage in the attack lifecycle – from the execution of Pastebin-sourced commands to performing internal reconnaissance and mining crypto with impunity – involved behavior that in some way deviated from the Enterprise Immune System’s learned ‘pattern of life’. Antigena neutralized these attacks without relying on pre-defined blacklists, and no new detections were created. By leveraging Cyber AI, the Bitcoin malware using the Citrix vulnerabilities was instantly contained – before any damage could be done to the customer.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AI-powered security for a rapidly growing grocery enterprise
Protecting a complex, fast-growing retail organization
For this multi-banner grocery holding organization, cybersecurity is considered an essential business enabler, protecting operations, growth, and customer trust. The organization’s lean IT team manages a highly distributed environment spanning corporate offices, 100+ stores, distribution centers and thousands of endpoints, users, and third-party connections.
Mergers and acquisitions fueled rapid growth, but they also introduced escalating complexity that constrained visibility into users, endpoints, and security risks inherited across acquired environments.
Closing critical visibility gaps with limited resources
Enterprise-wide visibility is a top priority for the organization, says the Vice President of Information Technology. “We needed insights beyond the perimeter into how users and devices were behaving across the organization.”
A security breach that occurred before the current IT leadership joined the company reinforced the urgency and elevated cybersecurity to an executive-level priority with a focus on protecting customer trust. The goal was to build a multi-layered security model that could deliver autonomous, enterprise-wide protection without adding headcount.
Managing cyber risk in M&A
Mergers and acquisitions are central to the grocery holding company’s growth strategy. But each transaction introduces new cyber risk, including inherited network architectures, inconsistent tooling, excessive privileges, and remnants of prior security incidents that were never fully remediated.
“Our M&A targets range from small chains with a single IT person and limited cyber tools to large chains with more developed IT teams, toolsets and instrumentation,” explains the VP of IT. “We needed a fast, repeatable, and reliable way to assess cyber risk before transactions closed.”
AI-driven security built for scale, speed, and resilience
Rather than layering additional point tools onto an already complex environment, the retailer adopted the Darktrace ActiveAI Security Platform™ in 2020 as part of a broader modernization effort to improve resilience, close visibility gaps, and establish a security foundation that could scale with growth.
“Darktrace’s AI-driven approach provided the ideal solution to these challenges,” shares the VP of IT. “It has empowered our organization to maintain a robust security strategy, ensuring the protection of our network and the smooth operation of our business.”
Enterprise-wide visibility into traffic
By monitoring both north-south and east-west traffic and applying Self-Learning AI, Darktrace develops a dynamic understanding of how users and devices normally behave across locations, roles, and systems.
“Modeling normal behavior across the environment enables us to quickly spot behavior that doesn’t fit. Even subtle changes that could signal a threat but appear legitimate at first glance,” explains the VP of IT.
Real-time threat containment, 24/7
Adopting autonomous response has created operational breathing room for the security team, says the company’s Cybersecurity Engineer.
“Early on, we enabled full Darktrace autonomous mode and we continue to do so today,” shares the IT Security Architect. “Allowing the technology to act first gives us the time we need to investigate incidents during business hours without putting the business at risk.”
Unified, actionable view of security ecosystem
The grocery retailer integrated Darktrace with its existing security ecosystem of firewalls, vulnerability management tools, and endpoint detection and response, and the VP of IT described the adoption process as “exceptionally smooth.”
The team can correlate enterprise-wide security data for a unified and actionable picture of all activity and risk. Using this “single pane of glass” approach, the retailer trains Level 1 and Level 2 operations staff to assist with investigations and user follow-ups, effectively extending the reach of the security function without expanding headcount.
From reactive defense to security at scale
With Darktrace delivering continuous visibility, autonomous containment, and integrated security workflows, the organization has strengthened its cybersecurity posture while improving operational efficiency. The result is a security model that not only reduces risk, but also supports growth, resilience, and informed decision-making at the business level.
Faster detection, faster resolution
With autonomous detection and response, the retailer can immediately contain risk while analysts investigate and validate activity. With this approach, the company can maintain continuous protection even outside business hours and reduce the chance of lateral spread across systems or locations.
Enterprise-grade protection with a lean team
From cloud environments to clients to SaaS collaboration tools, Darktrace provides holistic autonomous AI defense, processing petabytes of the organization’s network traffic and investigating millions of individual events that could be indicative of a wider incident.
Today, Darktrace autonomously conducts the majority of all investigations on behalf of the IT team, escalating only a tiny fraction for analyst review. The impact has been profound, freeing analysts from endless alerts and hours of triage so they can focus on more valuable, proactive, and gratifying work.
“From an operational perspective, Darktrace gives us time back,” says the Cybersecurity Engineer. More importantly, says the VP of IT, “it gives us peace of mind that we’re protected even if we’re not actively monitoring every alert.”
A strategic input for M&A decision-making
One of the most strategic outcomes has been the role of cybersecurity on M&A. 90 days prior to closing a transaction, the security team uses Darktrace alongside other tools to perform a cyber risk assessment of the potential acquisition. “Our approach with Darktrace has consistently identified gaps and exposed risks,” says the VP of IT, including:
Remnants of previous incidents that were never fully remediated
Network configurations with direct internet exposure
Excessive administrative privileges in Active Directory or on critical hosts
While security findings may not alter deal timelines, the VP of IT says they can have enormous business implications. “With early visibility into these risks, we can reduce exposure to inherited cyber threats, strengthen our position during negotiations, and establish clear remediation requirements.”
A security strategy built to evolve with the business
As the holding group expands its cloud footprint, it will extend Darktrace protections into Azure, applying the same AI-driven visibility and autonomous response to cloud workloads. The VP of IT says Darktrace's evolving capabilities will be instrumental in addressing the organization’s future cybersecurity needs and ability to adapt to the dynamic nature of cloud security.
“With Darktrace’s AI-driven approach, we have moved beyond reactive defense, establishing a resilient security foundation for confident expansion and modernization.”
In today's threat landscape, blending in to normal activity is the key to success for attackers and the growing reliance on residential proxies shows a significant shift in how threat actors are attempting to bypass IP detection tools.
The increasing dependency on residential proxies has exposed how prevalent proxy services are and how reliant a diverse range of threat actors are on them. From cybercriminal groups to state‑sponsored actors, the need to bypass IP detection tools is fundamental to the success of these groups. One malware that has quietly become notorious for its ability to avoid anomaly detection is GhostSocks, a malware that turns compromised devices into residential proxies.
What is GhostSocks?
Originally marketed on the Russian underground forum xss[.]is as a Malware‑as‑a‑Service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim's internet bandwidth to route malicious traffic through it.
How does Ghostsocks malware work?
The malware offers the threat actor a “clean” IP address, making it look like it is coming from a household user. This enables the bypassing of geographic restrictions and IP detection tools, a perfect tool for avoiding anomaly detection. It wasn’t until 2024, when a partnership was announced with the infamous information stealer Lumma Stealer, that GhostSocks surged into widespread adoption and alluded to who may be the author of the proxy malware.
Written in GoLang, GhostSocks utilizes the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It uses a relay‑based C2 implementation, where an intermediary server sits in between the real command-and-control (C2) server and the infected device.
How does Ghostsocks malware evade detection?
To further increase evasion, the Ghostsocks malware wraps its SOCKS5 tunnels in TLS encryption, allowing its malicious traffic to blend into normal network traffic.
Early variants of GhostSocks do not implement a persistence mechanism; however, later versions achieve persistence via registry run keys, ensuring sustained proxy operational time [1].
While proxying is its primary purpose, GhostSocks also incorporates backdoor functionality, enabling malicious actors to run arbitrary commands and download and deploy additional malicious payloads. This was evident with the well‑known ransomware group Black Basta, which reportedly used GhostSocks as a way of maintaining long‑term access to victims’ networks [1].
Darktrace’s detection of GhostSocks Malware
Darktrace observed a steady increase in GhostSocks activity across its customer base from late 2025, with its Threat Research team identifying multiple incidents involving the malware. In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma’s infrastructure.
Darktrace’s first detection of GhostSocks‑related activity came when a device on the network of a customer in the education sector began making connections to an endpoint with a suspicious self‑signed certificate that had never been seen on the network before.
The endpoint in question, 159.89.46[.]92 with the hostname retreaw[.]click, has been flagged by multiple open‑source intelligence (OSINT) sources as being associated with Lumma Stealer’s C2 infrastructure [2], indicating its likely role in the delivery of malicious payloads.
Figure 1: Darktrace’s detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure.
Less than two minutes later, Darktrace observed the same device downloading the executable (.exe) file “Renewable.exe” from the IP 86.54.24[.]29, which Darktrace recognized as 100% rare for this network.
Figure 2: Darktrace’s detection of a device downloading the unusual executable file “Renewable.exe”.
Both the file MD5 hash and the executable itself have been identified by multiple OSINT vendors as being associated with the GhostSocks malware [3], with the executable likely the backdoor component of the GhostSocks malware, facilitating the distribution of additional malicious payloads [4].
Following this detection, Darktrace’s Autonomous Response capability recommended a blocking action for the device in an early attempt to stop the malicious file download. In this instance, Darktrace was configured in Human Confirmation Mode, meaning the customer’s security team was required to manually apply any mitigative response actions. Had Autonomous Response been fully enabled at the time of the attack, the connections to 86.54.24[.]29 would have been blocked, rendering the malware ineffective at reaching its C2 infrastructure and halting any further malicious communication.
Figure 3: Darktrace’s Autonomous Response capability suggesting blocking the suspicious connections to the unusual endpoint from which the malicious executable was downloaded.
As the attack was able to progress, two days later the device was detected downloading additional payloads from the endpoint www.lbfs[.]site (23.106.58[.]48), including “Setup.exe”, “,.exe”, and “/vp6c63yoz.exe”.
Figure 4: Darktrace’s detection of a malicious payload being downloaded from the endpoint www.lbfs[.]site.
Once again, Darktrace recognized the anomalous nature of these downloads and suggested that a “group pattern of life” be enforced on the offending device in an attempt to contain the activity. By enforcing a pattern of life on a device, Darktrace restricts its activity to connections and behaviors similar to those performed by peer devices within the same group, while still allowing it to carry out its expected activity, effectively preventing deviations indicative of compromise while minimizing disruption. As mentioned earlier, these mitigative actions required manual implementation, so the activity was able to continue. Darktrace proceeded to suggest further actions to contain subsequent malicious downloads, including an attempt to block all outbound traffic to stop the attack from progressing.
Figure 5: An overview of download activity and the Autonomous Response actions recommended by Darktrace to block the downloads.
Around the same time, a third executable download was detected, this time from the hostname hxxp[://]d2ihv8ymzp14lr.cloudfront.net/2021-08-19/udppump[.]exe, along with the file “udppump.exe”.While GhostSocks may have been present only to facilitate the delivery of additional payloads, there is no indication that these CloudFront endpoints or files are functionally linked to GhostSocks. Rather, the evidence points to broader malicious file‑download activity.
Shortly after the multiple executable files had been downloaded, Darktrace observed the device initiating a series of repeated successful connections to several rare external endpoints, behavior consistent with early-stage C2 beaconing activity.
Cyber AI Analyst’s investigation
Figure 7: Darktrace’s detection of additional malicious file downloads from malicious CloudFront endpoints.
Throughout the course of this attack, Darktrace’s Cyber AI Analyst carried out its own autonomous investigation, piecing together seemingly separate events into one wider incident encompassing the first suspicious downloads beginning on December 4, the unusual connectivity to many suspicious IPs that followed, and the successful beaconing activity observed two days later. By analyzing these events in real-time and viewing them as part of the bigger picture, Cyber AI Analyst was able to construct an in‑depth breakdown of the attack to aid the customer’s investigation and remediation efforts.
Figure 8: Cyber AI Analyst investigation detailing the sequence of events on the compromised device, highlighting its extensive connectivity to rare endpoints, the related malicious file‑download activity, and finally the emergence of C2 beaconing behavior.
Conclusion
The versatility offered by GhostSocks is far from new, but its ability to convert compromised devices into residential proxy nodes, while enabling long‑term, covert network access—illustrates how threat actors continue to maximise the value of their victims’ infrastructure. Its growing popularity, coupled with its ongoing partnership with Lumma, demonstrates that infrastructure takedowns alone are insufficient; as long as threat actors remain committed to maintaining anonymity and can rapidly rebuild their ecosystems, related malware activity is likely to persist in some form.
Credit to Isabel Evans (Cyber Analyst), Gernice Lee (Associate Principal Analyst & Regional Consultancy Lead – APJ) Edited by Ryan Traill (Content Manager)
![Darktrace’s detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69c5739b43fdfed6f1b02053_Screenshot%202026-03-26%20at%2010.57.44%E2%80%AFAM.png)
![Darktrace’s detection of a malicious payload being downloaded from the endpoint www.lbfs[.]site.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69c57465977a5ae3f07c6d69_Screenshot%202026-03-26%20at%2011.01.05%E2%80%AFAM.png)
