Back to Intelligence

GhostSocks Proxy & Remcos RAT: OTX Pulse Analysis — AI Framework & Mobile Link Exploits

SA
Security Arsenal Team
May 6, 2026
6 min read

Recent OTX pulses indicate a concerning convergence of proxy botnets, AI-framework abuse, and mobile-device bridge exploitation. Threat actors are actively deploying GhostSocks, a GoLang-based residential proxy malware, to obfuscate malicious traffic via SOCKS5 and TLS encryption, specifically targeting the Education sector.

Simultaneously, the OpenClaw AI agent framework has been weaponized via a malicious "DeepSeek-Claw" skill to distribute Remcos RAT and GhostLoader, showcasing a shift toward poisoning emerging development ecosystems. In a third distinct campaign, CloudZ RAT coupled with the Pheno plugin is actively stealing OTPs by exploiting the Microsoft Phone Link application, bypassing the need to infect the mobile device directly.

The collective objective of these campaigns is credential harvesting, persistent remote access, and infrastructure anonymization for further criminal activity.

Threat Actor / Malware Profile

GhostSocks (Proxy Botnet)

  • Origin: Marketed on Russian underground forums as Malware-as-a-Service (MaaS).
  • Capabilities: Turns compromised devices into residential proxy nodes. Uses SOCKS5 protocol with TLS encryption to blend with normal network traffic.
  • Affiliations: Partners with Lumma Stealer for data theft.
  • Targeting: Heavily focused on the Education sector.

Remcos RAT & GhostLoader (AI Supply Chain)

  • Vector: Weaponized "DeepSeek-Claw" skill within the OpenClaw AI framework.
  • Mechanism: PowerShell command downloads an MSI package containing a legitimate, signed GoToMeeting executable (G2MStart.exe). Threat actors perform DLL side-loading to inject Remcos RAT or GhostLoader.
  • Behavior: Provides full remote control, keylogging, and evasion via signed binaries.

CloudZ RAT & Pheno Plugin (OTP Theft)

  • Vector: Exploits Microsoft Phone Link (Your Phone) application on Windows.
  • Mechanism: The Pheno plugin intercepts synchronized mobile data (SMS and notifications) to steal One-Time Passwords (OTPs) without infecting the phone itself.
  • Evasion: Uses dynamic memory manipulation to evade signature-based detection.

IOC Analysis

Indicator Types:

  • File Hashes: A high volume of MD5, SHA1, and SHA256 hashes are provided for the GoLang payloads (GhostSocks), MSI installers (Remcos), and CloudZ binaries. These should be prioritized for EDR quarantine and historical hunting.
  • Domains/Hostnames: C2 infrastructure includes retreaw.click and w2.bruggebogeyed.site (GhostSocks), and dropras.xyz, trackpipe.dev (Remcos).
  • IPv4: 185.196.10.136 is associated with CloudZ RAT C2 activity.

Operational Guidance: SOC teams should immediately block the listed domains and IPs at the perimeter and proxy levels. File hashes should be uploaded to EDR solutions to hunt for execution history. Given the use of TLS encryption by GhostSocks, network detection relies heavily on IoC-based blocking rather than deep packet inspection.

Detection Engineering

Sigma Rules

YAML
title: Potential GhostSocks Proxy C2 Connection
id: 0a1b2c3d-4e5f-6789-0abc-1def23456789
description: Detects network connections to known GhostSocks C2 domains and infrastructure indicators.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6123456789abcdef
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'retreaw.click'
            - 'bruggebogeyed.site'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.defense_evasion

---

title: Suspicious PowerShell MSI Download (OpenClaw/Remcos Vector)
id: 1a2b3c4d-5e6f-7890-bcde-1f234567890a
description: Detects PowerShell commands downloading MSI packages, a technique used in the OpenClaw DeepSeek-Claw attack to deliver Remcos RAT.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6123456789abcdef
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_download:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadFile'
    selection_msi:
        CommandLine|contains: '.msi'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation scripts
level: high
tags:
    - attack.initial_access
    - attack.execution

---

title: CloudZ RAT C2 IP Connection
id: 2b3c4d5e-6f78-9012-cdef-234567890abc
description: Detects connections to the IPv4 address associated with CloudZ RAT and Pheno plugin activity.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6123456789abcdef
logsource:
    category: network_connection
detection:
    selection:
        DestinationIp|startswith: '185.196.10.136'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.exfiltration

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for GhostSocks and Remcos C2 Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("retreaw.click", "bruggebogeyed.site", "dropras.xyz", "trackpipe.dev")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for CloudZ RAT IP Connection
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == "185.196.10.136"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort

// Hunt for Suspicious MSI Downloads via PowerShell (OpenClaw Vector)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has ".msi" and (ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "DownloadFile")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for GhostSocks, Remcos, and CloudZ artifacts.
.DESCRIPTION
    Checks DNS Cache for malicious domains and Active TCP connections for CloudZ C2 IP.
#>

Write-Host "[*] Starting OTX Pulse Hunt: GhostSocks / Remcos / CloudZ..." -ForegroundColor Cyan

$MaliciousDomains = @(
    "retreaw.click",
    "w2.bruggebogeyed.site",
    "dropras.xyz",
    "trackpipe.dev"
)
$MaliciousIP = "185.196.10.136"

# Check DNS Cache for C2 Domains
Write-Host "[*] Checking DNS Cache for GhostSocks/Remcos C2 Domains..."
$DnsCache = Get-DnsClientCache
foreach ($Domain in $MaliciousDomains) {
    $Matches = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
    if ($Matches) {
        Write-Host "[!] ALERT: Found DNS Cache entry for $Domain" -ForegroundColor Red
        $Matches | Select-Object Entry, Data, TimeToLive
    }
}

# Check Active Network Connections for CloudZ IP
Write-Host "[*] Checking Active Connections for CloudZ C2 IP ($MaliciousIP)..."
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$Matches = $Connections | Where-Object { $_.RemoteAddress -eq $MaliciousIP }
if ($Matches) {
    Write-Host "[!] ALERT: Found active connection to CloudZ C2 IP $MaliciousIP" -ForegroundColor Red
    $Matches | Select-Object LocalPort, RemotePort, OwningProcess
    # Resolve Process Name
    $Matches | ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path }
} else {
    Write-Host "[-] No active connections found to $MaliciousIP." -ForegroundColor Green
}

Write-Host "[*] Hunt Complete."


---

Response Priorities

  • Immediate:

    • Block all listed IOCs (Domains, IPs, File Hashes) at the firewall, proxy, and EDR levels.
    • Isolate endpoints with positive hits for the provided file hashes or network connections.

  • 24 Hours:

    • Hunt for historical evidence of PowerShell scripts downloading .msi files (OpenClaw vector).
    • If CloudZ is suspected, initiate identity verification checks for accounts accessed from compromised endpoints due to potential OTP interception.

  • 1 Week:

    • Review policies regarding the use of AI frameworks and agent tools in development environments to prevent supply chain poisoning via skills like "DeepSeek-Claw".
    • Assess the business necessity of Microsoft Phone Link and restrict access for high-privilege accounts to mitigate CloudZ/Pheno OTP theft risks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareghostsocksremcos-ratcloudz-ratpheno-pluginai-threats

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action