MioLab Stealer, GhostSocks Proxy & CloudZ RAT: Multi-Vector Malware Campaign Analysis

Security Arsenal Team
May 5, 2026

The latest OTX pulses indicate a surge in sophisticated Malware-as-a-Service (MaaS) operations targeting both macOS and Windows ecosystems. The intelligence highlights three distinct but concerning threads: the expansion of MioLab (a macOS stealer empire), the proliferation of GhostSocks (a GoLang-based residential proxy botnet), and the emergence of CloudZ RAT utilizing the undocumented "Pheno" plugin to bypass MFA via Microsoft Phone Link.

Collectively, these campaigns represent a shift toward specialized, high-value data theft (cryptocurrency, cookies) and infrastructure abuse (residential proxies) sold primarily on Russian-speaking underground forums. The common objective is financial monetization through direct asset theft or the sale of network access to other threat actors.

Threat Actor / Malware Profile

1. MioLab (aka Nova)

  • Type: macOS Stealer (MaaS)
  • Distribution: Advertised heavily on Russian forums; utilizes "ClickFix" social engineering tactics to trick users into executing malicious payloads.
  • Payload Behavior: Extensive data exfiltration targeting browser credentials, cookies, and autocomplete data. Distinctive capability to target over 200 browser extensions and 50+ desktop cryptocurrency wallets.
  • C2 Communication: Communicates with C2 servers hosted on bulletproof hosting infrastructure.

2. GhostSocks

  • Type: Residential Proxy Botnet / Backdoor
  • Distribution: Marketed as MaaS on underground forums; often distributed via cracks/keygens or bundled with other stealers (noted partnership with Lumma Stealer).
  • Payload Behavior: Written in GoLang. Turns compromised devices into SOCKS5 proxy nodes. Uses TLS encryption to blend malicious traffic with normal web traffic, aiding C2 evasion.
  • Targeting: Initially observed targeting the Education sector, likely due to high bandwidth availability.

3. CloudZ RAT (Pheno Plugin)

  • Type: Remote Access Trojan / Infostealer
  • Distribution: Unknown (likely phishing or drive-by).
  • Payload Behavior: The core RAT is enhanced by the "Pheno" plugin, which specifically targets the Microsoft Phone Link application. It intercepts synchronized mobile data (SMS and OTPs) from the linked phone without infecting the mobile device itself.
  • Persistence/Evasion: Uses dynamic memory allocation to evade static detection and bypasses MFA by intercepting the OTP token as it syncs to the compromised PC.

IOC Analysis

The provided pulses offer a mix of network and file-based indicators essential for detection:

  • Domains & Hostnames: Several suspicious domains (e.g., mioisiskwowiwjowuwjwolab.club, retreaw.click) serve as C2 infrastructure. SOC teams should immediately block these at the firewall and DNS layers.
  • File Hashes: Multiple MD5, SHA1, and SHA256 hashes are provided for the payloads of GhostSocks and CloudZ. These should be added to EDR blocklists and used to scan historical endpoints.
  • IPv4: 185.196.10.136 is identified as a C2 node for CloudZ.

Operationalization:

  • Tooling: Use SIEM (Splunk, Sentinel) to correlate network logs against domains/IPs. Use EDR (CrowdStrike, SentinelOne) to hunt for file hashes and process execution patterns.
  • Decoding: The domains in the MioLab pulse appear to use DGA (Domain Generation Algorithm) patterns or randomized strings to bypass static filters; therefore, regex-based domain blocking may be less effective than IP-based blocking or certificate reputation analysis.
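One way to operationalize the domain IOCs above and to surface randomized-looking lookalikes for review, as an added example that is not the article's or the OTX pulses' own tooling: it matches constructed DNS-log lines against the domains quoted in this article on label boundaries (so a substring-style `contains` match does not hit look-alikes such as `notzynce.org`) and ranks the remaining queries by a length-weighted entropy score. The log layout, client addresses and benign names are constructed for the example.

```python
import math
import re
from collections import Counter
# Domains quoted in the article's IOC section (MioLab and GhostSocks pulses).
C2_DOMAINS = {"mioisiskwowiwjowuwjwolab.club", "marinemember.com", "officerelaxation.com",
              "zynce.org", "retreaw.click", "bruggebogeyed.site"}

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")

def matches_ioc(query: str, iocs=C2_DOMAINS) -> bool:
    """True if the query is an IOC domain or a subdomain of one. A substring test
    ('contains') would also hit 'notzynce.org' or 'zynce.org.example.com'."""
    q = normalize(query)
    return any(q == d or q.endswith("." + d) for d in iocs)

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def randomness_score(query: str) -> float:
    """Entropy of the label left of the TLD, weighted by length, so long high-entropy
    labels rank first. A ranking aid only: long English compounds score high too."""
    parts = normalize(query).split(".")  # assumes a single-label TLD (not .co.uk)
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return shannon_entropy(label) * math.log2(len(label) + 1)

# Constructed sample log in a "timestamp client query" layout; not real telemetry.
SAMPLE_LOG = """\
2026-05-06T10:01:12Z 10.0.0.15 marinemember.com.
2026-05-06T10:01:13Z 10.0.0.15 api.zynce.org
2026-05-06T10:01:14Z 10.0.0.21 notzynce.org
2026-05-06T10:01:15Z 10.0.0.21 zynce.org.example.com
2026-05-06T10:02:01Z 10.0.0.33 MIOISISKWOWIWJOWUWJWOLAB.CLUB
2026-05-06T10:02:05Z 10.0.0.33 microsoft.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def triage(log_text: str = SAMPLE_LOG):
    """Return (hits, ranked): IOC hits as (client, query) and the remaining
    queries as (score, query), highest randomness score first."""
    hits, others = [], []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        _, client, query = m.groups()
        if matches_ioc(query):
            hits.append((client, normalize(query)))
        else:
            others.append((round(randomness_score(query), 2), normalize(query)))
    return hits, sorted(others, reverse=True)
```

Note that the entropy score does not separate dictionary-style names such as marinemember.com from benign traffic; those still need the list-based match, which is the point the Decoding note makes.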

Detection Engineering

```yaml
title: Potential CloudZ RAT C2 Activity
id: 5d7f8a9b-c3e2-4f1a-9b5d-6e7f8a9b0c1d
description: Detects network connections to known CloudZ RAT C2 infrastructure based on OTX Pulse data.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665555555555
logsource:
    category: network_connection
detection:
    selection:
        # Exact match: a startswith modifier on a full IPv4 address adds nothing and
        # would silently over-match if the indicator were ever shortened to a prefix.
        DestinationIp: '185.196.10.136'
    condition: selection
falsepositives:
    - Legitimate connection to the IP (unlikely given context)
level: critical
tags:
    - attack.command_and_control
    - attack.t1071
---
title: MioLab MacOS Stealer DNS Queries
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects DNS queries for domains associated with the MioLab MacOS Stealer campaign.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666666666666
logsource:
    product: macos
    category: dns_query
detection:
    selection_domains:
        query|contains:
            - 'mioisiskwowiwjowuwjwolab.club'
            - 'marinemember.com'
            - 'officerelaxation.com'
            - 'zynce.org'
    condition: selection_domains
falsepositives:
    - Rare, these domains appear specific to the campaign
level: high
tags:
    - attack.exfiltration
    - attack.t1041
---
title: GhostSocks Proxy C2 Connection
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects attempts to connect to GhostSocks C2 domains or suspicious SOCKS proxy ports.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/677777777777
logsource:
    category: network_connection
detection:
    selection_domains:
        DestinationHostname|contains:
            - 'retreaw.click'
            - 'bruggebogeyed.site'
    selection_socks:
        DestinationPort: 1080
    condition: 1 of selection*
falsepositives:
    - Legitimate SOCKS proxy usage (corporate proxies)
level: medium
tags:
    - attack.command_and_control
    - attack.t1090
```


```kql
// Hunt for GhostSocks and CloudZ Network Activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("retreaw.click", "bruggebogeyed.site", "mioisiskwowiwjowuwjwolab.club", "marinemember.com", "officerelaxation.com")
   or RemoteIP == "185.196.10.136"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort

// Hunt for Malicious File Hashes (CloudZ & GhostSocks)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
) or MD5 in ("2422f04227fa86a149aed35d82f9a7fc", "a39299719bb4151c373a0e9b92b2bd05")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName
```


```powershell
<#
.SYNOPSIS
    IOC hunt script for MioLab, GhostSocks, and CloudZ
.DESCRIPTION
    Checks for known malicious file hashes and network connections on Windows endpoints.
    Run from an elevated session so that owning-process details and all paths are readable.
#>

# MD5 (32 hex chars) and SHA256 (64 hex chars) indicators from the pulses. Both digests
# are computed per file below so that every entry in this list can actually match.
$MaliciousHashes = @(
    "2422f04227fa86a149aed35d82f9a7fc",
    "a39299719bb4151c373a0e9b92b2bd05",
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "59312a8d6663c9a404d0b5aa96b70be3946592e5c5489366e04114b11a722fa1",
    "fab6525bf6e77249b74736cb74501a9491109dc7950688b3ae898354eb920413"
)

$C2Domains = @(
    "retreaw.click",
    "bruggebogeyed.site",
    "mioisiskwowiwjowuwjwolab.club",
    "marinemember.com",
    "officerelaxation.com",
    "zynce.org"
)

$C2IP = "185.196.10.136"

Write-Host "Checking for active network connections to C2 infrastructure..."
# Loopback and link-local peers cannot be C2 and only slow down the reverse lookups.
$netConnections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|fe80:)' }
foreach ($conn in $netConnections) {
    # Reverse (PTR) lookup of the peer. C2 hosts rarely publish PTR records naming the
    # C2 domain, so the IP comparison is the reliable test; the name match is best effort.
    $remoteHost = (Resolve-DnsName -Name $conn.RemoteAddress -ErrorAction SilentlyContinue).NameHost
    $domainHit = $remoteHost -and ($C2Domains | Where-Object { $remoteHost -like "*$_" })
    if ($conn.RemoteAddress -eq $C2IP -or $domainHit) {
        Write-Host "[ALERT] Suspicious connection found to: $($conn.RemoteAddress) ($remoteHost) - PID: $($conn.OwningProcess)" -ForegroundColor Red
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "   Process: $($process.ProcessName) - Path: $($process.Path)"
    }
}

Write-Host "Scanning for known malicious file hashes in common directories..."
$paths = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:TEMP", "C:\ProgramData")

foreach ($path in $paths) {
    if (Test-Path $path) {
        # -File keeps directories out of Get-FileHash, which cannot hash them.
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -contains is case-insensitive, so Get-FileHash's upper-case output matches the list.
            if (($MaliciousHashes -contains $md5) -or ($MaliciousHashes -contains $sha256)) {
                Write-Host "[ALERT] Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "Scan complete."
```


# Response Priorities

*   **Immediate (0-4 hours):**
    *   Block all listed IOCs (Domains `retreaw.click`, `mioisiskwowiwjowuwjwolab.club`, etc., and IP `185.196.10.136`) at perimeter firewalls and proxies.
    *   Initiate a hunt for the provided file hashes across all endpoints using EDR.

*   **24 Hours:**
    *   If GhostSocks or MioLab indicators are found, reset credentials and rotate cryptocurrency wallet seeds for affected users.
    *   Verify if any corporate assets have been communicating with the CloudZ C2 IP; if so, treat as a full incident involving potential OTP compromise.

*   **1 Week:**
    *   Review policies regarding Microsoft Phone Link. Consider disabling the application for user profiles that do not require it to prevent the CloudZ/Pheno attack vector.
    *   Update application control policies to block unsigned GoLang executables in user directories to mitigate GhostSocks variants.
