Cyber Security News

Malicious PyPI Package Masquerades as SOCKS5 Proxy Tool to Attack Windows Platforms

A sophisticated malicious package has infiltrated the Python Package Index (PyPI), masquerading as a legitimate SOCKS5 proxy tool while harboring backdoor capabilities that target Windows systems.

The SoopSocks package, tracked as XRAY-725599, presents itself as a benign networking utility that creates SOCKS5 proxy services and reports server information to configurable Discord webhooks.

SoopSocks on PyPI after the JFrog team reported it to the maintainers (Source: JFrog)

However, beneath this facade lies a complex multi-stage attack framework designed to establish persistent backdoor access on compromised Windows machines.

The malware shows a clear evolution across its version history, progressing from basic SOCKS5 implementations in versions 0.1.0 through 0.1.2 to deployment mechanisms that add Windows service integration, VBScript installers, and compiled Go executables.

This progression indicates deliberate development aimed at enhancing stealth capabilities and bypassing security controls through automated installation processes that leverage both VBScript and executable deployment vectors.

JFrog Security Research analysts identified the malicious package during their routine monitoring of open-source repositories, recognizing suspicious behaviors that warranted deeper investigation.

The package’s deceptive nature lies in its functional SOCKS5 proxy capabilities, which provide legitimate functionality while simultaneously establishing covert communication channels and persistent access mechanisms.

The primary threat emerges from the package’s ability to install itself as a Windows service with elevated privileges, automatically configure firewall rules, and maintain continuous communication with command and control infrastructure.

The malware employs multiple persistence mechanisms including scheduled tasks, Windows services, and automatic startup configurations, ensuring survival across system reboots and user sessions.

Stealth Installation and Persistence Mechanisms

The current iteration of SoopSocks employs a sophisticated installation mechanism centered around the _autorun.exe executable, a PE32+ binary compiled from Go source code that orchestrates the entire deployment process with minimal user interaction.

This executable utilizes PowerShell as its primary orchestration mechanism while implementing multiple evasion techniques designed to avoid detection and user visibility.

The installation process begins when the executable launches PowerShell with parameters chosen to keep the installer out of the user's view.

The -ExecutionPolicy Bypass switch sidesteps the script execution policy (a guard against accidental script execution, not a security boundary), -NoProfile skips the user's profile scripts so nothing configured there runs or interferes, and -WindowStyle Hidden keeps the console window off the screen for the whole installation sequence.

This configuration lets the malware run its deployment stages without showing the user a window or a prompt. It does not, however, disable PowerShell script block logging or process creation auditing, so where those are enabled the invocation below is still recorded and is a useful hunting signature.

powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden

Once operational, the malware copies itself to C:\Program Files\socks5svc\socks5svc.exe and establishes persistence through Windows service installation using the Go service library github.com/kardianos/service.

The service, named SoopSocksSvc, configures automatic startup with elevated permissions, ensuring continued operation across system restarts.

Additionally, the malware implements a fallback mechanism through scheduled tasks named SoopSocksAuto that trigger on system startup and user logon events.

The persistence strategy extends beyond service installation to include automatic firewall rule configuration that opens inbound TCP and UDP communications on port 1080.

These rules, named “SoopSocks TCP 1080” and “SoopSocks UDP 1080,” allow inbound connections to the SOCKS5 listener, so anyone who can reach the host on port 1080 can relay traffic through the compromised system.
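The following hunting script is an added example written for this page; it is not code from JFrog or from the SoopSocks package. It checks a Windows host for the artifacts described above: the dropped socks5svc.exe path, the SoopSocksSvc service, the SoopSocksAuto scheduled task, the two firewall rules on port 1080, any process listening on 1080/tcp, and Security log process-creation events (ID 4688) whose command line carries the hidden, profile-less PowerShell flags shown earlier. It assumes an elevated session and, for the last check, that process command-line auditing is enabled; the function name and the seven-day lookback window are choices made for this example.

```powershell
# Added example, not from the JFrog report or the SoopSocks package.
# Run from an elevated PowerShell session; Get-WinEvent on the Security log,
# Get-NetFirewallRule and Get-ScheduledTask details all require it.
function Find-SoopSocksArtifacts {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped binary at the path named in the report
    $binPath = 'C:\Program Files\socks5svc\socks5svc.exe'
    if (Test-Path -LiteralPath $binPath) {
        $hash = (Get-FileHash -LiteralPath $binPath -Algorithm SHA256).Hash
        $findings.Add("File present: $binPath (SHA256 $hash)")
    }

    # 2. Windows service installed via kardianos/service
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SoopSocksSvc'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add("Service: $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)")
    }

    # 3. Scheduled-task fallback (boot and logon triggers per the report)
    $task = Get-ScheduledTask -TaskName 'SoopSocksAuto' -ErrorAction SilentlyContinue
    if ($task) {
        $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
        $findings.Add("Scheduled task: $($task.TaskName) state=$($task.State) triggers=$triggers")
    }

    # 4. Firewall rules opening 1080/tcp and 1080/udp inbound
    Get-NetFirewallRule -DisplayName 'SoopSocks*' -ErrorAction SilentlyContinue | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $findings.Add("Firewall rule: '$($_.DisplayName)' dir=$($_.Direction) action=$($_.Action) proto=$($pf.Protocol) port=$($pf.LocalPort)")
    }

    # 5. Anything listening on the SOCKS5 port, whatever it is called
    Get-NetTCPConnection -LocalPort 1080 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Listener on 1080/tcp: PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

    # 6. Process-creation events carrying the installer's PowerShell flags.
    # Needs 'Audit Process Creation' with command-line logging enabled (event ID 4688);
    # the 7-day window is an assumption for this example.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match '-NoProfile' -and
            $_.Message -match '-ExecutionPolicy\s+Bypass' -and
            $_.Message -match '-WindowStyle\s+Hidden'
        } |
        ForEach-Object {
            $cmdLine = ($_.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            $findings.Add("4688 at $($_.TimeCreated): $cmdLine")
        }

    return $findings
}

$result = Find-SoopSocksArtifacts
if ($result.Count -eq 0) { 'No SoopSocks indicators found.' } else { $result }
```

The name-based checks (service, task, firewall rules, file path) are cheap and precise but only catch this exact build; the port-1080 listener check and the 4688 command-line match are broader and will also surface other hidden PowerShell installers, so treat hits from those two as leads to triage rather than confirmations.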

The malware’s ability to automatically escalate privileges through UAC bypass mechanisms ensures successful deployment even on systems with standard user accounts, representing a significant security concern for organizational environments.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
