GSocket
GSocket (the Global Socket Toolkit, part of The Hacker's Choice toolkit) is a peer-to-peer proxying, tunneling and backdoor utility that provides TCP connectivity through NAT and firewalls using end-to-end encryption and the Global Socket Relay Network (GSRN). In the reporting collected here it is repeatedly used post-compromise on Linux servers to establish persistent, covert remote access with encrypted communications, typically masquerading as kernel-thread-style processes.
Observed malicious use includes deployment on compromised Adobe Commerce/Magento servers following exploitation of CosmicSting (CVE-2024-34102), sometimes chained with CNEXT (CVE-2024-2961). Attackers dropped ~/.config/htop/defunct (the gsocket binary) and ~/.config/htop/defunct.dat (its secret), then launched the binary with -k defunct.dat to read the secret and -liqD to run it as a quiet, interactive, daemonized listener (gs-netcat's listen, interactive-shell, quiet and daemon/watchdog flags). Persistence was maintained via cron, and the masqueraded process names observed were [raid5wq], [kswapd0], [slub_flushwq], [card0-crtc8] and [netns]. In that campaign GSocket kept covert access open while attackers injected JavaScript into Magento store headers to steal payment data via attacker-controlled WebSocket infrastructure. Reported IOCs include the file paths .config/htop/defunct and .config/htop/defunct.dat and the IPs 5.231.182.98, 45.10.160.45 and 193.93.193.74.
Cisco Talos also observed gsocket in post-compromise activity against unpatched Cisco Catalyst SD-WAN Manager environments during exploitation of CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122. In one cluster, attackers deployed gsocket using a Base58-decoded peer ID taken from defunct.dat, alongside an XMRig Monero miner launched through the user's .profile file.
Elastic Security Labs reported attackers using GSOCKET for encrypted communications in a March 2024 Linux server campaign that exploited Apache2 for arbitrary code execution and deployed KAIJI and RUDEDEVIL/LUFICER; GSOCKET processes were disguised as kernel processes, with persistence also maintained through cron jobs, PHP payloads and systemd services. Cyble additionally reported ShadowHS abusing GSocket user-space tunnels (gs-dbus and gs-netcat) to replace rsync's transport for covert staging and exfiltration, routing through the hardcoded rendezvous endpoint 62.171.153[.]47. Separate reporting states that attackers install a GSocket backdoor on compromised WordPress/PHP servers used to host gambling content, and that the technique is commonly abused by threat actors leveraging The Hacker's Choice toolkit.
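The tradecraft above repeats across the reports: a userland process wearing a kernel-thread name, a drop path under ~/.config/htop/, and a cron entry that relaunches the binary. The following Python hunting script is an added example written for this page; it is not from any vendor report or from the gsocket project. The process records and crontab text it contains are constructed samples, and the detection heuristic (a non-empty /proc/PID/cmdline whose argv[0] is bracketed, with a parent other than kthreadd) is the editor's, not a published rule. Run as root for full /proc visibility.

```python
#!/usr/bin/env python3
"""Hunt for gsocket-style tradecraft on a Linux host (added example).

Three checks, each a pure function so it can be exercised on constructed data:
  1. userland processes presenting a kernel-thread-style argv[0] such as [kswapd0]
  2. crontab lines referencing the .config/htop/defunct drop path
  3. presence of the drop files under home directories
"""
import glob
import os
import re

# Kernel thread names are bracketed, e.g. [kswapd0], [raid5wq], [card0-crtc8].
KERNEL_STYLE_NAME = re.compile(r"^\[[\w:/.-]+\]$")
KTHREADD_PID = 2
DROP_PATHS = (".config/htop/defunct", ".config/htop/defunct.dat")

# Constructed sample records (not real telemetry): (pid, cmdline bytes, ppid).
SAMPLE_PROCS = [
    (4242, b"[kswapd0]\0", 1),           # userland process with a kernel-thread name
    (123, b"", 2),                        # genuine kernel thread: empty cmdline, parent kthreadd
    (900, b"/usr/sbin/sshd\0-D\0", 1),   # ordinary daemon
]
# Constructed crontab mirroring the -k/-liqD launch described in the reporting.
SAMPLE_CRONTAB = (
    "* * * * * /home/www/.config/htop/defunct -liqD -k /home/www/.config/htop/defunct.dat\n"
    "0 3 * * * /usr/bin/certbot renew\n"
)


def is_fake_kernel_thread(cmdline: bytes, ppid: int) -> bool:
    """True for a userland process wearing a kernel-thread name.

    Genuine kernel threads expose an empty /proc/PID/cmdline and descend from
    kthreadd (PID 2). A process whose argv[0] looks like '[kswapd0]' yet has a
    populated cmdline and a different parent is masquerading.
    """
    if not cmdline:
        return False
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    return bool(KERNEL_STYLE_NAME.match(argv0)) and ppid != KTHREADD_PID


def parse_ppid(status_text: str) -> int:
    """Extract the parent PID from the text of /proc/PID/status (-1 if absent)."""
    for line in status_text.splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return -1


def scan_proc(proc: str = "/proc") -> list:
    """Walk procfs and return (pid, argv0, exe) for masquerading processes."""
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            with open(os.path.join(base, "status")) as fh:
                ppid = parse_ppid(fh.read())
        except OSError:
            continue  # process exited, or not readable without privileges
        if is_fake_kernel_thread(cmdline, ppid):
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = "?"
            hits.append((int(entry), cmdline.split(b"\0", 1)[0].decode("utf-8", "replace"), exe))
    return hits


def cron_lines_referencing_drop(crontab_text: str) -> list:
    """Return crontab lines that mention the htop/defunct drop path."""
    return [ln for ln in crontab_text.splitlines() if any(p in ln for p in DROP_PATHS)]


def find_drop_files(home_dirs) -> list:
    """Return the drop-file paths that exist under the given home directories."""
    return [os.path.join(h, rel) for h in home_dirs for rel in DROP_PATHS
            if os.path.exists(os.path.join(h, rel))]


def demo() -> dict:
    """Run the pure checks over the constructed samples (used by the test)."""
    return {
        "masquerading": [pid for pid, cmd, ppid in SAMPLE_PROCS if is_fake_kernel_thread(cmd, ppid)],
        "cron": cron_lines_referencing_drop(SAMPLE_CRONTAB),
    }


if __name__ == "__main__":
    print("constructed sample:", demo())
    for pid, name, exe in scan_proc():
        print(f"masquerading process pid={pid} argv0={name} exe={exe}")
    homes = ["/root"] + glob.glob("/home/*")
    for path in find_drop_files(homes):
        print(f"drop file present: {path}")
    for crontab in ["/etc/crontab"] + glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/crontabs/*"):
        try:
            with open(crontab) as fh:
                for ln in cron_lines_referencing_drop(fh.read()):
                    print(f"{crontab}: {ln}")
        except OSError:
            pass
```

The argv[0] check is deliberately loose: any bracketed name from a process with a real command line is worth a look, because nothing legitimate in userland needs to present itself that way. Confirm a hit by reading /proc/PID/exe (a real kernel thread has none) and /proc/PID/net/tcp for the outbound relay connection.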
Vulnerabilities exploited
Five CVEs are correlated with this family across public research and vendor advisories: CVE-2024-34102 (CosmicSting) and CVE-2024-2961 (CNEXT) on Adobe Commerce/Magento, and CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 on Cisco Catalyst SD-WAN Manager.
The binary file dropped in ~/.config/htop/defunct is identified as gsocket. The Global Socket Toolkit facilitates peer-to-peer TCP connections, even through NAT/Firewalls, using end-to-end encryption and a relay network.
Cisco Talos said it observed multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026. The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to CISA's KEV catalog last month. The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 2 techniques
Privilege Escalation: 1 technique
Stealth: 2 techniques
Lateral Movement: 2 techniques
SSH from Workstation B to Workstation A through any firewall/NAT:
$ gsocket /usr/sbin/sshd      # Workstation A
$ gsocket ssh root@gsocket    # Workstation B
Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device.
Command and Control: 5 techniques
The filename was “systemd-resolved” and the agent’s command and control (C2) is “194[.]163[.]175[.]135:4445” ... The Sliver sample’s C2 is “mtls://23.27.143[.]170:443” ... an RSA public key to be used by the agent to communicate with the C2 hosted on “hxxp://13[.]62[.]52[.]206:5004”.
Access the entirety of Workstation A's private LAN (SOCKS4/4a/5 proxy):
$ gs-netcat -l -S      # Workstation A (exit node)
$ gs-netcat -p 1080    # Workstation B
Uses the Global Socket Relay Network to connect TCP pipes... Once connected the library then negotiates a secure TLS connection (end-to-end).
IOCs tracked for this family
Three indicators (file hashes: MD5, SHA-1, SHA-256 from samples and reports) are attributed across vendor reports, sandbox runs and researcher write-ups.
Recent activity
Seven sources are tracked across advisories, community write-ups and news.
A peer-based proxying and tunneling tool used post-compromise to relay communications through the Global Socket Relay Network.
A tool from the THC toolkit referenced as being deployed with process masquerading techniques such as kernel-process-style naming.
Legitimate user-space tunneling utility abused to create covert channels for data staging and exfiltration (here used as the rsync transport to evade typical network monitoring and firewall/egress controls).
GSocket is a backdoor installed on compromised servers, allowing attackers persistent access and the ability to host malicious content, such as fraudulent gambling sites. It is used as part of a large-scale infrastructure for both financial fraud and potentially nation-state cyber operations.