Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

SoopSocks: The PyPI Package That Looked Like a Proxy But Was a Backdoor to Windows

Antonio Piazzolla : 4 October 2025 12:48

The story of SoopSocks is one we, unfortunately, know well: a PyPI package that promises utility — a SOCKS5 proxy — but in reality introduces a well-orchestrated malicious implementation .

We’re not talking about your average improvised script; SoopSocks is built with a chain of actions designed to achieve persistence, reduce noise, and establish a stable command/control channel. The package has been published to PyPI (Python Package Index) , the official Python package registry.

The deceptive package, dubbed ” soopsocks ,” had 2,653 downloads before being removed. It was first uploaded by a user named “soodalpie” on September 26, 2025, the same date the account was created.

This combination is designed to maximize success rates: compiled components for execution, scripts for integration, and native mechanisms for persistence. The result is a package that functions as a “utility” while simultaneously establishing a remote base.

Attacker’s strategy: stealth and reliability

SoopSocks disguised itself as a Python library, security researchers report , to provide a SOCKS5 proxy. In reality, it implemented a small, persistent backdoor setup on Windows: it installed itself as a service, opened the appropriate firewall port, remained active across reboots, and periodically sent information out.

How to install: After installation, the package wasn’t limited to Python modules. In some versions, it also included a compiled executable (written in Go) and one or more orchestration scripts (PowerShell/VBScript). These components were used to:

  • install a Windows service that starts automatically (so it restarts at every boot);
  • have a persistence plan B in place via a scheduled task, if service creation fails;
  • Run PowerShell commands in “silent” mode (bypassing execution policies and reducing on-screen messages) to configure yourself and stay under the radar.

What does it do once active?

Officially, it exposed a SOCKS5 proxy (typically on port 1080). Behind the scenes:

  • added firewall rules to open the proxy port, so incoming traffic wasn’t blocked;
  • maintained persistence (service + task) so as to survive reboots or incomplete “cleanup” attempts;
  • It ran low-profile telemetry : at regular intervals, it collected information about the machine (host name, system version, network configuration and status, IP addresses) and sent it out using common channels (HTTPS), usually in small, frequent packets so as not to attract attention.

Because it’s hard to notice

Many actions passed through legitimate Windows tools (PowerShell, Task Scheduler, firewall management). From a signature-only monitoring perspective, these operations might appear to be normal administrative tasks. Furthermore, by actually offering a “working” SOCKS5, the package lowered the suspicion threshold : those who tested it saw that it “did its job” and rarely checked the extra components.

The key point

SoopSocks combined useful functionality (the proxy) with well-known intrusion/persistence mechanics . This mix transformed a seemingly innocuous library into a remote foothold : a host that an attacker could use as a controllable proxy and from which to collect data, with a deliberately low network “noise” profile.

This strategy demonstrates a practical understanding of how corporate defense teams operate: attackers design their techniques to appear “normal” compared to their daily operational profile. Using development environments as a point of dissemination allows for the creation of persistence points for lateral movement. Furthermore, using internal/local repositories can preserve malicious versions even after they have been removed online, as they remain cached.
Without periodic testing and cleanup rules, development teams risk continuing to use them without realizing it.

SoopSocks hasn’t revolutionized the threat landscape, but it has shown how the combination of legitimate components and proven techniques can turn a library into a serious compromise vector. For organizations, the challenge isn’t just technical, but above all procedural: defending the software supply chain requires controls and procedures.

Antonio Piazzolla
IT Infrastructure & Security Manager with more than 20 years of experience in complex business environments. In the Casillo Group, he deals with business continuity, security and innovation. Microsoft, VMware, Cisco and ITIL certified.

Lista degli articoli