Antonio Piazzolla : 4 October 2025 12:48
The story of SoopSocks is one we, unfortunately, know well: a PyPI package that promises utility — a SOCKS5 proxy — but in reality introduces a well-orchestrated malicious implementation .
We’re not talking about your average improvised script; SoopSocks is built with a chain of actions designed to achieve persistence, reduce noise, and establish a stable command/control channel. The package has been published to PyPI (Python Package Index) , the official Python package registry.
The deceptive package, dubbed ” soopsocks ,” had 2,653 downloads before being removed. It was first uploaded by a user named “soodalpie” on September 26, 2025, the same date the account was created.
This combination is designed to maximize success rates: compiled components for execution, scripts for integration, and native mechanisms for persistence. The result is a package that functions as a “utility” while simultaneously establishing a remote base.
SoopSocks disguised itself as a Python library, security researchers report , to provide a SOCKS5 proxy. In reality, it implemented a small, persistent backdoor setup on Windows: it installed itself as a service, opened the appropriate firewall port, remained active across reboots, and periodically sent information out.
How to install: After installation, the package wasn’t limited to Python modules. In some versions, it also included a compiled executable (written in Go) and one or more orchestration scripts (PowerShell/VBScript). These components were used to:
Officially, it exposed a SOCKS5 proxy (typically on port 1080). Behind the scenes:
Many actions passed through legitimate Windows tools (PowerShell, Task Scheduler, firewall management). From a signature-only monitoring perspective, these operations might appear to be normal administrative tasks. Furthermore, by actually offering a “working” SOCKS5, the package lowered the suspicion threshold : those who tested it saw that it “did its job” and rarely checked the extra components.
SoopSocks combined useful functionality (the proxy) with well-known intrusion/persistence mechanics . This mix transformed a seemingly innocuous library into a remote foothold : a host that an attacker could use as a controllable proxy and from which to collect data, with a deliberately low network “noise” profile.
This strategy demonstrates a practical understanding of how corporate defense teams operate: attackers design their techniques to appear “normal” compared to their daily operational profile. Using development environments as a point of dissemination allows for the creation of persistence points for lateral movement. Furthermore, using internal/local repositories can preserve malicious versions even after they have been removed online, as they remain cached.
Without periodic testing and cleanup rules, development teams risk continuing to use them without realizing it.
SoopSocks hasn’t revolutionized the threat landscape, but it has shown how the combination of legitimate components and proven techniques can turn a library into a serious compromise vector. For organizations, the challenge isn’t just technical, but above all procedural: defending the software supply chain requires controls and procedures.