Executive Summary
STORESOCKS is an ongoing proxy campaign hiding a Go backconnect implant inside signed, trojanized Microsoft Store utility apps. Detection and IOCs inside.
hexastrike.com
Microsoft App Store publisher continues hosting undisclosed proxyware: StoreSocks proxyware campaign analysis and updates.
blog.lukeacha.com
Hexastrike uncovered an ongoing backconnect proxy campaign distributed through trojanized Microsoft Store applications. We track this activity as
STORESOCKS.
Since at least October 2025, an unknown actor has published trojanized free utility applications to the Microsoft Store. The applications impersonate common desktop tools, including WinDirStat, Lightshot, screen recorders, memory cleaners, and auto-clickers. They are not broken decoys or simple launchers. Each analyzed Store package contains a working Electron-based utility interface that matches the advertised purpose of the application. In the background, the same application loads a native Go DLL through a Node FFI bridge and enrolls the victim host as a TCP and UDP proxy node.
The delivery path is central to the campaign. The applications are packaged as MSIX and are validly signed through Microsoft’s Store signing pipeline. This gives the packages a trust signal that many users and organizations associate with safer software distribution. The malicious behavior is not introduced by an unsigned installer or a visible second-stage dropper. It is bundled inside the Store-delivered package and executed by the packaged application itself.
The payload is a Go backconnect proxy. It registers the victim host with helper servers, receives relay instructions, establishes encrypted relay sessions, and tunnels proxy streams through the victim system. The recovered protocol supports SOCKS5-style target addressing for IPv4, domain names, and IPv6. The implant supports both TCP and UDP proxying.
The campaign has evolved across multiple waves. Earlier Store packages used client.dll and the Node FFI library koffi. The live June 2026 wave uses telemetry.dll or lib3Z7.dll, switches to @yuuang/ffi-rs, and inflates the payload size to approximately 68 MB. Hexastrike assesses that the live payloads contain the same backconnect module re-hosted inside a larger Go application tree associated with Gogs, an open-source Git service. This changes how the binary presents itself to tooling and makes simple provenance checks less reliable.
At the time of analysis on 27 June 2026, earlier Store listings had already been removed. The campaign was still active. Hexastrike confirmed at least four armed Microsoft Store applications across two seller accounts live on 27 June 2026.