Threat actors are abusing GSocket, a legitimate open-source tunneling utility, to establish encrypted, firewall-traversing persistent backdoors on Linux systems (Ubuntu and derivatives) via bash-delivered scripts, with no CVE applicable since the tool itself is not malicious. The attack is living-off-the-land in nature, meaning signature-based detection will not flag the GSocket binary; detection must focus on process and behavioral indicators including gs-netcat/gs-sftp spawned from bash or wget, cron persistence artifacts, and outbound TCP sessions to gsrn.io or gsocket.io. Organizations should immediately scan Linux endpoints for unauthorized GSocket installations in non-standard paths, review all cron and systemd entries for unknown scheduled tasks, and implement egress filtering to restrict connections to the GSocket Global Socket Relay Network.
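The three indicators named above (GSocket tools spawned from bash or wget or sitting in a non-standard path, cron entries that reference them, and outbound sessions to the relay domains), expressed as detection logic over telemetry. This is an added example, not code from the original advisory; the event field names (`exe`, `parent`, `dest_host`, `dest_port`), the set of directories treated as standard, and every sample record are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

GS_BINARIES = {"gs-netcat", "gs-sftp"}          # tool names given in the text
SUSPECT_PARENTS = {"bash", "wget"}              # parent processes given in the text
RELAY_DOMAINS = ("gsrn.io", "gsocket.io")       # relay domains given in the text
STANDARD_DIRS = {"/usr/bin", "/usr/local/bin"}  # assumption: adjust to your baseline

def check_process(evt):
    """Flag a GSocket tool by its parent process and by its install path."""
    exe = PurePosixPath(evt["exe"])
    if exe.name not in GS_BINARIES:
        return []
    hits = []
    if evt["parent"] in SUSPECT_PARENTS:
        hits.append(f"{exe.name} spawned by {evt['parent']}")
    if str(exe.parent) not in STANDARD_DIRS:
        hits.append(f"{exe.name} in non-standard path {exe.parent}")
    return hits

def check_cron(line):
    """Flag an active (non-comment) cron line that references a GSocket tool."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return [f"cron references GSocket tool: {line}"] if any(b in line for b in GS_BINARIES) else []

def check_connection(conn):
    """Match the relay domain or a subdomain of it, never a bare substring."""
    host = conn["dest_host"].lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in RELAY_DOMAINS):
        return [f"outbound TCP to relay {host}:{conn['dest_port']}"]
    return []

def scan(procs, cron_lines, conns):
    checks = [(check_process, procs), (check_cron, cron_lines), (check_connection, conns)]
    return [hit for fn, items in checks for item in items for hit in fn(item)]

# Constructed sample telemetry (not taken from a real incident).
PROCS = [{"exe": "/home/dev/.cache/gs-netcat", "parent": "bash"},
         {"exe": "/usr/bin/wget", "parent": "bash"},
         {"exe": "/usr/bin/gs-sftp", "parent": "sshd"}]
CRON = ["# m h dom mon dow command",
        "*/5 * * * * /home/dev/.cache/gs-netcat",
        "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf"]
CONNS = [{"dest_host": "example-relay.gsrn.io", "dest_port": 443},
         {"dest_host": "gsocket.io", "dest_port": 443},
         {"dest_host": "gsrn.io.example.com", "dest_port": 443}]  # lookalike, must not match

if __name__ == "__main__":
    print("\n".join(scan(PROCS, CRON, CONNS)))
```

Matching on binary name misses a renamed copy, so the relay-domain check should run independently of the process check rather than only as confirmation.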