GSocket, a legitimate open-source tunneling tool, is being weaponized via malicious bash scripts to establish encrypted, firewall-bypassing backdoors on Linux hosts; the encrypted C2 channel (SRP-AES-256-CBC-SHA) blends into normal traffic and evades perimeter controls, making host-level detection the primary investigative surface. No CVE is assigned and no patch is applicable; remediation is detection and policy-driven. Organizations should audit all Linux hosts for unauthorized gs-netcat, gsocket, and gs-sftp binaries, block Deno and GSocket execution via application control where not approved, and query bash history for curl-pipe-bash delivery patterns.