THREATOPS
THREAT OPSThreat News › ghostsurf: From NTLM Relay to Browser Session Hijacking

ghostsurf: From NTLM Relay to Browser Session Hijacking

lowspecteropsPublished 2026-04-02

<p class="wp-block-paragraph"><em><strong>TL;DR:</strong> <code>ntlmrelayx</code>&#8216;s SOCKS proxy works great for SMB and MSSQL but fails when you try to browse a web application through it &#8211; I dug into why, found several fundamental issues with how it handles HTTP, built <code>ghostsurf</code> to fix them, and along the way, discovered (and circumvented) some undocumented Windows kernel

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://specterops.io/blog/2026/04/02/ghostsurf-from-ntlm-relay-to-browser-session-hijacking/