SprySOCKS malware expands from Linux to Windows, hits 4 govts

Huma Shazia | 17 June 2026 at 5:32 am | 5 min read

Key Takeaways

Source: BleepingComputer
  • ESET discovered Windows variants of SprySOCKS malware previously seen only on Linux systems
  • The malware includes kernel-level rootkit capabilities to hide processes, files, and network connections
  • Government organizations in Taiwan, Thailand, Pakistan, and Honduras were targeted between 2023 and 2024

The SprySOCKS malware family has jumped from Linux to Windows. ESET researchers found Windows variants of the backdoor used against government organizations in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024. The threat actor behind the campaign: Earth Lusca, a China-aligned cyber-espionage group also tracked as FishMonger, Aquatic Panda, and Red Dev 10.

This matters because SprySOCKS was previously documented only as a Linux threat. The Windows versions add kernel-level stealth that makes detection significantly harder. One variant can hide malware artifacts from standard administrative tools and redirect traffic through arbitrary TCP ports to mask command-and-control communications.

What can SprySOCKS do on Windows?

ESET identified two Windows variants: WIN_DRV and WIN_PLUS. Both share a core feature set that gives attackers extensive control over compromised systems.

  • Communicate over TCP, UDP, and WebSocket protocols
  • Support more than 30 distinct command-and-control instructions
  • Collect system information and enumerate running processes
  • Create, delete, copy, rename, and execute files
  • Log keystrokes, clipboard content, and active window titles
  • Function as a SOCKS proxy in both client and server modes
The WIN_PLUS variant execution flow

WIN_DRV is the more dangerous variant. It loads a kernel driver called RawWNPF directly into memory, enabling rootkit behavior that hides processes from Windows API calls, conceals network connections from tools like netstat, removes malicious files from directory listings, and masks registry keys used for persistence.

How does the malware stay hidden on the network?

The WIN_DRV variant includes a traffic diversion feature that inspects incoming TCP packets and redirects specially crafted ones to the SprySOCKS backdoor. Operators can send commands through any TCP port on the victim's device without exposing the backdoor's actual listening port in network traffic.

The WIN_DRV version enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's real listening port in the network traffic.

— ESET

The driver responsible for this stealth is loaded by another kernel driver called DriverLoader (fsdiskbit.sys), which is signed using a leaked certificate from the GitHub PastDSE project. Using a legitimate but compromised certificate helps the malware evade driver signature enforcement.

The WIN_DRV execution flow

How does SprySOCKS persist after reboot?

The two variants use different persistence mechanisms. WIN_DRV relies on scheduled tasks and Image File Execution Options (IFEO) hijacking through vds.exe. WIN_PLUS takes a different approach, registering itself as a Windows Print Processor under the name VSPMsg.
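The persistence and loader artifacts named above (the IFEO entry for vds.exe, the VSPMsg print processor, and the fsdiskbit.sys driver) can be checked on a host with the following hunting script. It is an added example, not code from ESET or BleepingComputer; the registry paths are the standard Windows locations for those mechanisms, and the value names (Debugger, Driver, ImagePath) are the standard ones for each key. Because the WIN_DRV rootkit filters what the Windows API returns, a clean result on a live host is weaker evidence than a clean result from offline registry hives or a boot disk.

```powershell
# Added hunting script: looks for the SprySOCKS persistence/loader artifacts described in the
# article. Reads go through the standard registry and CIM APIs, which a kernel rootkit can
# filter, so treat a clean live-host result with caution. Run from an elevated PowerShell session.
function Find-SprySocksArtifacts {
    $findings = @()

    # 1. IFEO hijack of vds.exe: a Debugger value makes Windows launch another binary instead.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe'
    if (Test-Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Artifact = 'IFEO vds.exe'; Detail = $dbg; Location = $ifeo }
        }
    }

    # 2. Print Processor named VSPMsg (WIN_PLUS persistence). Checked in every print
    #    environment rather than assuming x64; the Driver value names the loaded DLL.
    $envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $pp = Join-Path $_.PSPath 'Print Processors\VSPMsg'
        if (Test-Path $pp) {
            $dll = (Get-ItemProperty -Path $pp -ErrorAction SilentlyContinue).Driver
            $findings += [pscustomobject]@{ Artifact = 'Print Processor VSPMsg'; Detail = $dll; Location = $pp }
        }
    }

    # 3. DriverLoader (fsdiskbit.sys): as a currently loaded kernel driver ...
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like '*fsdiskbit.sys*' } | ForEach-Object {
            $findings += [pscustomobject]@{ Artifact = 'Loaded driver fsdiskbit.sys'; Detail = $_.State; Location = $_.PathName }
        }
    # ... and as a registered service, which survives even when the driver is not running.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -like '*fsdiskbit.sys*') {
            $findings += [pscustomobject]@{ Artifact = 'Service ImagePath fsdiskbit.sys'; Detail = $img; Location = $_.PSPath }
        }
    }

    return $findings
}

# Any row in the output is a high-priority finding; an empty table is not proof of a clean host.
Find-SprySocksArtifacts | Format-Table -AutoSize
```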

ESET's telemetry also picked up signs of a UEFI bootkit component that may exploit CVE-2023-24932, a Secure Boot vulnerability previously used as a zero-day by the BlackLotus malware. However, the researchers stopped short of confirming a direct link, noting they lacked strong evidence.

Which countries were targeted?

ESET confirmed government organizations in four countries: Taiwan, Thailand, Pakistan, and Honduras. The targets align with Earth Lusca's documented interest in entities focused on foreign affairs, technology, and telecommunications. The geographic spread, including Central America, suggests the group is expanding beyond its traditional focus on the Asia-Pacific region.

Earth Lusca has operated since at least 2020. The group is known for targeting government ministries, universities, and telecommunications providers. Security researchers have previously linked it to campaigns against organizations in Hong Kong, the Philippines, Vietnam, and other countries.

What are security teams saying?

Discussion on r/netsec and Hacker News has focused on the group's "evolutionary" approach. The use of kernel-mode drivers to hide network connections from standard monitoring tools drew particular concern. Standard commands like netstat would show nothing unusual, even while the backdoor actively communicates with its operators.

Community experts noted the group's persistent focus on geopolitical targets. The inclusion of Honduras, a country not typically associated with Chinese cyber-espionage campaigns, raised questions about whether Earth Lusca is expanding its mandate or pursuing specific intelligence objectives in Central America.

ESET's report includes indicators of compromise and detailed technical analysis. Organizations concerned about exposure can use these to hunt for signs of infection in their environments.


Logicity's Take

The jump from Linux to Windows with added rootkit capabilities signals Earth Lusca is investing in long-term access to government networks. Kernel-mode hiding defeats the monitoring tools most IT teams check first. Organizations in the group's target sectors should prioritize endpoint detection and response solutions that operate below the standard Windows API layer, and treat any anomalous driver loading as a high-priority alert.

Frequently Asked Questions

What is SprySOCKS malware?

SprySOCKS is a backdoor used by the China-linked Earth Lusca threat group. Originally a Linux threat, Windows variants with rootkit capabilities have now been discovered targeting government organizations.

Who is Earth Lusca?

Earth Lusca, also tracked as FishMonger, Aquatic Panda, and Red Dev 10, is a Chinese cyber-espionage group active since at least 2020. It targets government entities, universities, and telecommunications providers.

How does SprySOCKS hide from detection?

The WIN_DRV variant uses kernel drivers to hide processes, network connections, files, and registry keys from Windows API calls and standard administrative tools.

Which governments were targeted by SprySOCKS?

ESET confirmed attacks on government organizations in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024.

How can organizations detect SprySOCKS?

ESET published indicators of compromise in their technical report. Organizations should use EDR solutions that monitor kernel-level activity and flag anomalous driver loading.


Need Help Implementing This?

If your organization needs assistance reviewing endpoint detection configurations or hunting for indicators of compromise related to Earth Lusca activity, contact our security advisory partners for a threat assessment.



Huma Shazia

Senior AI & Tech Writer
