Windows version of SprySOCKS Linux malware targets government agencies in multiple countries
At a glance:
- Chinese-linked threat group Earth Lusca deployed Windows variants of SprySOCKS Linux malware against government organizations in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024.
- The Windows variants (WIN_DRV and WIN_PLUS) feature kernel-level stealth capabilities, including rootkit functionality and TCP traffic redirection to hide C2 communications.
- Both variants support over 30 command-and-control commands, keylogging, clipboard monitoring, SOCKS proxy functionality, and file management operations.
Attack Campaign Details
ESET researchers discovered Windows variants of SprySOCKS that were actively used in attacks targeting government organizations across four countries. The campaigns ran between 2023 and 2024, focusing on entities involved in foreign affairs, technology, and telecommunications sectors. This marks a significant expansion of Earth Lusca's operational scope, as the group previously deployed only Linux versions of the malware.
The affected nations include Taiwan, Thailand, Pakistan, and Honduras, demonstrating a geographically diverse targeting pattern. While the specific objectives of each attack remain unclear, the consistent focus on government infrastructure suggests strategic intelligence-gathering operations rather than financially motivated cybercrime.
Technical Capabilities and Variants
The Windows variants split into two distinct implementations: WIN_DRV and WIN_PLUS. WIN_DRV incorporates kernel drivers for rootkit-like capabilities, while WIN_PLUS serves as a more streamlined backdoor. Both variants share core functionality including communication over TCP, UDP, and WebSocket protocols, support for more than 30 command-and-control commands, system information collection, and process/service management.
Additional shared capabilities include file operations (list, create, delete, upload, download, copy, rename, execute), SOCKS proxy functionality that allows the malware to operate as both client and server, and monitoring features for keystrokes, clipboard content, and active window titles. The WIN_DRV variant includes extra functionality through a driver named 'RawWNPF' loaded directly into memory from another kernel driver called 'DriverLoader' (fsdiskbit.sys).
Evasion Techniques and Persistence
The WIN_DRV variant employs sophisticated evasion methods using a driver signed with a leaked certificate from the GitHub PastDSE project. This enables process hiding through Windows API manipulation, network connection concealment, file hiding from directory listings, and Registry key entry masking for persistence mechanisms.
Persistence is achieved through multiple methods: scheduled tasks and Image File Execution Options (IFEO) via vds.exe for WIN_DRV, and registering the payload as a Windows Print Processor (VSPMsg) for WIN_PLUS. An additional observed feature allows inspecting incoming TCP traffic and redirecting specially crafted packets to the SprySOCKS backdoor, enabling communication without exposing the listening port in network traffic.
Threat Actor Attribution
ESET attributes this activity with high confidence to Earth Lusca, a Chinese threat group also tracked as 'FishMonger' (Aquatic Panda, Red Dev 10, TAG-22). The group has been increasingly active in deploying custom malware families against government targets, with SprySOCKS representing a sophisticated tool in their arsenal.
The discovery of Windows variants indicates Earth Lusca has expanded its targeting capabilities beyond Linux environments. This evolution reflects the group's adaptability and commitment to maintaining access across diverse operational environments, particularly in government sectors requiring long-term infiltration and data collection.
Potential UEFI Bootkit Connection
ESET telemetry data showed indications of a UEFI bootkit component that might exploit CVE-2023-24932, a Secure Boot flaw previously used as a zero-day by the BlackLotus UEFI malware. However, ESET noted that no further details or strong evidence were provided to support a definitive link to BlackLotus.
This potential connection highlights the advanced technical capabilities within Earth Lusca's toolkit: UEFI-level persistence is among the most sophisticated persistence mechanisms seen in modern attacks, because a bootkit that runs before the operating system loads can survive an operating system reinstallation.
Mitigation Recommendations
Organizations should implement comprehensive detection strategies including network monitoring for unusual TCP traffic patterns, behavioral analysis for suspicious driver loading, and endpoint detection for the specific indicators of compromise outlined in ESET's report. Given the sophisticated evasion techniques employed, traditional signature-based approaches may prove insufficient.
The use of signed drivers and legitimate Windows mechanisms for persistence underscores the need for enhanced privilege management and regular auditing of scheduled tasks, print processors, and Image File Execution Options. Security teams should also consider implementing application control policies and monitoring for unusual certificate usage patterns.
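The following PowerShell audit is an added example, not code from ESET's report or the article: it walks the three persistence locations named above (Image File Execution Options, print processors, scheduled tasks) and lists running kernel drivers whose signer is not Microsoft, which is the check a leaked-certificate driver like WIN_DRV's would otherwise pass. The names vds.exe, VSPMsg and WIN_DRV come from the article; the registry paths are standard Windows locations, and the script assumes an elevated session.

```powershell
# Constructed audit script: walks the persistence locations named in the article
# (IFEO, print processors, scheduled tasks) plus running kernel drivers and prints
# entries that deserve a closer look. Assumes an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $name, $value) {
    $findings.Add([pscustomobject]@{ Type = $type; Name = $name; Value = $value })
}

# 1. IFEO: a "Debugger" value silently runs another binary in place of the named one
#    (the article reports WIN_DRV using this against vds.exe).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO' $_.PSChildName $dbg }
}

# 2. Print processors: the spooler loads the listed DLL, so anything other than the
#    built-in winprint entry is worth reviewing (WIN_PLUS registered as "VSPMsg").
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
Get-ChildItem $envRoot -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem (Join-Path $_.PSPath 'Print Processors') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne 'winprint' } | ForEach-Object {
            Add-Finding 'PrintProcessor' $_.PSChildName (Get-ItemProperty $_.PSPath).Driver
        }
}

# 3. Scheduled tasks whose action does not live under the Windows directory.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
            Add-Finding 'ScheduledTask' $_.TaskName "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Running drivers not signed by Microsoft. A leaked third-party certificate (as
#    used by WIN_DRV) still yields a valid signature, so filter on the signer, not
#    merely on Status -eq 'Valid'.
Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Add-Finding 'Driver' $_.Name "$path (signature: $($sig.Status))"
        }
    }

$findings | Sort-Object Type, Name | Format-Table -AutoSize
```

Every flagged entry needs a human decision; legitimate third-party drivers, vendor scheduled tasks and some IFEO debuggers will appear, so compare the output against a known-good baseline from a clean host rather than treating each hit as a compromise.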
Broader Implications
The discovery of Windows variants for SprySOCKS demonstrates the evolving nature of state-sponsored malware development. Threat actors are increasingly cross-platform in their approach, adapting existing tools for multiple operating systems rather than developing entirely new malware families.
This trend suggests that organizations should maintain vigilance across all platforms in their environment, as attackers show willingness to extend successful campaigns to previously unaffected systems. The sophistication of the evasion techniques also indicates that Earth Lusca possesses significant technical resources and expertise in Windows internals.
ESET's report provides detailed technical analysis and indicators of compromise that organizations can use to identify and protect against SprySOCKS-based attacks. As cybersecurity continues to evolve, understanding these advanced persistent threat tactics remains crucial for defending critical infrastructure.
Prepared by the editorial stack from public data and external sources.