
Earth Lusca Expands Arsenal with Windows SprySOCKS Malware

“The WIN_DRV version […] enables TCP traffic diversion allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor's real listening port in the network traffic,” ESET explains.

ESET links Windows SprySOCKS activity to Earth Lusca (FishMonger)

ESET researchers say they have found Windows variants of the SprySOCKS malware family that were used between 2023 and 2024 against government organizations in Taiwan, Thailand, Pakistan, and Honduras. The activity is attributed with high confidence to the Chinese-linked threat actor Earth Lusca, which ESET also tracks under the names ‘FishMonger,’ ‘Aquatic Panda,’ ‘Red Dev 10,’ and TAG-22. ESET published a detailed technical analysis and indicators of compromise intended to help organizations identify and protect against these attacks.

Two Windows variants: WIN_DRV and WIN_PLUS

The Windows deployments fall into two discrete variants. WIN_DRV contains kernel drivers that give the malware rootkit-like capabilities; WIN_PLUS is described as a more barebones backdoor. Both variants are capable of communicating over TCP, UDP, and WebSocket, support more than 30 command-and-control commands, and can operate as both a client and a server. Common functions across both include system-information collection; process and service enumeration and management; comprehensive file operations (list, create, delete, upload, download, copy, rename, execute); SOCKS proxy functionality; and logging of keystrokes, clipboard contents, and active window titles.

Kernel-level stealth, driver loading, and persistence mechanisms

WIN_DRV adds kernel-level stealth features by loading a driver named ‘RawWNPF’ directly into memory. That driver is loaded by another kernel driver called ‘DriverLoader’ (fsdiskbit.sys), which ESET says is signed using a leaked certificate from the GitHub PastDSE project. The loaded driver enables the malware to hide processes via Windows API manipulation, hide network connections, hide files from directory listings, and hide malicious Registry key entries used for persistence.

Persistence mechanisms differ by variant. For WIN_DRV, persistence is achieved via scheduled tasks and Image File Execution Options (IFEO) using vds.exe. WIN_PLUS registers the payload as a Windows Print Processor (VSPMsg) to maintain persistence.

TCP traffic diversion and covert command delivery

A notable feature observed by ESET is a component that inspects incoming TCP traffic and redirects specially crafted packets to the SprySOCKS backdoor. In practice, this lets operators deliver commands through an arbitrary or random TCP port on the victim host while the backdoor’s true listening port never appears in network traffic. ESET describes this as deliberate TCP traffic diversion intended to conceal the backdoor’s real listening port from network visibility.

Telemetry hinting at a UEFI bootkit and the CVE-2023-24932 connection

ESET telemetry also showed indications of a UEFI bootkit component that might exploit CVE-2023-24932, a Secure Boot flaw previously used as a zero-day by other malware. ESET notes the telemetry but provides no further details or strong evidence to support a direct link to the earlier BlackLotus activity referenced in the advisory.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: ESET’s report includes detailed technical analysis and indicators of compromise that can be used to hunt for WIN_DRV and WIN_PLUS activity, including checks for the RawWNPF driver behavior, the signed DriverLoader (fsdiskbit.sys), IFEO and scheduled-task persistence, and the VSPMsg print-processor registration method.
  • Policymakers and regulators: The attribution to Earth Lusca/FishMonger and the cross-border targeting of government organizations in Taiwan, Thailand, Pakistan, and Honduras underline the transnational nature of the activity ESET describes and the potential value of sharing IOCs and telemetry among affected national CERTs and international partners.
  • Affected enterprises and procurement leaders: The discovery of Windows variants with kernel-level hiding and TCP diversion underscores the need to apply vendor guidance and threat-specific IOCs; ESET’s material is positioned as an immediate resource for detection and mitigation. The source also references a Picus whitepaper that shows how breach-and-attack simulation can test SIEM and EDR rules so threats stop slipping by detection.
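The following hunting script is an added example and is not ESET’s tooling or part of the original report. It turns the host-side artifacts named above (the vds.exe IFEO entry and scheduled-task persistence used by WIN_DRV, the VSPMsg print-processor registration used by WIN_PLUS, and the fsdiskbit.sys DriverLoader) into registry, task and driver checks a responder can run on a Windows endpoint. The registry locations are the standard Windows homes for IFEO and print processors; the artifact names come from the report; the filter thresholds for scheduled tasks are an assumption chosen for triage. The in-memory RawWNPF driver leaves no file to check, so it is out of scope for this script and needs memory forensics instead.

```powershell
# Added example: hunt for the SprySOCKS WIN_DRV / WIN_PLUS persistence and loader
# artifacts described in ESET's report. Run elevated. Findings are emitted as objects
# so they can be piped to Export-Csv or a SIEM collector.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Host = $env:COMPUTERNAME; Category = $Category; Detail = $Detail })
}

# 1. IFEO persistence (WIN_DRV): a Debugger value under the vds.exe key makes Windows
#    launch the attacker's binary every time vds.exe is started. Check both views.
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe'
)
foreach ($key in $ifeoKeys) {
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO' "vds.exe Debugger = $dbg ($key)" }
    }
}

# 2. Print Processor persistence (WIN_PLUS registers 'VSPMsg'). The spooler loads the
#    DLL named in each processor's Driver value; 'winprint' is the only built-in one.
$ppGlob = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\*\Print Processors'
Get-ChildItem -Path $ppGlob -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.PSChildName
    $dll  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
    if ($name -ieq 'VSPMsg') {
        Add-Finding 'PrintProcessor' "VSPMsg registered, Driver = $dll"
    } elseif ($name -ine 'winprint') {
        Add-Finding 'PrintProcessor' "Non-default processor '$name', Driver = $dll (review)"
    }
}

# 3. Scheduled-task persistence (WIN_DRV). The report gives no task name, so list tasks
#    whose action runs from outside the Windows / Program Files trees (assumed triage filter).
$trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute
        if (-not $exe) { continue }
        $full = [Environment]::ExpandEnvironmentVariables($exe).Trim('"').ToLowerInvariant()
        $inTrusted = $false
        foreach ($t in $trusted) { if ($full.StartsWith($t)) { $inTrusted = $true } }
        if (-not $inTrusted) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) runs $exe $($action.Arguments)"
        }
    }
}

# 4. DriverLoader (fsdiskbit.sys). ESET says it is signed with a leaked certificate, so a
#    'Valid' Authenticode status is not exoneration; report the file and its signer for review.
$driverHits = @()
$driverHits += Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -and ((Split-Path $_.PathName -Leaf) -ieq 'fsdiskbit.sys') } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }
$driverHits += Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'fsdiskbit.sys' `
    -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
foreach ($path in ($driverHits | Sort-Object -Unique)) {
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
    Add-Finding 'Driver' "fsdiskbit.sys at $path, signature status = $($sig.Status), signer = $subject"
}

# Report. An empty list means none of the report's named artifacts were found on disk or
# in the registry; it says nothing about the in-memory RawWNPF driver.
if ($findings.Count -eq 0) {
    Write-Output "No SprySOCKS WIN_DRV/WIN_PLUS persistence or loader artifacts found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
}
```

Because WIN_DRV hides registry keys and files from the host once its driver is loaded, run these checks from a clean boot environment or against an offline image as well as on the live system; a clean result on a live host that has already loaded the rootkit driver is not conclusive.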

ESET’s findings mark the Windows-stage evolution of a malware family previously seen on Linux and reveal operational choices — kernel drivers, signed loader components, TCP diversion and covert command channels, and print-processor persistence — designed to reduce network and host visibility. The report supplies actionable indicators and a technical map defenders can use now; one open thread in ESET’s telemetry is the hinted UEFI bootkit and its potential tie to CVE-2023-24932, where ESET offered suggestive telemetry but no firm linkage.

Read the original ESET-based coverage at BleepingComputer: https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/