Earth Lusca Used Windows SprySOCKS Malware to Target Government Organizations
Security researchers have uncovered Windows variants of the SprySOCKS malware that were used in attacks against government organizations across multiple countries. The malware, linked to the China-aligned threat group Earth Lusca, targeted government entities in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024.
According to a new report from ESET, the Windows versions significantly expand the capabilities of the previously known Linux-based SprySOCKS malware. The attacks primarily focused on organizations involved in foreign affairs, technology, and telecommunications.
Two Windows Variants Identified
ESET identified two distinct Windows versions of the malware, named WIN_DRV and WIN_PLUS.
WIN_DRV is the more advanced variant and includes kernel-level components that provide rootkit-like functionality. WIN_PLUS operates as a simpler backdoor but still offers extensive remote access capabilities.
Both versions support communication over TCP, UDP, and WebSocket protocols and include more than 30 command-and-control functions. Attackers can use the malware to collect system information, manage processes and services, and perform a wide range of file operations.
The malware can list, create, delete, upload, download, copy, rename, and execute files. It also includes SOCKS proxy functionality, allowing compromised systems to act as network relays.
Advanced Stealth Features
The most notable addition in the Windows variants is the introduction of kernel-level stealth mechanisms.
WIN_DRV maps a kernel driver called RawWNPF directly into memory by way of a second kernel driver, DriverLoader (fsdiskbit.sys). Researchers found that DriverLoader was signed with a leaked code-signing certificate associated with the PastDSE project on GitHub, so it loads as a validly signed driver instead of having to defeat Driver Signature Enforcement.
Once active, the driver enables the malware to hide processes, files, Registry entries, and network connections from security tools and system administrators.
The malware also includes surveillance features capable of recording keystrokes, capturing clipboard data, and monitoring active window titles.
Persistence and Covert Communications
WIN_DRV establishes persistence through scheduled tasks and an Image File Execution Options (IFEO) registry entry for vds.exe, the Virtual Disk Service binary. WIN_PLUS instead persists by registering itself as a Windows Print Processor named VSPMsg, so the print spooler service loads it.
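The host artifacts named on this page (the DriverLoader driver fsdiskbit.sys, the IFEO entry for vds.exe, the VSPMsg print processor and scheduled-task persistence) can be checked for with the PowerShell script below. It is an added example written for this page, not code from ESET or the article. The function name, the scheduled-task path heuristic and the decision to also check the SilentProcessExit key are this script's own assumptions, because the report excerpt does not say which IFEO value or task name is used.

```powershell
# Added example for this page, not code from ESET or the article. Checks a host for the
# SprySOCKS Windows artifacts named in the text. Anything marked ASSUMED is this script's
# guess, not an indicator from the report.
#Requires -RunAsAdministrator

function Find-SprySocksArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. IFEO tied to vds.exe. The text does not say which IFEO value is abused, so report
    #    every value under the vds.exe key, and (ASSUMED) also the SilentProcessExit key,
    #    the other IFEO location commonly used for persistence.
    $ifeoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\vds.exe'
    )
    foreach ($key in $ifeoKeys) {
        if (Test-Path -Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { $findings.Add("IFEO: $key : $($_.Name) = $($_.Value)") }
        }
    }

    # 2. Print Processors. A stock install registers only winprint (winprint.dll) per
    #    environment; VSPMsg, or any other addition, is a DLL the spooler will load.
    $envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    foreach ($printEnv in Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue) {
        $ppKey = Join-Path -Path $printEnv.PSPath -ChildPath 'Print Processors'
        foreach ($pp in Get-ChildItem -Path $ppKey -ErrorAction SilentlyContinue) {
            if ($pp.PSChildName -ne 'winprint') {
                $dll = (Get-ItemProperty -Path $pp.PSPath).Driver
                $tag = if ($pp.PSChildName -eq 'VSPMsg') { 'PrintProcessor (SprySOCKS name)' }
                       else { 'PrintProcessor (non-default)' }
                $findings.Add("$tag : $($printEnv.PSChildName)\$($pp.PSChildName) -> $dll")
            }
        }
    }

    # 3. DriverLoader (fsdiskbit.sys). RawWNPF is mapped into memory by DriverLoader rather
    #    than installed as a service, so only the loader is expected to appear here. Record
    #    the signer, since the report says a leaked certificate was used.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'fsdiskbit\.sys$' } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip NT "\??\" prefix
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $findings.Add("Driver: $($_.Name) $path state=$($_.State) " +
                          "signer='$($sig.SignerCertificate.Subject)' status=$($sig.Status)")
        }

    # 4. Scheduled tasks. No task name is given, so this (ASSUMED) heuristic lists tasks whose
    #    action runs a binary outside the Windows and Program Files trees. Bare command names
    #    with no path are flagged too, which is noisy but safer than missing one.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    $trustedPattern = '^(' + ($trusted -join '|') + ')'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($exe -notmatch $trustedPattern) {
                $findings.Add("Task: $($task.TaskPath)$($task.TaskName) -> $exe $($action.Arguments)")
            }
        }
    }

    return $findings
}

$results = Find-SprySocksArtifacts
if ($results.Count -eq 0) { 'No SprySOCKS-related artifacts found.' } else { $results }
```

Run it from an elevated PowerShell session. An empty result is not proof of a clean host: the page notes that WIN_DRV's kernel component hides processes, files, Registry entries and network connections from tools running on the live system, so corroborate with an offline copy of the registry hives or a boot-time scan.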
Researchers also discovered a covert networking feature within WIN_DRV. The malware can inspect incoming TCP traffic and redirect specially crafted packets to the backdoor, allowing attackers to communicate through random TCP ports without exposing the malware’s actual listening port.
This technique makes detection significantly more difficult and helps conceal malicious activity on compromised systems.
Possible UEFI Component Discovered
ESET’s investigation also uncovered telemetry that suggests Earth Lusca may be experimenting with a UEFI bootkit component. While researchers did not confirm the existence of a fully deployed bootkit, the findings indicate ongoing efforts to expand the group’s persistence and stealth capabilities.
The report includes detailed technical analysis and indicators of compromise that organizations can use to identify and mitigate infections.
In related security developments, researchers recently disclosed attacks involving Backdoor.Turn malware delivered through Microsoft Teams, while a separate Microsoft 365 Copilot SearchLeak vulnerability was found capable of exposing sensitive enterprise data.
Via BleepingComputer