[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA7BRi4XB1nNogRioSQ--kJU2RCQ1Yot87Ix1ZoeeQC4":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":33},"20fc5d08-41b3-4c2e-83e4-99ba398cd861","Windows version of SprySOCKS Linux malware used to attack govt orgs","windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs-cd2f44","Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries. [...]","The Chinese threat group Earth Lusca, also known as FishMonger, has expanded its operations by deploying Windows variants of the SprySOCKS malware. These new variants, discovered by ESET, were used between 2023 and 2024 to target government organizations in Taiwan, Thailand, Pakistan, and Honduras. The Windows versions offer advanced stealth capabilities, including kernel-level rootkit features and traffic redirection to hide communication.","Windows variants of SprySOCKS malware used by Earth Lusca group against government orgs.","Windows version of SprySOCKS Linux malware used to attack govt orgs By Bill Toulas, June 16, 2026 05:00 AM Windows variants of the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries. SprySOCKS has been linked to the Chinese threat group ‘Earth Lusca,’ which deployed it in attacks against government entities focused on foreign affairs, technology, and telecommunications. Now, ESET researchers have discovered Windows variants of the same malware family that were used between 2023 and 2024 in attacks on government organizations in Taiwan, Thailand, Pakistan, and Honduras. 
ESET attributes the activity with high confidence to the Earth Lusca threat actor, which it tracks as ‘FishMonger’ (also ‘Aquatic Panda,’ ‘Red Dev 10,’ and TAG-22). Unlike the previously documented Linux version, the Windows variant adds kernel-level stealth capabilities that let operators hide malware artifacts and reach the backdoor through traffic redirected from arbitrary TCP ports. The two variants are WIN_DRV, which ships kernel drivers for rootkit-like capabilities, and WIN_PLUS, a more barebones backdoor. Both variants offer the following capabilities:
- Communicate over TCP, UDP, and WebSocket
- Support more than 30 command-and-control (C2) commands
- Collect system information
- Enumerate and manage processes and services
- List, create, delete, upload, download, copy, rename, and execute files
- Support SOCKS proxy functionality
- Operate as both a client and a server
- Log keystrokes, clipboard content, and active window titles
[Figure: The WIN_PLUS variant execution flow. Source: ESET]
The WIN_DRV variant adds the ability to load a driver named ‘RawWNPF’ directly into memory. That driver is loaded by another kernel driver, ‘DriverLoader’ (fsdiskbit.sys), which is signed with a leaked certificate from the GitHub PastDSE project. The driver lets the malware hide processes via Windows API manipulation, hide network connections, hide files from directory listings, and hide the Registry keys it uses for persistence. Persistence is achieved via scheduled tasks and an Image File Execution Options (IFEO) entry for vds.exe in the case of WIN_DRV, and by registering the payload as a Windows Print Processor (VSPMsg) in the case of WIN_PLUS. Another observed feature inspects incoming TCP traffic and redirects specially crafted packets to the SprySOCKS backdoor, so operators can communicate with it without exposing its listening port. 
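A hunting check for the persistence and loader artifacts described above, added here as an example; it is not code from the article or from ESET. It assumes the standard Windows registry locations for IFEO entries, print processors and driver services, and uses only the artifact names the article reports (vds.exe, VSPMsg, fsdiskbit.sys). Because the WIN_DRV driver hides files, network connections and registry keys on a live system, an empty result from a suspect host proves nothing; where possible, repeat the same checks against an offline registry hive or disk image.

```powershell
# Added hunting example; not code from the article or from ESET.
# Assumptions: standard Windows registry locations for IFEO entries, print
# processors and driver services. Only the artifact names (vds.exe, VSPMsg,
# fsdiskbit.sys) come from the article. Run in an elevated PowerShell.
# Caveat: the WIN_DRV driver hides files, connections and registry keys on a
# live host, so an empty result from a suspect machine proves nothing; repeat
# the checks against an offline registry hive or disk image where possible.

function Find-SprySocksPersistence {
    $findings = @()

    # 1. IFEO hijack of vds.exe: a Debugger value here makes Windows start the
    #    named program whenever vds.exe is launched.
    $ifeoKey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vds.exe'
    if (Test-Path -Path $ifeoKey) {
        $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $findings += [pscustomobject]@{ Technique = 'IFEO vds.exe'; Detail = $debugger }
        }
    }

    # 2. Print processor persistence: each subkey names a DLL the spooler
    #    loads. winprint (localspl.dll) is the built-in default; anything else
    #    (the article names VSPMsg) is worth checking, along with its Driver DLL.
    $ppKeys = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\*\\Print Processors'
    Get-ChildItem -Path $ppKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne 'winprint' } |
        ForEach-Object {
            $driver = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
            $findings += [pscustomobject]@{ Technique = 'Print processor ' + $_.PSChildName; Detail = $driver }
        }

    # 3. DriverLoader (fsdiskbit.sys): a kernel driver is loaded through a
    #    service entry. Match the file name in ImagePath, not the service name,
    #    which the attacker chooses freely.
    Get-ChildItem -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $image = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($image -like '*fsdiskbit.sys*') {
                $findings += [pscustomobject]@{ Technique = 'Driver service ' + $_.PSChildName; Detail = $image }
            }
        }

    # 4. Scheduled tasks: the article gives no task name, so flag any task whose
    #    action runs from a user-writable location, a generic persistence signal.
    $userWritable = @('*\\Users\\*', '*\\ProgramData\\*', '%APPDATA%*', '%LOCALAPPDATA%*', '%TEMP%*')
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if ($exe -and ($userWritable | Where-Object { $exe -like $_ })) {
                $findings += [pscustomobject]@{ Technique = 'Scheduled task ' + $task.TaskName; Detail = ($exe + ' ' + $action.Arguments).Trim() }
            }
        }
    }

    return $findings
}

Find-SprySocksPersistence | Format-Table -AutoSize
```

An IFEO Debugger value on vds.exe, a print processor other than winprint, or a service whose ImagePath names fsdiskbit.sys are the high-signal hits; the scheduled task check is a broad heuristic and will need triage against the host's known-good tasks.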
“The WIN_DRV version […] enables TCP traffic diversion allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor's real listening port in the network traffic,” ESET explains.
[Figure: The WIN_DRV execution flow. Source: ESET]
ESET telemetry also showed indications of a UEFI bootkit component that might exploit CVE-2023-24932, a Secure Boot flaw previously exploited as a zero-day by the BlackLotus UEFI bootkit. However, no further details or strong evidence were provided to support a link to BlackLotus. ESET's report provides a detailed technical analysis and indicators of compromise that can help organizations identify and protect against attacks using the Windows versions of the SprySOCKS backdoor. Although these variants are not new, their discovery shows that Earth Lusca has expanded its arsenal to target a more diverse range of systems.
","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fwindows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F01\u002F06\u002Fchina.jpg","2026-06-16T09:00:00+00:00","2026-06-16T10:00:23.567653+00:00",8,[18,21,23,26],{"name":19,"type":20},"Earth Lusca","threat_actor",{"name":22,"type":20},"FishMonger",{"name":24,"type":25},"Windows","product",{"name":27,"type":25},"Linux","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":28,"icon":30,"name":31,"slug":32},null,"Threat Intelligence","threat-intelligence",[34,39],{"category":35},{"id":36,"icon":30,"name":37,"slug":38},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":40},{"id":41,"icon":30,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[45],{"type":46,"value":47,"context":48},"cve","CVE-2023-24932","Potential exploitation of Secure Boot flaw by UEFI bootkit component"]