
Windows Version of SprySOCKS Linux Malware Used to Attack Govt Orgs
Why It Matters
The emergence of a Windows‑compatible SprySOCKS widens the set of systems the threat actor can reach, forcing government IT teams to defend Linux and Windows environments with the same rigour. Its kernel‑level hiding techniques make detection harder, raising the risk of prolonged, undetected espionage.
Key Takeaways
- Earth Lusca deployed Windows SprySOCKS variants against government bodies in four countries
- WIN_DRV loads a kernel driver signed with a code‑signing certificate that leaked on GitHub, giving it rootkit‑style stealth
- WIN_PLUS persists by registering as a Windows Print Processor, a low‑profile foothold for the backdoor
- The malware can divert arbitrary TCP traffic so that the backdoor's own listening port is not exposed
Pulse Analysis
SprySOCKS first appeared as a Linux‑only backdoor used by the Chinese‑state‑aligned APT known as Earth Lusca, also tracked as FishMonger, Aquatic Panda and TAG‑22. The recent ESET report shows the group porting the codebase to Windows and delivering the payload to ministries of foreign affairs, technology and telecommunications across four countries. This cross‑platform shift mirrors a broader trend among sophisticated threat actors, who adapt proven tools to evade defenses that are often siloed by operating system. By keeping the same SOCKS proxy functionality, the attackers retain a familiar command‑and‑control framework while expanding their reach.
WIN_DRV introduces a kernel driver chain: a secondary driver called DriverLoader loads RawWNPF, a driver signed with the leaked certificate. This gives the malware rootkit‑style capabilities such as hiding processes, network sockets and registry keys, effectively erasing its footprint from standard system utilities. WIN_PLUS is lighter: it persists by masquerading as a Windows Print Processor (VSPMsg) and can also gain execution through Image File Execution Options registry entries. Both variants support TCP, UDP and WebSocket channels, more than 30 C2 commands, file manipulation, keystroke logging and full SOCKS proxy operation, giving operators a versatile espionage platform on Windows hosts.
The appearance of a Windows‑compatible SprySOCKS raises the detection bar for security teams, as Linux‑focused signatures will miss the new rootkit behavior. Analysts should hunt for the leaked PastDSE certificate, the fsdiskbit.sys driver, the VSPMsg print processor, and the characteristic TCP‑diversion pattern that disguises back‑channel traffic. Governments should reinforce endpoint protection, enforce strict driver signing policies, and deploy network‑level anomaly detection to spot unexpected SOCKS proxy activity. One caveat on signing policy: a driver signed with a leaked but not yet revoked certificate still passes Driver Signature Enforcement, so the specific driver and signer also need to be blocklisted (for example through a WDAC policy) rather than relying on signature validity alone. As Earth Lusca continues to diversify its toolkit, the incident underscores the need for unified, cross‑platform threat‑intelligence sharing across allied nations.
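As an added example, not code from the page or from ESET, the following PowerShell script sweeps a single Windows host for the artifacts the analysis names: a registered Print Processor called VSPMsg, Image File Execution Options hijacks, a driver file named fsdiskbit.sys, and loaded drivers whose signer subject matches "PastDSE". The page gives the certificate's name but not its exact subject string, and it does not say which executable the IFEO entry targets, so the signer pattern is an assumption to be adjusted from the published indicators and every IFEO entry is simply reported for review.

```powershell
# Added hunting script (not from the page or from ESET). Sweeps one Windows host for the
# persistence and driver artifacts described in the write-up. Names taken from the page:
# VSPMsg (print processor), fsdiskbit.sys (driver), PastDSE (certificate). The signer
# pattern is an ASSUMPTION: the page names the certificate, not its exact subject string.

$SuspectPrintProcessors = @('VSPMsg')
$SuspectDriverNames     = @('fsdiskbit.sys')
$SuspectSignerPatterns  = @('PastDSE')   # assumed substring of the leaked cert's subject

function Get-PrintProcessorFindings {
    # Each print processor is a subkey of Print\Environments\<arch>\Print Processors whose
    # "Driver" value names a DLL under %SystemRoot%\System32\spool\prtprocs\<arch>\.
    # winprint is the stock processor; anything else is reported, VSPMsg as a known name.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    foreach ($envKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $procRoot = "$($envKey.PSPath)\Print Processors"
        if (-not (Test-Path $procRoot)) { continue }
        foreach ($proc in Get-ChildItem $procRoot) {
            if ($proc.PSChildName -ieq 'winprint') { continue }
            $dll = (Get-ItemProperty $proc.PSPath -ErrorAction SilentlyContinue).Driver
            $cat = if ($SuspectPrintProcessors -contains $proc.PSChildName) { 'PrintProcessor/KNOWN' } else { 'PrintProcessor/REVIEW' }
            [pscustomobject]@{ Category = $cat; Location = $proc.PSPath; Detail = "Driver=$dll" }
        }
    }
}

function Get-IfeoFindings {
    # A "Debugger" value under IFEO\<exe> makes Windows launch that program (with <exe> as its
    # argument) whenever <exe> starts; a "MonitorProcess" value under SilentProcessExit\<exe>
    # launches the named program whenever <exe> exits. Neither needs a service or scheduled task.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Category = 'IFEO/Debugger'; Location = $k.PSChildName; Detail = $dbg } }
    }
    $spe = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
    foreach ($k in Get-ChildItem $spe -ErrorAction SilentlyContinue) {
        $mon = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).MonitorProcess
        if ($mon) { [pscustomobject]@{ Category = 'IFEO/SilentProcessExit'; Location = $k.PSChildName; Detail = $mon } }
    }
}

function Resolve-DriverPath([string]$raw) {
    # Win32_SystemDriver.PathName comes in several shapes (\??\C:\..., \SystemRoot\..., system32\...);
    # normalise to a filesystem path, or return $null if the file cannot be found.
    if (-not $raw) { return $null }
    $p = $raw -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(system32|SysWOW64)\\') { $p = Join-Path $env:SystemRoot $p }
    if (Test-Path -LiteralPath $p) { return $p } else { return $null }
}

function Get-DriverFindings {
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path) { continue }
        $name = Split-Path $path -Leaf
        if ($SuspectDriverNames -contains $name) {
            [pscustomobject]@{ Category = 'Driver/KnownName'; Location = $path; Detail = "State=$($drv.State)" }
        }
        # Get-AuthenticodeSignature checks embedded and (on current PowerShell) catalog signatures.
        # A leaked but unrevoked certificate still yields Status=Valid, so the signer is checked too.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        foreach ($pat in $SuspectSignerPatterns) {
            if ($subject -match $pat) {
                [pscustomobject]@{ Category = 'Driver/SuspectSigner'; Location = $path; Detail = $subject }
            }
        }
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Category = 'Driver/SignatureStatus'; Location = $path; Detail = "$($sig.Status) $subject" }
        }
    }
}

$findings = @(Get-PrintProcessorFindings) + @(Get-IfeoFindings) + @(Get-DriverFindings)
$findings | Sort-Object Category, Location | Format-Table -AutoSize
```

Run it elevated, and treat a clean result with caution on a live host: the WIN_DRV component hides registry keys and processes from user‑mode tools, so the registry walk above can only be trusted on a host where the rootkit driver is not loaded (a mounted offline image, safe mode, or a machine believed clean). A Status=Valid signature is likewise not evidence of a benign driver here, because a leaked certificate remains valid until it is revoked or the driver is blocklisted.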