The Chinese APT Earth Lusca - tracked as FishMonger, Aquatic Panda, Red Dev 10, or TAG-22 - now has a Windows version of its SprySOCKS backdoor, and it brings kernel-level stealth that engineers need to understand. ESET researchers found two variants, WIN_DRV and WIN_PLUS, deployed between 2023 and 2024 against government organizations in Taiwan, Thailand, Pakistan, and Honduras. The targets: foreign affairs, tech, and telecom bodies.
Kernel Driver Loading With a Leaked Certificate
WIN_DRV loads a driver named RawWNPF directly into memory via a separate kernel driver called DriverLoader (fsdiskbit.sys). That driver is signed using a leaked certificate from the GitHub PastDSE project - a known public bypass for Driver Signature Enforcement. Once loaded, RawWNPF hides processes via Windows API manipulation, conceals network connections, removes files from directory listings, and hides the malicious Registry keys used for persistence. Persistence itself relies on scheduled tasks and Image File Execution Options (IFEO) via vds.exe. WIN_PLUS takes a different route, registering the payload as a Windows Print Processor (VSPMsg).
TCP Traffic Diversion Hides Listening Ports
Both variants share a core toolbox: over 30 C2 commands, support for TCP, UDP, and WebSocket transport, full file and process management, SOCKS proxy (client and server modes), and keystroke, clipboard, and active-window logging. What sets WIN_DRV apart is its ability to inspect incoming TCP traffic on any port and redirect specially crafted packets to the SprySOCKS backdoor. As ESET explains, this lets operators send commands without ever exposing the backdoor's real listening port on the wire. No open port to scan, no anomalous listener to detect.
UEFI Bootkit Connection Still Hazy
ESET telemetry also flagged a potential UEFI bootkit component tied to CVE-2023-24932, the Secure Boot vulnerability that BlackLotus exploited as a zero-day. The report stops short of solid evidence linking Earth Lusca to BlackLotus, but the possibility of a bootkit persistence layer should keep defenders watching for signed bootloaders with unusual behavior. The Windows SprySOCKS variants are not brand new - they were active in 2023-2024 - but their discovery shows that Earth Lusca has expanded beyond Linux targets and invested in kernel-level evasion that widens the blind spots of traditional EDR.
Source: Windows version of SprySOCKS Linux malware used to attack govt orgs
Domain: bleepingcomputer.com