Overview
- ESET published a technical analysis on Tuesday that identifies two previously undocumented Windows builds of SprySOCKS, called WIN_DRV and WIN_PLUS, tied to intrusions against government organizations in 2023–2024 in Taiwan, Thailand, Pakistan and Honduras.
- The stealthier WIN_DRV uses a kernel driver named RawWNPF that is loaded through a DriverLoader component (fsdiskbit.sys) signed with a leaked PastDSE certificate, enabling the malware to hide processes, files, registry keys and network connections from common tools.
- WIN_DRV also implements a TCP traffic diversion technique that inspects incoming packets for a marker and redirects them to the hidden backdoor port so operators can send commands without exposing a listening port in network traffic.
- Both Windows variants include hard-coded command-and-control settings, speak over TCP, UDP and WebSocket, support more than 30 operator commands (including SOCKS proxying, file transfer and keystroke logging), and use DLL side-loading plus persistence via scheduled tasks, IFEO and a print-processor registration.
- ESET attributes the activity with high confidence to the China-linked Earth Lusca (FishMonger) cluster and warns defenders to prioritize the new IOCs, kernel-driver detection, scheduled-task/IFEO/print-processor artifacts and monitoring for anomalous TCP/UDP/WebSocket C2 patterns while the possible UEFI bootkit link remains unconfirmed.
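The persistence and driver artifacts listed above (scheduled tasks, IFEO, print-processor registration, the fsdiskbit.sys loader) are all enumerable from a host. The following PowerShell triage script is an added example, not code from ESET or from the report: it walks the standard Windows locations for each mechanism and flags entries a defender should review. The suspicious-name list contains only the driver file name given in the summary; the allowlist of "expected" binary directories, the assumption that `winprint` is the only legitimate print processor, and the rule that a running driver not signed by Microsoft is worth a look are the script's own assumptions, not findings from the report.

```powershell
# Added triage script (not ESET's tooling). Run from an elevated PowerShell session.
# Registry paths are the standard Windows locations for each persistence mechanism.

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Detail) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. IFEO: a Debugger value makes Windows launch that program instead of the named executable.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO' "$($_.PSChildName) -> $dbg" }
}

# 2. Print processors: any DLL registered here is loaded by spoolsv.exe as SYSTEM.
#    Assumption: only the built-in 'winprint' entry is expected on a clean host.
$ppRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
Get-ChildItem $ppRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $ppKey = Join-Path $_.PSPath 'Print Processors'
    Get-ChildItem $ppKey -ErrorAction SilentlyContinue | ForEach-Object {
        $drv = (Get-ItemProperty $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if ($_.PSChildName -ne 'winprint') {
            Add-Finding 'PrintProcessor' "$($_.PSChildName) -> $drv"
        }
    }
}

# 3. Scheduled tasks: report actions whose binary lives outside the directories
#    assumed here to be normal (Windows and Program Files).
$expectedDirs = '^(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }          # COM-handler actions have no Execute
        $exe = $a.Execute.Trim('"')
        if ($exe -notmatch $expectedDirs) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $exe $($a.Arguments)"
        }
    }
}

# 4. Kernel drivers: match the loader file name from the report, and flag any running
#    driver whose image is not Microsoft-signed. A leaked but still-valid third-party
#    certificate passes signature validation, so Status alone is not a sufficient check.
$suspectNames = @('fsdiskbit.sys')   # from the summary above; extend with published IOCs
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    if (-not $_.PathName) { return }
    # Normalise \SystemRoot\... and \??\C:\... forms to a plain file-system path.
    $path = $_.PathName -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    $leaf = Split-Path $path -Leaf
    if ($suspectNames -contains $leaf) {
        Add-Finding 'Driver' "IOC name match: $($_.Name) ($path) state=$($_.State)"
        return
    }
    if ($_.State -eq 'Running' -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
            Add-Finding 'Driver' "$($_.Name): $path signer=$subject status=$($sig.Status)"
        }
    }
}

if ($Findings.Count -eq 0) { 'No findings' } else { $Findings | Sort-Object Source | Format-Table -AutoSize }
```

Two caveats apply when reading the output. First, the summary says the RawWNPF driver hides processes, files, registry keys and connections from common tools; a live host with that driver loaded can therefore return a clean result from this script, so corroborate with an offline disk image, a boot from trusted media, or kernel-level telemetry. Second, the allowlists here are deliberately coarse: a task pointing into a user-writable directory or a print processor other than `winprint` is a lead to investigate, not a verdict.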