
Windows version of SprySOCKS Linux malware used to attack govt orgs

Why This Matters

The discovery of Windows variants of the SprySOCKS malware used by the Chinese threat group Earth Lusca highlights a significant escalation in cyber espionage tactics targeting government organizations worldwide. These advanced malware versions, with kernel-level stealth capabilities, pose increased challenges for detection and defense, emphasizing the need for robust cybersecurity measures for both government and enterprise sectors.

Key Takeaways

Windows variants of the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.

SprySOCKS has been linked to the Chinese threat group ‘Earth Lusca,’ which deployed it in attacks against government entities focused on foreign affairs, technology, and telecommunications.

ESET researchers have now discovered Windows variants of the same malware family that were used between 2023 and 2024 in attacks on government organizations in Taiwan, Thailand, Pakistan, and Honduras.

ESET attributes the activity with high confidence to the Earth Lusca threat actor, which it tracks as ‘FishMonger’ (also ‘Aquatic Panda,’ ‘Red Dev 10,’ and TAG-22).

Unlike the previously documented Linux version, the Windows variant adds kernel-level stealth capabilities that allow operators to hide malware artifacts and to communicate with the backdoor through traffic redirected from arbitrary TCP ports.

The two variants are WIN_DRV, which features kernel drivers for rootkit-like capabilities, and WIN_PLUS, a more barebones backdoor.

Both variants offer the following capabilities:

Communicate over TCP, UDP, and WebSocket

Support more than 30 command-and-control (C2) commands

Collect system information
