Skip to main content
root@rebel:~$ cd /news/threats/earth-lusca-deploys-new-sprysocks-windows-variant-against-governments_
[TIMESTAMP: 2026-06-16 09:59 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Earth Lusca Deploys New SprySOCKS Windows Variant Against Governments

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] State-sponsored actors are using a new Windows variant of SprySOCKS to compromise government organizations across multiple countries for espionage.
  • [02] Impacted systems include Windows-based servers and workstations within government networks often targeted via vulnerabilities in public-facing applications.
  • [03] Organizations should immediately update public-facing software implement egress filtering and monitor for unauthorized remote shell activity.

Overview

The threat actor known as Earth Lusca, a sophisticated APT group with links to the Winnti Group, has expanded its technical arsenal by developing a Windows version of the SprySOCKS malware. Historically identified as a Linux-exclusive backdoor, this new variant demonstrates a strategic shift toward cross-platform capabilities to maximize the reach of espionage campaigns. According to BleepingComputer, these attacks have successfully targeted government organizations in at least four countries, highlighting a persistent interest in sensitive state infrastructure.

Technical Analysis of SprySOCKS Windows Variant

The Windows iteration of SprySOCKS is heavily derived from the source code of Trochilus, an open-source remote access tool often favored by Chinese-aligned threat groups. The malware typically arrives on a system through a multi-stage infection chain involving a specialized loader designed to decrypt and execute the main payload in memory to evade traditional EDR solutions.

Once active, the malware establishes a connection with a C2 server using a customized TCP-based protocol. The backdoor provides a comprehensive suite of espionage functions, including:

  • System Enumeration: Collecting hostnames, OS versions, and hardware configuration via the GetSystemInfo command.
  • File Manipulation: Capabilities to upload, download, and delete files on the compromised host.
  • Interactive Shell: Providing the attacker with remote command-line access to execute arbitrary system commands.
  • Proxying: Using the infected host as a pivot point for Lateral Movement within the internal network.

Earth Lusca Threat Actor TTPs and Delivery Mechanisms

Earth Lusca frequently gains initial access by exploiting CVE vulnerabilities in public-facing web servers. Recent campaigns have leveraged CVE-2023-41892, a critical RCE vulnerability in Craft CMS, to gain a foothold in target environments. Additionally, the group has been observed utilizing CVE-2024-24919 to extract credentials from Check Point Security Gateways. These TTP patterns indicate a focus on high-value entry points that allow for stealthy persistence before the deployment of the SprySOCKS payload.

Detection and Monitoring

Security teams must focus on identifying the specific network behaviors associated with this malware to protect SprySOCKS malware government targets. The C2 traffic often exhibits a distinct heartbeat pattern and specific packet headers inherited from the Trochilus codebase.

To effectively understand how to detect SprySOCKS Windows malware, defenders should monitor for suspicious cmd.exe or powershell.exe processes spawned by web server services (e.g., w3wp.exe or httpd.exe). Furthermore, analyzing EDR telemetry for unusual file writes in temporary directories or the execution of unsigned DLLs is essential. Mapping these observations to the MITRE ATT&CK framework—specifically focusing on T1105 (Ingress Tool Transfer) and T1059 (Command and Scripting Interpreter)—can help SOC analysts contextualize the threat.

Mitigation and Remediation

Defenders should prioritize the following actions to mitigate the risk posed by Earth Lusca:

  1. Vulnerability Management: Rapidly patch all internet-facing assets, specifically addressing the CVSS 9.8 vulnerability CVE-2023-41892 in Craft CMS and high-severity issues in VPN gateways.
  2. Network Segmentation: Implement strict egress filtering to block unauthorized TCP connections to unknown external IP addresses, particularly on non-standard ports used by C2 infrastructure.
  3. Credential Hygiene: Enforce multi-factor authentication (MFA) across all remote access points to prevent the use of stolen credentials obtained during the initial stages of an attack.

By focusing on these foundational security controls, organizations can significantly reduce their attack surface and disrupt the operational effectiveness of Earth Lusca’s espionage efforts.

Advertisement