The Windows Twist Nobody Saw Coming
Here's the thing about state-sponsored malware: it doesn't stay in its lane. SprySOCKS was known as a Linux backdoor, clean, efficient, built for server rooms and command-line operators. Then ESET researchers went digging and found Windows variants in government networks across four countries, doing exactly what you'd expect a well-resourced threat actor to do: bring the same tooling to a second platform.
We're talking about Earth Lusca here, also tracked as FishMonger, Aquatic Panda, Red Dev 10 and TAG-22. Same group, different names depending on which vendor's tracker you read. They've been hitting government entities focused on foreign affairs, telecommunications and technology research in Taiwan, Thailand, Pakistan and Honduras. The attacks ran between 2023 and 2024, so this isn't yesterday's news: the Windows tooling had been in use for a while before anyone documented it.
The discovery matters because it signals a deliberate shift. This group didn't just port their Linux tool to Windows and call it a day. They built two distinct variants — WIN_DRV and WIN_PLUS — each with different stealth profiles, different persistence mechanisms, and different tradeoffs between power and detectability. That's not the work of a script kiddie. That's an organized operation with real engineering resources.
Two Variants, Two Philosophies
WIN_DRV is the heavy hitter. It loads a kernel-mode driver called RawWNPF directly into memory, signed with a leaked certificate from the GitHub PastDSE project. The driver gets loaded through another kernel component called DriverLoader (fsdiskbit.sys). Once it's in, the malware can hide processes, mask network connections, suppress files from directory listings, and conceal registry keys it uses for persistence. It's a full rootkit experience.
WIN_PLUS takes the opposite approach. No kernel driver, no signature tricks, just a user-mode backdoor that registers itself as a Windows print processor (VSPMsg) for persistence. It gives up the rootkit's ability to hide, but it also never produces a driver-load event or trips a kernel-integrity check, and what it leaves behind, a DLL on disk and a registry key under the print subsystem, is the kind of artifact that only gets noticed if someone is actually looking at print processors.
Both variants share a common feature set that should make any blue teamer uncomfortable:
- Communication over TCP, UDP, and WebSocket — they're not locked into one channel
- Over 30 C2 commands for system control
- Full process and service enumeration and management
- File operations: list, create, delete, upload, download, copy, rename, execute
- SOCKS proxy functionality — the malware can act as both client and server
- Keystroke logging, clipboard capture, active window title recording
The SOCKS proxy capability is particularly interesting. It means a compromised Windows machine isn't just a dead end for data exfiltration; it becomes a pivot point. An operator can route traffic through it to reach internal systems that wouldn't otherwise be accessible, and on the wire those onward connections carry the victim's address as their source. The backdoor doesn't just spy; it extends the attacker's reach.
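As an added example, not code from the ESET report or from the malware itself, and assuming the proxy speaks standard SOCKS5 (RFC 1928), here is a parser for the CONNECT exchange such a pivot produces on the wire. Run it over the operator-to-victim and victim-to-operator payloads of a captured TCP stream and it tells you where the operator was trying to go. The byte strings below are constructed to the wire format; the hosts and ports in them are made up.

```python
"""Parse a SOCKS5 CONNECT exchange out of captured TCP payloads (RFC 1928).

Added example; not code from the ESET report or the SprySOCKS sample, and it
assumes the proxy speaks standard SOCKS5. All byte strings here are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


@dataclass
class Socks5Request:
    methods: list          # auth methods the client offered in its greeting
    command: int           # 0x01 CONNECT, 0x02 BIND, 0x03 UDP ASSOCIATE
    host: str              # where the operator asked the victim to connect
    port: int


def _parse_address(buf: bytes, off: int):
    """Decode the ATYP/ADDR/PORT triple at buf[off:]; return (host, port, next_off)."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        host, off = buf[off + 1:off + 1 + n].decode("ascii"), off + 1 + n
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    (port,) = struct.unpack_from("!H", buf, off)
    return host, port, off + 2


def parse_client_stream(data: bytes) -> Socks5Request:
    """Client -> proxy direction: method greeting followed by the request."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    methods = list(data[2:2 + nmethods])
    off = 2 + nmethods
    if len(data) < off + 4 or data[off] != 0x05 or data[off + 2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    command = data[off + 1]
    host, port, _ = _parse_address(data, off + 3)
    return Socks5Request(methods, command, host, port)


def parse_server_stream(data: bytes):
    """Proxy -> client direction: chosen method, then the reply code."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x05:
        raise ValueError("not a SOCKS5 server stream")
    return data[1], data[3]          # (method chosen, REP)


def pivot_targets(streams):
    """For each (client_bytes, server_bytes) pair, the 'host:port' the proxy
    successfully connected to on the operator's behalf."""
    targets = []
    for client, server in streams:
        req = parse_client_stream(client)
        method, rep = parse_server_stream(server)
        if req.command == CMD_CONNECT and method != 0xFF and rep == REP_SUCCEEDED:
            targets.append(f"{req.host}:{req.port}")
    return targets


# Constructed capture: the operator asks the compromised host to open 10.0.0.5:443,
# and the host reports success (REP 0x00).
OPERATOR_TO_VICTIM = bytes.fromhex("050100 05010001 0a000005 01bb")
VICTIM_TO_OPERATOR = bytes.fromhex("0500 05000001 00000000 0000")

if __name__ == "__main__":
    for target in pivot_targets([(OPERATOR_TO_VICTIM, VICTIM_TO_OPERATOR)]):
        print("pivot via victim to", target)
```

On a real capture, split each TCP stream by direction first (tshark's follow output or a pcap library will do) and hand the two halves to pivot_targets; the destination it returns is the internal system the operator reached through the victim, which is what you want in the incident timeline.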
TCP Traffic Diversion: The Stealth Trick That Matters Most
Here's where WIN_DRV gets clever. It inspects incoming TCP traffic and redirects specially crafted packets to the SprySOCKS backdoor. The operator sends commands through a random TCP port on the victim's device without ever exposing the backdoor's real listening port in network traffic.
Think about what that means for detection. Network monitoring watches for connections to known C2 infrastructure, unusual listening ports, unexpected protocols and traffic patterns that don't match a host's normal profile. A listener on a fixed port shows up in netstat, in an EDR socket inventory and in a port scan; a diversion hook in the kernel shows up in none of them, because the port that accepts the operator's packets is never open in the ordinary sense and changes from session to session. What survives is smaller and easier to miss: an inbound session that completed on a port the host reports as closed. The operator still needs a path to the host, and a tap or firewall upstream still sees the flow, even if the host itself no longer admits to it.
ESET put it plainly: the WIN_DRV version enables TCP traffic diversion, allowing operators to send commands through a random port without exposing the backdoor's true listening port. That's not just evasion. That's a fundamental challenge to network-based detection.
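As an added example (not from the ESET report or the malware), here is the network-side check the argument above implies, written over constructed flow records and a constructed listener inventory; the record fields and function names are this script's own. The idea: a SYN to a port nothing listens on is normally refused with RST or silently dropped, so a session that completes the handshake and carries data back from the host on such a port was accepted by something below the socket layer. The listener inventory has to come from outside the host (a scan from another machine, or an EDR view you have reason to trust), because a rootkit that hides connections also lies to netstat.

```python
"""Spot TCP sessions a host accepted on ports it claims not to listen on.

Added example; not from the ESET report or the malware. FLOWS and LISTENERS
are constructed sample data and the field names are this script's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_to_dst: int     # payload the client sent
    bytes_from_dst: int   # payload the host sent back
    handshake_done: bool  # SYN/ACK observed, i.e. the host accepted the connection


# Constructed: listening ports per host, taken out-of-band (e.g. a scan from
# another machine), because the host's own netstat may be filtered by a rootkit.
LISTENERS = {"10.20.30.40": {135, 445, 3389}}

# Constructed flow records as a tap, firewall or NetFlow exporter would report them.
FLOWS = [
    Flow("10.20.30.7", "10.20.30.40", 445, 4096, 8192, True),       # ordinary SMB
    Flow("10.20.30.7", "10.20.30.40", 8080, 64, 0, False),          # probe; refused or dropped
    Flow("10.20.30.7", "10.20.30.40", 3389, 20000, 400000, True),   # RDP
    Flow("198.51.100.9", "10.20.30.40", 51873, 512, 2048, True),    # accepted on a closed port
    Flow("198.51.100.9", "10.20.30.40", 23117, 640, 1536, True),    # ... and another
    Flow("198.51.100.9", "10.20.30.40", 60210, 700, 1900, True),    # ... and another
]


def orphan_sessions(flows, listeners):
    """Completed, bidirectional sessions on ports with no known listener.

    A closed port should never complete a handshake and answer with data, so
    each of these was accepted by something other than a normal socket."""
    return [
        f for f in flows
        if f.handshake_done
        and f.bytes_from_dst > 0
        and f.dport not in listeners.get(f.dst, set())
    ]


def port_hoppers(flows, listeners, min_ports=2):
    """Source/destination pairs whose orphan sessions span several distinct
    ports: the pattern an operator leaves when picking a new port per session."""
    ports = defaultdict(set)
    for f in orphan_sessions(flows, listeners):
        ports[(f.src, f.dst)].add(f.dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for f in orphan_sessions(FLOWS, LISTENERS):
        print(f"orphan session {f.src} -> {f.dst}:{f.dport} ({f.bytes_from_dst} bytes back)")
    for (src, dst), ports in port_hoppers(FLOWS, LISTENERS).items():
        print(f"port hopping {src} -> {dst} across {ports}")
```

Expect noise from load balancers, ephemeral-port services and hosts whose inventory is stale; the point is that the listener baseline and the flow data come from two different vantage points, so the rootkit would have to lie to both to stay hidden.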
Persistence: How They Stay Inside
WIN_DRV achieves persistence through scheduled tasks and an Image File Execution Options (IFEO) entry for vds.exe. IFEO is a legitimate Windows feature: set a Debugger value under the IFEO key for an executable name and Windows launches that "debugger" whenever the named executable starts, handing it the original command line. It exists for attaching debuggers and compatibility shims, the kind of thing enterprise IT uses legitimately, which is exactly why it works as persistence: it's trusted, built into the OS, fires whenever a normal system process starts, and is rarely monitored.
WIN_PLUS goes simpler: it registers a print processor named VSPMsg. Print processors are DLLs the Print Spooler service (spoolsv.exe) loads from the Print Processors key under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments, so the payload comes up whenever the spooler starts, inside a Microsoft-signed service. Again, legitimate functionality abused for malicious ends.
Both approaches share a philosophy: don't create new artifacts that security tools need to learn to detect. Instead, hide inside features that are already running, already trusted, already monitored by nobody.
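As an added example (not ESET's hunting tooling and not the malware's code), the script below triages a `reg export` dump for exactly these two footholds: any IFEO subkey carrying a Debugger value, and any print processor other than the default winprint. The sample dump is constructed in reg-export syntax; vds.exe and VSPMsg are the names from the report, the file paths and DLL name beside them are invented. Export the IFEO key and the Print Environments key from a suspect host with `reg export` and feed the file to parse_reg_export.

```python
"""Triage a `reg export` dump for IFEO Debugger values and non-default print processors.

Added example; not ESET's tooling or the malware's code. REG_DUMP is a
constructed snippet in reg-export syntax: vds.exe and VSPMsg are the names the
report gives, the paths and DLL name beside them are made up for the example.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
PRINT_PROC_RE = re.compile(r"\\Print\\Environments\\[^\\]+\\Print Processors\\([^\\]+)$", re.I)
DEFAULT_PRINT_PROCESSORS = {"winprint"}   # the only one present on a stock install

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _decode_value(raw: str):
    """REG_SZ -> str with reg-export escapes removed, dword -> int, else raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw   # hex(...) blobs are kept verbatim; their continuation lines are skipped


def parse_reg_export(text: str) -> dict:
    """Map each key path to {value_name: value}; the default value is stored under ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) or ""] = _decode_value(m.group(2))
    return keys


def find_persistence(reg: dict, allowed_print_processors=DEFAULT_PRINT_PROCESSORS):
    """Return (kind, subkey_name, payload) for every suspicious entry, in dump order."""
    allowed = {p.lower() for p in allowed_print_processors}
    findings = []
    for key, values in reg.items():
        lower = {name.lower(): v for name, v in values.items()}   # registry names are case-insensitive
        if key.lower().startswith(IFEO_KEY.lower() + "\\") and "debugger" in lower:
            findings.append(("ifeo_debugger", key.rsplit("\\", 1)[-1], lower["debugger"]))
        m = PRINT_PROC_RE.search(key)
        if m and m.group(1).lower() not in allowed:
            findings.append(("print_processor", m.group(1), lower.get("driver", "")))
    return findings


# Constructed dump: one benign IFEO entry (GlobalFlag only), one Debugger hijack
# of vds.exe, the stock winprint processor and a rogue VSPMsg processor.
REG_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe]
"Debugger"="C:\\ProgramData\\WinUpdate\\vdsupd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\VSPMsg]
"Driver"="vspmsg.dll"
'''

if __name__ == "__main__":
    for kind, name, payload in find_persistence(parse_reg_export(REG_DUMP)):
        print(f"{kind}: {name} -> {payload}")
```

Run it over exports taken from an offline hive copy (a disk image or a VSS snapshot) as well as from the live host: WIN_DRV conceals the registry keys it uses, so an export made through the live registry API on an infected machine may already have the interesting entries filtered out.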
The UEFI Bootkit Question Mark
ESET's telemetry showed indications of a UEFI bootkit component that might exploit CVE-2023-24932, a Secure Boot bypass previously used as a zero-day by the BlackLotus UEFI bootkit. ESET notes, though, that no further details or strong evidence were available to support a direct link to BlackLotus. The connection is suggestive, not confirmed.
Still, the implication is worth sitting with. UEFI bootkits run before the operating system does. A bootkit staged on the EFI system partition survives an OS reinstall that leaves that partition in place, and one written into the firmware's SPI flash survives a disk swap; neither is touched by formatting the Windows volume. If this group has that capability, they aren't just compromising your Windows installation, they're compromising the machine's boot chain.
I don't want to overstate this. The evidence is telemetry, not a smoking gun. But in threat intelligence, patterns matter, and the pattern here is concerning enough to warrant serious attention from any organization running government or critical infrastructure systems.
Why Government Targets? Why Now?
The target profile tells you everything about the mission. Foreign affairs ministries, telecommunications infrastructure, technology research institutions — these aren't random selections. This is intelligence gathering on a strategic scale. Taiwan and Thailand in Asia, Pakistan as a regional power, Honduras in Central America. The geographic spread suggests coordination with broader geopolitical objectives.
The persistence of these attacks — spanning from at least 2023 through 2024, with Windows variants discovered alongside the known Linux operations — points to long-term espionage campaigns rather than hit-and-run intrusions. These operators plant their tools, maintain access, and wait. They're playing the long game.
ESET attributes both Linux and Windows variants to Earth Lusca with high confidence, citing infrastructure overlap with prior campaigns, shared TTPs across deployments, alignment with geopolitical interests in Asia and Latin America, and consistent use of the same codenames across their tracking systems. The attribution isn't speculative — it's well-grounded.
What Defense Looks Like Against This Stuff
Let me be honest: defending against SprySOCKS Windows variants requires accepting that traditional endpoint protection won't cut it alone. If the malware is hiding in kernel memory, redirecting TCP traffic, and potentially reaching into UEFI firmware, you need layers.
Kernel integrity controls are non-negotiable, and pay attention to which ones actually apply here. RawWNPF carries a valid signature from a leaked certificate, so a rule that only blocks unsigned drivers is satisfied and the driver loads. The controls that help are the ones that ask whether this particular driver or publisher is allowed: Hypervisor-protected Code Integrity (HVCI, shown as Memory Integrity in Windows Security), the Microsoft vulnerable driver blocklist, and a WDAC policy that allow-lists drivers by publisher or hash. Feed driver-load telemetry (Sysmon Event ID 6, or your EDR's equivalent) into the SIEM so a new kernel module on a server is an event someone sees. If unknown signed drivers can load in production, you've already lost.
Network monitoring needs to evolve too. TCP traffic diversion means you can't just watch for suspicious outbound connections. Compare inbound sessions against each host's known listening ports, look for one source touching many high ports on the same host with data flowing both ways, and treat a completed session on a port the host reports as closed as a finding in its own right. Take the flow data from a tap, firewall or NetFlow exporter rather than from the endpoint, because a rootkit that hides its connections is also hiding them from netstat.
Persistence mechanisms like IFEO and print processor registration should be actively monitored. They're cheap to baseline: most hosts have no IFEO Debugger values at all, and the only print processor on a default install is winprint. Inventory both keys across the fleet, alert on writes to them (Sysmon Event IDs 12 and 13, or an EDR registry rule), and investigate any deviation.
And UEFI Secure Boot validation matters more than most organizations treat it. Confirm Secure Boot is actually enabled on every machine, apply Microsoft's mitigations for CVE-2023-24932 (they are opt-in and rolled out in stages rather than switched on by default), and use measured boot with TPM-backed attestation to check firmware and boot-chain integrity continuously rather than once at deployment. If you're not verifying firmware integrity, you're operating on borrowed time.
The operational side matters just as much. Regular endpoint forensic scans for hidden processes and registry artifacts. Network traffic analysis tools capable of detecting covert C2 channels. Threat hunting programs specifically focused on kernel and UEFI-level threats — because these won't show up in standard alerting.
Incident response playbooks need to account for advanced persistent threats that operate beyond traditional endpoint monitoring. If your IR process assumes the OS is trustworthy, you need to rethink it.
The Bigger Picture
The discovery of Windows variants of SprySOCKS isn't just about one malware family getting a port. It's about the maturation of a threat group's capabilities and the widening scope of state-sponsored espionage. Earth Lusca now operates across Linux and Windows, targeting government infrastructure in multiple regions with tools designed for maximum stealth and persistence.
The kernel drivers, TCP traffic redirection, potential UEFI exploitation — these aren't features you see in opportunistic malware. They represent significant investment in tooling, testing, and operational security. This is a group that understands modern Windows internals deeply enough to build rootkits that exploit legitimate subsystems.
For security teams, the takeaway is clear: assume compromise. Monitor at the kernel level. Validate firmware integrity. Hunt for anomalies that don't match your baseline. And recognize that the threat actors targeting government infrastructure aren't going to stop expanding their capabilities just because you've patched one vulnerability.
This campaign is a reminder that state-sponsored actors don't limit themselves to one operating system. They target entire digital ecosystems, and the only defense that works is one that operates at every level — from firmware to application, from network to endpoint.
Related reading: For context on how other China-nexus groups conduct long-term espionage against government and research institutions, see our coverage of UNC6508's year-long undetected spying campaign against US researchers at /articles/china-nexus-actor-spy-on-us-researchers-undetected. For analysis of persistent backdoor techniques used by Chinese espionage groups in enterprise environments, see our piece on UNC5221's Brickstorm backdoor for Microsoft 365 at /articles/chinese-espionage-group-unc5221-brickstorm-backdoor-microsoft-365.