{"id":274189,"date":"2026-06-16T05:00:00","date_gmt":"2026-06-16T09:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/16\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/"},"modified":"2026-06-16T05:25:22","modified_gmt":"2026-06-16T09:25:22","slug":"windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/16\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/","title":{"rendered":"Windows version of SprySOCKS Linux malware used to attack govt orgs"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/\">Windows version of SprySOCKS Linux malware used to attack govt orgs<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/<\/a><\/p>\n<p>Publish Date: 2026-06-16 05:00:00<\/p>\n<p>Source Domain: www.bleepingcomputer.com<\/p>\n<p>Windows variants of the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.<\/p>\n<p>SprySOCKS has been linked to the Chinese threat group \u2018Earth Lusca,\u2019 which deployed it in attacks against government entities focused on foreign affairs, technology, and telecommunications.<\/p>\n<p>Now, ESET researchers have discovered Windows variants of the same malware family that were used between 2023 and 2024 in attacks on government organizations in Taiwan, Thailand, Pakistan, and Honduras.<\/p>\n<p>ESET attributes the activity with high confidence to the Earth Lusca threat actor, which it tracks as \u2018FishMonger\u2019 (also known as \u2018Aquatic Panda,\u2019 \u2018Red Dev 10,\u2019 and TAG-22).<\/p>\n<p>Unlike the previously documented Linux version, the Windows variant adds kernel-level stealth capabilities, allowing operators to hide malware artifacts and communicate with the backdoor through traffic redirected from arbitrary TCP ports.<\/p>\n<p>The two variants are WIN_DRV, which uses kernel drivers for rootkit-like capabilities, and WIN_PLUS, a more barebones backdoor.<\/p>\n<p>Both variants offer the following capabilities:<\/p>\n<ul>\n<li>Communicate over TCP, UDP, and WebSocket<\/li>\n<li>Support more than 30 command-and-control (C2) commands<\/li>\n<li>Collect system information<\/li>\n<li>Enumerate and manage processes and services<\/li>\n<li>List, create, delete, upload, download, copy, rename, and execute files<\/li>\n<li>Support SOCKS proxy functionality<\/li>\n<li>Operate as both a client and a server<\/li>\n<li>Log keystrokes, clipboard content, and active window titles<\/li>\n<\/ul>\n<p><img decoding=\"async\" alt=\"The WIN_PLUS variant execution flow\" height=\"600\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/June\/WINPLUS.jpg\" width=\"418\"\/><strong>The WIN_PLUS variant execution flow<\/strong><br \/>Source: ESET<\/p>\n<p>The WIN_DRV variant adds the ability to load a driver named \u2018RawWNPF\u2019 directly into memory.<\/p>\n<p>That driver is loaded by another kernel driver, \u2018DriverLoader\u2019 (fsdiskbit.sys), which is signed with a leaked certificate from the GitHub PastDSE project.<\/p>\n<p>The driver enables the malware to hide processes via Windows API manipulation, hide network connections, hide&#8230;<\/p>\n<p><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows version of SprySOCKS Linux malware used to attack govt orgs https:\/\/www.bleepingcomputer.com\/news\/security\/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs\/ Publish Date: 2026-06-16&#8230;<\/p>\n","protected":false},"author":1,"featured_media":274190,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/01\/06\/china.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,57,34],"class_list":["post-274189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-security","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/274189"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=274189"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/274189\/revisions"}],"predecessor-version":[{"id":274191,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/274189\/revisions\/274191"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/274190"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=274189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\
/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=274189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=274189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
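The article names one on-disk artifact of the WIN_DRV variant, the signed loader driver fsdiskbit.sys, and says its certificate is a leaked one. The following PowerShell hunt is an added example, not code from the article, ESET or the malware itself: it enumerates registered kernel drivers, flags any whose file name matches the loader named by ESET, and flags drivers whose Authenticode signature is not valid or whose signer certificate was issued before 29 July 2015. That date is Windows' grandfathering cutoff for kernel-mode code-signing certificates (drivers signed with older end-entity certificates that chain to a cross-signed CA are still loaded); using it as a "possibly leaked certificate" heuristic is this example's assumption, not something the article states, and it will also flag old but legitimate third-party drivers. The function name Find-SuspiciousKernelDriver and the helper Resolve-DriverPath are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added hunt script, not from the article or ESET. Assumptions:
#  - 'fsdiskbit.sys' is the loader file name reported in the article.
#  - 2015-07-29 is the Windows grandfathering cutoff for kernel code-signing
#    certificates; treating pre-cutoff signers as suspicious is a heuristic.

$SuspectDriverNames = @('fsdiskbit.sys')      # from the article
$LegacyCertCutoff   = Get-Date '2015-07-29'   # heuristic threshold (see above)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\...\x.sys, \SystemRoot\System32\drivers\x.sys, system32\drivers\x.sys
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''              # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

function Find-SuspiciousKernelDriver {
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

        $reasons = @()
        if ($SuspectDriverNames -contains (Split-Path $path -Leaf)) {
            $reasons += 'file name matches loader reported by ESET (fsdiskbit.sys)'
        }

        # Checks embedded and catalog signatures; Status is Valid only if the chain verifies.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status: $($sig.Status)"
        }
        if ($sig.SignerCertificate -and $sig.SignerCertificate.NotBefore -lt $LegacyCertCutoff) {
            $reasons += "signer certificate issued $($sig.SignerCertificate.NotBefore.ToString('yyyy-MM-dd')), before the 2015-07-29 cutoff"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $drv.Name
                State   = $drv.State
                Path    = $path
                Signer  = $sig.SignerCertificate.Subject
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousKernelDriver | Sort-Object Name | Format-Table -AutoSize
```

Two caveats follow directly from the article. First, RawWNPF is loaded straight into memory by the loader, so it has no service registration or file for this script to find; only the on-disk loader is in scope here, and confirming the memory-resident driver needs a kernel memory capture. Second, WIN_DRV hides processes and network connections from the running kernel, so output from a live, already-compromised host is only as trustworthy as that kernel; where possible, run the same checks against an offline image of the system drive rather than treating an empty result as a clean bill of health.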