Chinese APT Earth Lusca Adds SprySOCKs Backdoor to its Arsenal | Cyware Hacker News

A recently discovered Linux backdoor malware, named SprySOCKS, was observed in a cyberespionage campaign targeting government agencies in multiple countries. The campaign was attributed to the Chinese hacking group Earth Lusca.

More about SprySOCKS

In the campaign, the attackers used a Linux variant of the ELF injector called mandibule to drop SprySOCKS. 

  • The backdoor is built on the high-performance ‘HP-Socket’ networking framework and encrypts its TCP communications with the C2 server using AES-ECB.
  • This innovative malware possesses several key functions, including gathering system information, initiating an interactive shell that utilizes the PTY subsystem, enumerating network connections, and managing SOCKS proxy configurations.
  • Additionally, it is capable of executing fundamental file operations, which encompass uploading, downloading, listing, deleting, renaming, and creating directories.

Tracing the malware’s origin

  • The malware borrows much of its source code from Trochilus, an open-source Windows backdoor.
  • The malware’s implementation of the interactive shell appears to be inspired by the Linux variant of Derusbi malware.
  • The structure of SprySOCKS’s C2 protocol is similar to the one used by the RedLeaves backdoor.

Earth Lusca’s recent activity

According to Trend Micro, Earth Lusca remained active during the first half of 2023, with a primary focus on countries in Southeast Asia, Central Asia, and the Balkans.

  • Currently, the group is attempting to exploit several n-day RCE vulnerabilities dated between 2019 and 2022 to compromise public-facing servers.
  • These flaws are abused to deploy a web shell and install a Cobalt Strike beacon for lateral movement.  
  • During the later stages of infection, the group intends to exfiltrate documents and email account credentials and deploy advanced backdoors such as ShadowPad and the Linux variant of Winnti.


Researchers have identified two different versions of the backdoor, indicating that it is still under development. Organizations must proactively manage their attack surface and minimize the potential entry points into their systems. They can also take the requisite actions by reviewing the IOCs associated with the campaign.