The SprySOCKS malware family, previously documented on Linux, has Windows variants used by the Earth Lusca threat actor in attacks on government entities in at least four countries. The WIN_DRV variant includes kernel drivers loaded via a signed driver to provide rootkit-like stealth capabilities, hiding malware artifacts such as processes, network connections, files, and registry keys. The WIN_PLUS variant is a simpler backdoor. Both variants support over 30 C2 commands, system reconnaissance, file operations, SOCKS proxy functionality, and keylogging. Persistence mechanisms include scheduled tasks, IFEO, and print processor registration. WIN_DRV uniquely enables TCP traffic diversion to communicate through arbitrary TCP ports without exposing the real listening port. ESET telemetry suggests a possible UEFI bootkit component exploiting CVE-2023-24932, though no strong evidence links it to known UEFI malware. This discovery indicates Earth Lusca's expanded capability to target Windows systems with sophisticated stealth and persistence techniques.

The malware enables attackers to maintain stealthy, persistent access to compromised Windows systems, including government organizations, with capabilities for system reconnaissance, file manipulation, keylogging, and proxying network traffic. The kernel-level rootkit features allow hiding of malware artifacts and network communications, complicating detection and forensic analysis. The TCP traffic diversion feature conceals backdoor communication ports, further evading network-based detection. Potential UEFI bootkit exploitation could enable persistence below the OS level, increasing difficulty of removal. These capabilities facilitate espionage and long-term access to sensitive government networks.

No official patch or remediation is indicated for this malware family as it is a threat actor tool rather than a software vulnerability. Mitigation should focus on detection and removal using updated endpoint security solutions capable of identifying kernel-level rootkits and backdoors. Monitoring for indicators of compromise provided by ESET's report is recommended. Organizations should apply best practices for endpoint protection, including restricting driver installation to trusted sources and monitoring scheduled tasks and IFEO entries for suspicious activity. Since this is malware, vendor-managed patching does not apply. Patch status is not applicable; check vendor advisories and security vendor updates for detection signatures and removal tools.