# [HIGH] Windows version of SprySOCKS Linux malware used to attack govt orgs

**Source:** BleepingComputer
**Published:** 2026-06-16
**Article:** https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/

## Threat Profile

By Bill Toulas
Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.
SprySOCKS has been linked to the Chinese threat group ‘Earth Lusca,’ which deployed it in attacks against government entities focused on foreign affairs, technology, and telecommunications.
Now, ESET researchers discovered Windows variants of the sam…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2023-24932`

## MITRE ATT&CK Techniques

- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1071.004** — Application Layer Protocol: DNS
- **T1190** — Exploit Public-Facing Application
- **T1053.005** — Scheduled Task/Job: Scheduled Task
- **T1014** — Rootkit
- **T1543.003** — Create or Modify System Process: Windows Service
- **T1553.002** — Subvert Trust Controls: Code Signing
- **T1546.012** — Event Triggered Execution: Image File Execution Options Injection
- **T1547.012** — Boot or Logon Autostart Execution: Print Processors
- **T1542.003** — Pre-OS Boot: Bootkit

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### SprySOCKS DriverLoader (fsdiskbit.sys) write / image load on Windows endpoint

`UC_46_4` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_name="fsdiskbit.sys"
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_hash
| `drop_dm_object_name(Filesystem)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let lookback = 14d;
let driverWrites = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where FileName =~ "fsdiskbit.sys"
| project Timestamp, DeviceName, EventKind="FileWrite", FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
let driverLoads = DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where FileName =~ "fsdiskbit.sys"
| project Timestamp, DeviceName, EventKind="ImageLoad", FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine=tostring(""), InitiatingProcessAccountName;
driverWrites
| union driverLoads
| order by Timestamp desc
```

### SprySOCKS WIN_DRV IFEO persistence on vds.exe

`UC_46_5` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Registry
    where Registry.registry_path="*\\Image File Execution Options\\vds.exe*"
      AND Registry.action="modified"
    by Registry.dest, Registry.user, Registry.process_name, Registry.registry_path,
       Registry.registry_value_name, Registry.registry_value_data
| `drop_dm_object_name(Registry)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let lookback = 30d;
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType in ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has @"Image File Execution Options\vds.exe"
| where RegistryValueName in~ ("Debugger","GlobalFlag","VerifierDlls","MitigationOptions","ReportingMode")
| where InitiatingProcessAccountName !endswith "$"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc
```

### SprySOCKS WIN_PLUS persistence as Windows Print Processor (VSPMsg)

`UC_46_6` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Registry
    where Registry.registry_path="*\\Control\\Print\\Environments\\*\\Print Processors\\*"
      AND (Registry.registry_path="*VSPMsg*" OR Registry.registry_value_data="*VSPMsg*")
    by Registry.dest, Registry.user, Registry.process_name, Registry.registry_path,
       Registry.registry_value_name, Registry.registry_value_data
| `drop_dm_object_name(Registry)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let lookback = 30d;
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType in ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has @"\Control\Print\Environments\" and RegistryKey has @"\Print Processors\"
| where RegistryKey has "VSPMsg" or RegistryValueData has "VSPMsg" or RegistryValueName =~ "Driver"
| where InitiatingProcessFileName !in~ ("spoolsv.exe","msiexec.exe","setup.exe","prndrvr.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessIntegrityLevel
| order by Timestamp desc
```

### Hosts vulnerable to CVE-2023-24932 with internet exposure (SprySOCKS UEFI bootkit pre-position)

`UC_46_7` · phase: **weapon** · confidence: **Medium** · AI-generated for this article

**Defender KQL:**
```kql
let lookback = 1d;
// DeviceTvmSoftwareVulnerabilities is a current-state table with no Timestamp column,
// so the lookback applies only to the DeviceInfo side of the join.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-24932"
| distinct DeviceId, DeviceName, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, RecommendedSecurityUpdateId
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(lookback)
    // take the most recent inventory record per device; OSPlatform/OSVersion come only from this side
    | summarize arg_max(Timestamp, OSPlatform, OSVersion, OSBuild, IsInternetFacing, PublicIP, LoggedOnUsers, MachineGroup) by DeviceId
  ) on DeviceId
| project Timestamp, DeviceName, OSPlatform, OSVersion, OSBuild, IsInternetFacing, PublicIP, MachineGroup, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, RecommendedSecurityUpdateId
| order by tostring(IsInternetFacing) desc, DeviceName asc
```

### Beaconing — periodic outbound to small set of destinations

`UC_BEACONING` · phase: **c2** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal"
    by _time span=10s, All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name(All_Traffic)`
| streamstats current=f last(_time) AS prev_time by src, dest
| eval delta = _time - prev_time
| stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest
| where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600
| sort - count
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| project DeviceName, RemoteIP, RemotePort, Timestamp
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc
| extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1),
         prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1)
| where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port
| extend delta_sec = datetime_diff('second', Timestamp, prev_ts)
| summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec)
    by DeviceName, RemoteIP, RemotePort
| where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0
| order by conn_count desc
```

### Scheduled task created with suspicious image / encoded args

`UC_SCHEDULED_TASK` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="schtasks.exe" AND Processes.process="*/create*"
      AND (Processes.process="*powershell*" OR Processes.process="*cmd.exe*"
        OR Processes.process="*rundll32*" OR Processes.process="*-enc*"
        OR Processes.process="*FromBase64*" OR Processes.process="*\\Users\\Public*"
        OR Processes.process="*\\AppData\\*")
    by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("powershell","cmd.exe","rundll32","-enc","FromBase64",@"\Users\Public",@"\AppData\")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```

### Article-specific behavioural hunt — Windows version of SprySOCKS Linux malware used to attack govt orgs

`UC_46_3` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("fsdiskbit.sys","vds.exe"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("fsdiskbit.sys","vds.exe"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — Windows version of SprySOCKS Linux malware used to attack govt orgs
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("fsdiskbit.sys", "vds.exe"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("fsdiskbit.sys", "vds.exe"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2023-24932`


## Why this matters

Severity classified as **HIGH** based on: CVE present, 8 use case(s) fired, 12 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
