Chinese Hackers’ Advanced Linux Espionage

September 19, 2023

A China-linked threat group tracked as ‘Earth Lusca’ has been observed conducting cyber espionage operations against government agencies in multiple countries. The campaign uses a newly discovered Linux backdoor named ‘SprySOCKS,’ according to analysis published by Trend Micro.

The backdoor appears to be a blend of several existing malware families, with components adapted from both Windows and Linux malware, which reflects the deliberate, composite design behind it.

Earth Lusca’s attacks continued throughout the first half of 2023, focusing on government entities involved in foreign affairs, technology, and telecommunications. For initial access, the group exploited several unauthenticated remote code execution vulnerabilities in public-facing servers that had been disclosed between 2019 and 2022, in other words known n-day flaws rather than zero-days. The exploits were used to deploy Cobalt Strike beacons, which gave the attackers remote access to the compromised networks.

The attackers then moved laterally, exfiltrated sensitive files, stole account credentials, and dropped additional payloads such as ShadowPad.

One notable component is the SprySOCKS loader, a variant of the open-source Linux ELF injector ‘mandibule.’ The loader is disguised as a shared library named ‘libmonitor.so.2’ and appears to have been adapted in haste: the attackers left debug messages and symbols in the binary. Once running, it renames its process to ‘kworker/0:22’ to mimic a Linux kernel worker thread, decrypts the second-stage payload (SprySOCKS), and establishes persistence on the infected host.
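As an added example, not code from Trend Micro’s report or from the malware itself, the following Python check hunts for user-space processes wearing a kernel-thread name such as ‘kworker/0:22’. It relies on three facts about genuine kernel threads on Linux: the kernel sets PF_KTHREAD in the flags field of /proc/<pid>/stat (a flag user space cannot set on itself), their /proc/<pid>/cmdline is empty, and their parent is kthreadd (PID 2). The process records in SAMPLE_PROCS are constructed for illustration; on a live Linux host the script walks /proc instead.

```python
"""Flag user-space processes masquerading as Linux kernel worker threads.

Added example, not code from the SprySOCKS report. Genuine kworker/* entries
are kernel threads: the kernel sets PF_KTHREAD in /proc/<pid>/stat, their
/proc/<pid>/cmdline is empty and they are children of kthreadd (PID 2). A
loader that merely renames itself "kworker/0:22" fails all three tests.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

PF_KTHREAD = 0x00200000      # include/linux/sched.h: "I am a kernel thread"
KTHREADD_PID = 2             # every kernel thread is parented by kthreadd
# Process names that should only ever belong to kernel threads.
KERNEL_NAME_RE = re.compile(r"^(kworker|ksoftirqd|kswapd|kcompactd|migration|rcu_)")


@dataclass
class Proc:
    pid: int
    comm: str       # process name as shown in /proc/<pid>/stat
    ppid: int
    flags: int      # field 9 of /proc/<pid>/stat
    cmdline: bytes  # raw /proc/<pid>/cmdline (NUL-separated argv, empty for kernel threads)


def parse_stat(stat_line: str) -> Tuple[int, str, int, int]:
    """Parse one /proc/<pid>/stat line into (pid, comm, ppid, flags).

    comm is wrapped in parentheses and may itself contain spaces or ')',
    so split on the last ')' rather than on whitespace.
    """
    lpar = stat_line.index("(")
    rpar = stat_line.rindex(")")
    pid = int(stat_line[:lpar])
    comm = stat_line[lpar + 1:rpar]
    rest = stat_line[rpar + 2:].split()
    # proc(5): after comm come state(3) ppid(4) pgrp(5) session(6) tty_nr(7) tpgid(8) flags(9)
    return pid, comm, int(rest[1]), int(rest[6])


def suspicion_reasons(p: Proc) -> List[str]:
    """Return the evidence that a kernel-thread-named process is really user space.

    An empty list means either the name is not a kernel-thread name or the
    process genuinely is a kernel thread.
    """
    if not KERNEL_NAME_RE.match(p.comm):
        return []
    reasons = []
    if not p.flags & PF_KTHREAD:
        reasons.append("PF_KTHREAD not set in /proc/<pid>/stat flags")
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (PID 2)")
    if p.cmdline:
        reasons.append("non-empty cmdline (kernel threads have none)")
    return reasons


def scan_proc(proc_root: str = "/proc") -> List[Proc]:
    """Collect every live process from procfs; both files read here are world-readable."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/stat") as f:
                pid, comm, ppid, flags = parse_stat(f.read())
            with open(f"{proc_root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited between listdir and open, or is unreadable
        procs.append(Proc(pid, comm, ppid, flags, cmdline))
    return procs


def find_masqueraders(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if suspicion_reasons(p)]


# Constructed sample records (not captured from a real infection): one genuine
# kernel worker and one user-space loader that has renamed itself.
SAMPLE_PROCS = [
    Proc(pid=57, comm="kworker/0:2", ppid=2, flags=PF_KTHREAD | 0x4008060, cmdline=b""),
    Proc(pid=31337, comm="kworker/0:22", ppid=1, flags=0x400100, cmdline=b"kworker/0:22\x00"),
]

if __name__ == "__main__":
    procs = scan_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in find_masqueraders(procs):
        print(f"PID {p.pid} '{p.comm}': " + "; ".join(suspicion_reasons(p)))
```

The PF_KTHREAD test is the decisive one: a process can rename itself with prctl(PR_SET_NAME) or by rewriting argv, but it cannot grant itself a kernel-thread flag. The parent and cmdline checks are corroboration, and they still work on systems where the flags field is not trusted, for example when the data comes from a forensic copy of /proc.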

SprySOCKS itself is a fully featured backdoor built on the ‘HP-Socket’ high-performance networking framework. It encrypts TCP communications with its command-and-control server using AES in ECB mode. ECB is the weakest AES mode: it uses no IV and no chaining, so identical plaintext blocks always produce identical ciphertext blocks, and the structure of repetitive messages leaks to anyone observing the traffic. The backdoor’s core functions include collecting system information, starting an interactive shell through the PTY subsystem, listing network connections, managing SOCKS proxy configuration, and performing a range of file operations.
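To make the ECB caveat concrete, the following Python is an added example; it is not code from the report and not SprySOCKS’s own crypto. The Python standard library has no AES, so the per-block transform `_block_fn` is a stand-in: a keyed HMAC-SHA256 truncated to 16 bytes, which keeps the one property that matters here, that the same 16-byte block under the same key always maps to the same output. It is not a real cipher and is not invertible. On top of it, `repeated_blocks()` is the classic ECB detector a defender can run over captured C2 payloads, and CBC is included only to show that a chained mode does not trip it. The beacon-like plaintext and the key are constructed for illustration.

```python
"""Why AES-ECB C2 traffic is detectable: identical plaintext blocks give
identical ciphertext blocks, so repetition in a beacon survives encryption.

Added example. The Python stdlib has no AES, so _block_fn is a keyed PRF
stand-in (HMAC-SHA256 truncated to 16 bytes): deterministic per block, like
one AES block encryption, but NOT invertible and NOT a usable cipher.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

BLOCK = 16  # AES block size in bytes


def _block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): same key + same 16-byte input -> same 16-byte output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block transformed independently, no IV, no chaining."""
    padded = pkcs7_pad(plaintext)
    return b"".join(_block_fn(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC for contrast: each block is XORed with the previous ciphertext block
    first, so repeated plaintext no longer yields repeated ciphertext. IV is prepended."""
    iv = iv if iv is not None else os.urandom(BLOCK)
    padded = pkcs7_pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_fn(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(payload: bytes) -> int:
    """Count 16-byte blocks that duplicate an earlier block in the payload.

    For CBC/CTR/GCM traffic this is 0 except by a ~2^-128 accident; for ECB it
    mirrors repetition in the plaintext (fixed headers, zeroed fields, padding).
    """
    usable = len(payload) - len(payload) % BLOCK
    counts = Counter(payload[i:i + BLOCK] for i in range(0, usable, BLOCK))
    return sum(c - 1 for c in counts.values())


def looks_like_ecb(payload: bytes, min_repeats: int = 1) -> bool:
    """Heuristic for one captured C2 payload; raise min_repeats for long messages."""
    return len(payload) >= 2 * BLOCK and repeated_blocks(payload) >= min_repeats


# Constructed beacon-like plaintext (not a real SprySOCKS message): a fixed
# 16-byte command marker repeated four times, then one block of host data.
MARKER = b"SYSINFO" + b"\x00" * 9
SAMPLE_BEACON = MARKER * 4 + b"host=web01;uid=0"
SAMPLE_KEY = b"\x01" * 16  # constructed key for the demo

if __name__ == "__main__":
    ecb = ecb_encrypt(SAMPLE_KEY, SAMPLE_BEACON)
    cbc = cbc_encrypt(SAMPLE_KEY, SAMPLE_BEACON)
    print("ECB repeated blocks:", repeated_blocks(ecb), "-> ECB?", looks_like_ecb(ecb))
    print("CBC repeated blocks:", repeated_blocks(cbc), "-> ECB?", looks_like_ecb(cbc))
```

In practice the detector is run over the TCP payload of each flow to a suspected C2 host (extracted with tcpdump or Zeek); four repeated marker blocks in the sample plaintext show up as three duplicated ciphertext blocks under ECB and as none under CBC. The heuristic will not identify the malware family on its own, but a long-lived TCP session whose payloads keep repeating 16-byte blocks is a strong signal that a custom ECB protocol, not TLS, is in use.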

Trend Micro identified two versions of SprySOCKS, v1.1 and v1.3.6, which suggests the backdoor is under active development. Because Earth Lusca’s initial access relies on already-patched vulnerabilities in public-facing server products, the most effective mitigation is to apply security updates to those products promptly; doing so removes the entry point the group and similar actors depend on.

Reference:
  • Trend Micro, “Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement”
Tags: Backdoor, China, Cyber Alert, Cyber Alerts 2023, Cybersecurity, Earth Lusca, Espionage, Linux, Malware, September 2023, SprySOCKS, Trend Micro, Vulnerabilities
    © 2025 | CyberMaterial | All rights reserved