China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
"Earth Lusca," a China-linked cyber espionage actor that's been actively targeting government organizations in Asia, Latin America, and other regions since at least 2021 has begun using a Linux backdoor with features that appear inspired from multiple previously known malware tools.

The malware that researchers at Trend Micro discovered and are tracking as "SprySOCKS," is firstly a Linux variant of "Trochilus," a Windows remote access Trojan (RAT) whose code got leaked and became publicly available in 2017.

Trochilus has multiple functions, which include allowing threat actors to remotely install and uninstall files, log keystrokes, and do screen captures, file management, and registry editing. One core feature of the malware is its ability to enable lateral movement. According to Trend Micro, SprySOCKS' main execution routine and strings show that it originated from Trochilus and had several of its functions reimplemented for Linux systems.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.