Earth Lusca [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], a threat actor with links to China, has been conducting cyber espionage campaigns since at least 2021, targeting government organizations worldwide [1] [2] [4] [9]. This text describes their activities in detail, including their targets, their techniques [9], and the malware they employ.


Since January 2022, Earth Lusca has expanded its operations globally, with a particular focus on Southeast Asia, Central Asia [2] [3] [5], and the Balkans [2] [3] [5]. Their primary targets are government departments involved in foreign affairs [3] [5] [6] [10], technology [3] [5] [6] [10], and telecommunications [3] [5] [6] [10]. They have developed a new Linux backdoor called SprySOCKS [1] [3] [4] [10] [11], which is loaded by an ELF injector component called mandibule [5] [8]. SprySOCKS is still under development and shares similarities with the Linux variant of the Derusbi malware and the RedLeaves backdoor [10].

Once SprySOCKS is deployed, Earth Lusca can gather system information, start an interactive shell [5] [8], create SOCKS proxies [5], and perform file and directory operations [5] [8]. The malware communicates via TCP packets [5] [8], in a manner similar to the Windows-based trojan RedLeaves [5] [8]. Once inside a network [6], Earth Lusca deploys web shells and uses Cobalt Strike for lateral movement. They also deploy advanced backdoors such as ShadowPad and the Linux version of Winnti for long-term espionage [3] [4] [6] [8]. To defend against infection [1], it is recommended to keep systems patched [1].

Earth Lusca is believed to be linked to the Chinese government but also pursues financial gain, targeting gambling and cryptocurrency companies [1]. To defend against this advanced malware, organizations are advised to proactively manage their attack surface [3], apply patches [3], and regularly update their tools, software [3], and systems to enhance security [3]. The report provides IP addresses [1], file hashes [1], and other indicators that can be used to determine whether a system has been compromised [1]. Multiple versions of SprySOCKS have been identified [5] [8] [9], indicating that the attackers continue to modify it [5] [8].


Earth Lusca poses a significant threat to government organizations in Asia, Latin America [4], and other regions [2] [4]. Their recent use of the Linux backdoor SprySOCKS, which shares similarities with the Windows remote access trojan (RAT) Trochilus, shows how their tooling is evolving. The implementation of SprySOCKS appears to draw on the Linux version of Derusbi [4], while its command-and-control infrastructure resembles that of RedLeaves [4].

Earth Lusca’s targets extend beyond government agencies to educational institutions, pro-democracy and human rights groups [4], media organizations [4] [9], and organizations conducting COVID-19 research [4]. Their financial motivations are evident in their targeting of cryptocurrency and gambling firms. To gain access to target networks [4], Earth Lusca uses spear-phishing [3] [4], social engineering scams [4], and watering-hole attacks [3] [4]. They have also been actively exploiting “n-day” vulnerabilities in web-facing applications [4].

In light of these activities, organizations should proactively manage their attack surface, apply patches [3], and regularly update their tools, software [3], and systems [1] [2] [3] [4]. Doing so improves their security posture and mitigates the risks posed by Earth Lusca and similar threat actors.