SprySOCKS: Chinese Hackers Unleash New Linux Backdoor

SprySOCKS: The Growing Threat from Chinese State-Linked Hackers

What is SprySOCKS?

SprySOCKS is a recently discovered Linux backdoor attributed to a Chinese government-linked threat actor. It originates from the Windows backdoor Trochilus, detected by Arbor Networks back in 2015. Old wine in a new bottle, SprySOCKS blends traditional backdoor functionality with a novel Socket Secure (SOCKS) implementation that is applauded for its speed.

Unveiling SprySOCKS

This June, Trend Micro researchers came across an encrypted binary file named ‘mkmon’ on a server. Further analysis identified it as the installation file for SprySOCKS. Born out of Trochilus, which is linked to APT10 (Stone Panda/MenuPass), SprySOCKS has all the usual backdoor functions, including system information gathering, remote shell control, network connection listing, and creating SOCKS-based proxies for data transfer. Successive versions of SprySOCKS point to ongoing development, which raises further concern.

Who’s Behind SprySOCKS?

A close look at the command and control server used by SprySOCKS shows a resemblance to the one used by RedLeaves, another Windows malware based on Trochilus. The primary suspect for this activity is a threat actor known as Earth Lusca, a group known for attacking government organizations worldwide, with Asia as its key target. Earth Lusca's activity does not end at government espionage. Its motives also include financial gain, particularly from companies dealing with cryptocurrencies and gambling.


The Sinister Web of Malwares

More details about this server tie it to other tooling. Cobalt Strike, an infamous hacking tool used for vulnerability discovery and exploitation, was also delivered by the same server hosting SprySOCKS. So was Winnti, another notorious suite of malware known for its association with Chinese government-linked threat groups.

Is SprySOCKS a Threat?

Absolutely! Its continued development, coupled with its ability to absorb the functionality of its forerunners while introducing its own advanced techniques, makes SprySOCKS a notable cybersecurity threat. Constant vigilance and swift action are needed, given the increasing number of cyber threats and crimes, especially those involving crucial entities like government organizations.

Trend Micro’s report provided factual evidence, from IP addresses to file hashes, that can be used to trace potential compromises, underlining the cybersecurity risks faced by organizations worldwide. The discovery of SprySOCKS, the new Linux backdoor used by a Chinese government-linked threat actor, underscores the importance of continuous research, development, and implementation of advanced cybersecurity measures.




TechBeams Team is a team of seasoned technology writers with several years of experience in the field. The team has a passion for exploring the latest trends and developments in the tech industry and sharing their insights with readers. With a background in Information Technology, TechBeams Team brings a unique perspective to their writing and is always looking for ways to make complex concepts accessible to a broad audience.
