{ "id": "d1da7b64-3b7a-4511-b91b-cb0e60f56462", "created_at": "2026-04-06T00:12:14.205569Z", "updated_at": "2026-04-10T03:36:48.09301Z", "deleted_at": null, "sha1_hash": "e38c8a61840633649df1599edd3a2f6340c6eeef", "title": "Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 422224, "plain_text": "Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for\r\nLateral Movement\r\nBy By: Joseph C Chen Sep 18, 2023 Read time: 9 min (2356 words)\r\nPublished: 2023-09-18 · Archived: 2026-04-05 19:05:03 UTC\r\nMalware\r\nWhile monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've\r\ndubbed SprySOCKS due to its swift behavior and SOCKS implementation.\r\nIn early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as\r\nEarth Lusca. Since our initial research, the group has remained active and has even extended its operations,\r\ntargeting countries around the world during the first half of 2023.\r\nWhile monitoring the group, we managed to obtain an interesting, encrypted file hosted on the threat actor’s\r\ndelivery server. We were able to find the original loader of the file on VirusTotal and successfully decrypted it.\r\nInterestingly, the decrypted payload is a Linux-targeted backdoor that we have never seen before. The main\r\nexecution routine and its strings show that it originates from the open-source Windows backdoor Trochilus, with\r\nseveral functions being re-implemented for Linux systems. We named this new Linux variant SprySOCKS,\r\nreferring to the swift behaviors of Trochilus and the new Socket Secure (SOCKS) implementation inside the\r\nbackdoor.\r\nAnalysis of the SprySOCKS backdoor reveals some interesting findings. The backdoor contains a marker that\r\nrefers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different\r\nversion numbers, indicating that the backdoor is still under development. In addition, we noticed that the\r\nimplementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.\r\nMeanwhile, the structure of SprySOCKS’s command-and-control (C\u0026C) protocol is similar to one used by the\r\nRedLeaves backdoor, a remote access trojan (RAT) reported to be infecting Windows machines. It consists of two\r\ncomponents, the loader and the encrypted main payload. The loader is responsible for reading, decrypting, and\r\nrunning the main payload.\r\nSimilar to the Windows version, the Linux variant analyzed in this report also consists of these two components.\r\nPreviously, it was reported that RedLeaves was also built upon the publicly available source code of Trochilus.\r\nSo far, we have only observed SprySOCKS used by Earth Lusca. In this blog entry, we will provide more context\r\non Earth Lusca’s use of the malware, together with a thorough analysis of its components and capabilities.\r\nRecent Earth Lusca activity\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 1 of 9\n\nEarth Lusca remained active during the first half of 2023, with its attacks focusing primarily on countries in\r\nSoutheast Asia, Central Asia, and the Balkans (with a few scattered attacks on Latin American and African\r\ncountries). The group’s main targets are government departments that are involved in foreign affairs, technology,\r\nand telecommunications.\r\nEarth Lusca is now aggressively targeting the public-facing servers of its victims. Furthermore, we have seen them\r\nfrequently exploiting server-based N-day vulnerabilities, including (but not limited to) the following:\r\nVulnerability Description\r\nCVE-2022-40684\r\nAn authentication bypass vulnerability in Fortinet FortiOS,\r\nFortiProxy and FortiSwitchManager\r\nCVE-2022-39952\r\nAn unauthenticated remote code execution (RCE)\r\nvulnerability in Fortinet FortiNAC\r\nCVE-2021-22205 An unauthenticated RCE vulnerability in GitLab CE/EE\r\nCVE-2019-18935\r\nAn unauthenticated remote code execution vulnerability in\r\nProgress Telerik UI for ASP.NET AJAX\r\nCVE-2019-9670 / CVE-2019-9621\r\nA bundle of two vulnerabilities for unauthenticated RCE in\r\nZimbra Collaboration Suite\r\nProxyShell (CVE-2021-34473, CVE-2021-\r\n34523v, CVE-2021-31207)\r\nA set of three chained vulnerabilities that perform\r\nunauthenticated RCE in Microsoft Exchange\r\nTable 1. The list of vulnerabilities exploited by Earth Lusca\r\nEarth Lusca takes advantage of server vulnerabilities to infiltrate its victim’s networks, after which it will deploy a\r\nweb shell and install Cobalt Strike for lateral movement. The group intends to exfiltrate documents and email\r\naccount credentials, as well as to further deploy advanced backdoors like ShadowPad and the Linux version of\r\nWinnti to conduct long-term espionage activities against its targets.\r\nThe “mandibule” loader component\r\nAt the beginning of our investigation, we observed a file named libmonitor.so.2 hosted on Earth Lusca’s delivery\r\nserver. Without previous context, this seemed to be a binary file containing only random bytes, indicating that it is\r\nlikely an encrypted payload. We used the unique file name to perform a search on VirusTotal that allowed us to\r\nidentify a related ELF file (SHA256: 65b27e84d9f22b41949e42e8c0b1e4b88c75211cbf94d5fd66edc4ebe21b7359)\r\nnamed “mkmon”. The ELF file could be used to decrypt the libmonitor.so.2 file and recover its original payload,\r\nproving that “mkmon” is the loader bundled with libmonitor.so.2.\r\nThe loader was not developed from scratch — its developer used a publicly available Linux ELF injector called\r\n“mandibule” (the French word for mandible, or lower jaw). The original ELF injector project is a command-line\r\ntool with the ability to inject a payload into itself (self-injection) or into another project. As a typical command-https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 2 of 9\n\nline tool, it prints usage text that lists supported parameters. The original injector also prints various debug\r\nmessages to inform the user about the progress of the injection.\r\nThe threat actor used the mandibule project as a basis for its malware loader. The project creator removed the\r\nusage screen and the ability to inject to other processes, and then added a function to load and decrypt the second\r\nstage. We consider this job to be sloppily done since the developer did not bother to remove debug messages, and\r\nthe loader was not stripped (that is, it was distributed with debug symbols). Indeed, the threat actor seemed to put\r\nminimum effort into modifying the original injector just to be able to make it load the payload.\r\n open on a new tab\r\nFigure 1. The loader distributed with debug information; note that the “.debug_*” sections are\r\npresent\r\nThe debug messages displayed in Figure 2 have two distinct markers. The “\u003e” marker is from the original\r\nmandibule project, while the “[+]” or “[-]” markers are debug messages added to the loader by the threat actor.\r\nThe name of the loader’s process is set to “kworker/0:22” by the prctl command. Normally, kworker is a\r\nplaceholder process for kernel worker threads. In this scenario, however, the “kworker” name has nothing to do\r\nwith kernel worker threads. Instead, the loader abuses this name just to avoid suspicion when the user lists all\r\nrunning tasks via commands such as ps or top.\r\nFigure 3. The name of the process is set to “kworker/0:22”\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 3 of 9\n\nFigure 4. The list of “kworker*” processes on an infected machine; the highlighted process is the\r\nanalyzed loader\r\nThe loader accepts two command-line parameters: the path to the encrypted second stage file and the self-delete\r\nflag. The second stage is encrypted with an AES-ECB cipher, with the password being hard-coded in the loader.\r\nFigure 5. Function to decrypt the second stage\r\nThe loader is also responsible for setting the persistence. It copies itself and the encrypted second stage to the\r\n/usr/sbin/ directory (see debug notes “[+] rename loader ok” and “[+] rename server ok”). It then uses chkconfig or\r\nsystemd to start the loader as a service. If the self-delete flag is set to “1”, then the originally executed loader and\r\nthe encrypted stage files are both deleted.\r\nThe SprySOCKS component\r\nWhile examining the decrypted second stage, visible strings revealed that it was statically compiled with HP-Socket project, a high-performance network framework of Chinese origin.\r\nFigure 6. HP-Socket references among visible strings\r\nInitialization procedure reveals a hard-coded AES-ECB password used for encrypting communication with the\r\nC\u0026C server.\r\nFigure 7. AES password used for C\u0026C communication\r\nThe C\u0026C address and port are also hard-coded in the module, but they are not encrypted and are visible in plain\r\ntext.\r\nFigure 8. C\u0026C server and port configuration\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 4 of 9\n\nC\u0026C communication consists of packets sent via TCP (Transmission Control Protocol). The packet has a header\r\nconsisting of 0x12 bytes, followed by a base64-encoded, AES-ECB-encrypted message. Similar to Table B-2 in\r\nthis previous analysis of the RedLeaves malware, the header contains some random and hard-coded values, plus\r\nthe length of the payload (highlighted in blue in Figure 9).\r\nFigure 9. Example of a packet sent from the victim’s machine to the C\u0026C server\r\nFigure 10. Fixed value of 0xACACBCBC; occurs in sent packets at offsets 4 – 7\r\nThe fixed value used in the original Trochilus is 0xAFAFBFBF, while in the RedLeaves variant it is\r\n0xBFD9CBAE.\r\nAfter decoding and decrypting the message, it reveals keywords such as “__handler”, “__msgid”, “__serial”, and\r\n“clientid”. Some of these keywords can be found in Trochilus, but more importantly, these messages closely\r\nresemble the RedLeaves communication protocol. \r\nFigure 11. Decoded and AES-ECB-decrypted message\r\nThe RAT implements several standard backdoor commands, including the collecting system information, starting\r\nan interactive shell, listing network connections, creating SOCKS proxy, uploading and downloading files, and\r\nother basic file operations (listing, deleting, renaming, and creating a directory). Table 2 shows message IDs and\r\nthe approximate descriptions of what functions the messages are related to.\r\nMessage\r\nID\r\nNotes\r\n0x09 Gets machine information\r\n0x0a Starts interactive shell\r\n0x0b Writes data to interactive shell\r\n0x0d Stops interactive shell\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 5 of 9\n\n0x0e Lists network connections (parameters: “ip”, “port”, “commName”, “connectType”)\r\n0x0f Sends packet (parameter: “target”)\r\n0x14, 0x19 Sends initialization packet\r\n0x16 Generates and sets clientid\r\n0x17\r\nLists network connections (parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”,\r\n“listen_port”)\r\n0x23 Creates SOCKS proxy\r\n0x24 Terminates SOCKS proxy\r\n0x25 Forwards SOCKS proxy data\r\n0x2a Uploads file (parameters: “transfer_id”, “size”)\r\n0x2b Gets file transfer ID\r\n0x2c Downloads file (parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size”)\r\n0x2d Gets transfer status (parameters: “state”, “transferId”, “result”, “packageId”)\r\n0x3c Enumerates files in root /\r\n0x3d Enumerates files in directory\r\n0x3e Deletes file\r\n0x3f Creates directory\r\n0x40 Renames file\r\n0x41 No operation\r\n0x42 Is related to operations 0x3c – 0x40 (srcPath, destPath)\r\nTable 2. List of handled messages and an explanation of their functions\r\nThe client information structure resembles the original CLIENT_INFO structure used by Trochilus, with some\r\nparameters being the same for both Trochilus and the malware we were analyzing. It is also worth noting the\r\nparameter “cpufrep”, which is likely a typo of “cpufreq” (CPU frequency).\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 6 of 9\n\nFigure 12. CLIENT_INFO structure in “ClientInfoCallbacks.h,” which is the Trochilus RAT\r\nFurther down in ClientInfoManager.cpp, the Trochilus RAT, you can see the internal names of the parameters\r\nfrom the CLIENT_INFO structure. Note that most of them have the same values as the listed parameters in Table\r\n2. Furthermore, “cn”, “ip”, “groups”, “vercode”, “priv”, “lang”, “mem”, “os”, “x64”, and “cpufrep” are the same. \r\nFigure 13. The internal names of CLIENT_INFO parameters, as defined in ClientInfoManager.cpp,\r\nthe Trochilus RAT\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 7 of 9\n\nTable 3. List of fields in the CLIENT_INFO structure of SprySOCKS\r\nWhen a client is requested to create an interactive terminal, it first interacts with the master endpoint for the\r\npseudo-terminal (PTY) subsystem (/dev/ptmx). Afterward, a new slave PTY is created with a unique device node\r\nname in the /dev/pts directory.\r\nAfter this, an execve command is launched with the parameter “[diskio]”, environment variables instructing it not\r\nto save session history (HISTFILE=/dev/null), and prompt string (PS1) containing current username (u), host\r\nname of machine (h), and working directory, which is (w) - (PS1=\\\\u@\\\\h:\\\\w \\\\$).\r\nFigure 14. Creation of the interactive shell\r\nWhen searching for the aforementioned strings, it’s possible to find a reference to YARA rules matching the Linux\r\nversion of Derusbi. It is likely that the threat actor gained inspiration from the techniques used by other pieces of\r\nmalware or possibly even had direct access to the Derusbi source code itself.\r\nThe environment ID (client ID) consists of two components. The first part is the MAC address of the first listed\r\ninterface (the malware gets the first listed interface, but if this interface is \"loopback interface\", then this interface\r\nis skipped and the next interface is considered) with a length of 6 bytes; this, when converted to a hexadecimal\r\nstring, has a length 12 bytes. The second part corresponds to processor features, returned by the CPUID\r\ninstruction called with the “CPUID_GETFEATURES” parameter. The length of the result is 8 bytes; when\r\nconverted to a hexadecimal string, this has a length of 16 bytes. Thus, the generated client ID has 14 bytes, and\r\nafter its conversion to a hexadecimal string, it has 28 bytes.\r\nAttribution\r\nWe observed the encrypted SprySOCKS payload hosted on the delivery server 207[.]148[.]75[.]122 in early June\r\n2023. The server, which was operated by the Earth Lusca threat actor, also delivered  executable files of Cobalt\r\nStrike and the Linux version of Winnti to its targets.\r\nThe SprySOCKS payload contains a version number (1.3.6) and the C\u0026C domain  lt76ux[.]confenos[.]shop. We\r\nfound another SprySOCKS payload uploaded by other users on VirusTotal with a version number of 1.1 and\r\nwhich connected to the C\u0026C domain 2e6veme8xs[.]bmssystemg188[.]us. It’s worth noting that the sibling domain\r\nrvxzn49eghqj[.]bmssystemg188[.]us resolved to 38[.]60[.]199[.]208, which overlapped with\r\n793tggz7mw91[.]itcom666[.]live. The domain itcom666[.]live is a known C\u0026C domain attributed to Earth Lusca.\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 8 of 9\n\nConclusion\r\nIn this report, we discussed the new backdoor SprySOCKS used by Earth Lusca, which expands the group’s Linux\r\narsenal. Recently, the threat actor has been highly aggressive in targeting the public-facing servers of its victims\r\nby exploiting known vulnerabilities.\r\nIt is important that organizations proactively manage their attack surface, minimizing the potential entry points\r\ninto their system and reducing the likelihood of a successful breach. Businesses should regularly apply patches\r\nand update their tools, software, and systems to ensure their security, functionality, and overall performance.\r\nCutting-edge and adaptable security solutions like Trend Micro XDRproducts play a pivotal role in safeguarding\r\norganizations against Earth Lusca and other threat actors. These technologies excel at gathering and connecting\r\nactivity data across various channels, from emails and endpoints to servers, cloud workloads, and networks. This\r\ncomprehensive approach empowers organizations with a high level of security detection and investigation\r\ncapabilities, setting it apart from conventional security solutions.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" ], "report_names": [ "earth-lusca-employs-new-linux-backdoor.html" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434334, "ts_updated_at": 1775792208, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e38c8a61840633649df1599edd3a2f6340c6eeef.pdf", "text": "https://archive.orkl.eu/e38c8a61840633649df1599edd3a2f6340c6eeef.txt", "img": "https://archive.orkl.eu/e38c8a61840633649df1599edd3a2f6340c6eeef.jpg" } }