ESET Research published findings on June 16, 2026 disclosing WIN_DRV, a previously undocumented Windows kernel-mode rootkit linked to Earth Lusca, a China-aligned threat actor tracked by multiple vendors. WIN_DRV is a Windows port of SprySOCKS — a Linux backdoor ESET first disclosed in 2023 that was itself derived from the open-source Derusbi malware framework — and represents the first confirmed Windows variant of SprySOCKS. ESET has published YARA detection rules, indicators of compromise, and affected driver file hashes, and is coordinating disclosure with Microsoft to update the Vulnerable Driver Blocklist.
What WIN_DRV Is and How It Operates at Ring-0
WIN_DRV operates as a kernel-mode driver signed with a stolen or fraudulently obtained Extended Validation (EV) certificate. By executing at ring-0 privilege — the highest privilege level on the Windows architecture — the rootkit can hide its network connections from Windows network enumeration APIs, conceal associated processes from Task Manager and security product hooks, and intercept plaintext credentials from LSASS memory before they are encrypted.
This combination of capabilities places WIN_DRV among the hardest classes of malware to detect with conventional endpoint security tools. Security products that operate in user mode (ring 3) and rely on Windows APIs for process and network visibility are blind to activity that the kernel-mode rootkit actively conceals. WIN_DRV can survive endpoint agent reinstalls if the driver persists in firmware or boot-sector areas.
Signed With a Stolen EV Certificate
WIN_DRV carries a stolen or fraudulently obtained Extended Validation certificate. Windows kernel-mode drivers must be signed to load on 64-bit Windows systems with Secure Boot enabled; a stolen EV certificate satisfies this requirement without triggering Windows’ own driver-signing enforcement. Microsoft’s Vulnerable Driver Blocklist has not yet been updated to include the stolen certificate at time of publication, though ESET is coordinating disclosure with Microsoft to remediate this.
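The signing point above can be checked on a host. The following PowerShell is added here as an illustration and is not code from ESET's publication: it lists every running kernel driver with its Authenticode signer so that drivers carrying an embedded signature from a non-Microsoft publisher (a valid EV signature is exactly what a stolen certificate provides) can be reviewed against the published indicators. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 10 or 11; the `$drivers` and `$report` variables and the path normalisation are the example's own.

```powershell
# Added example: inventory running kernel drivers and their Authenticode signers.
# Not ESET's code; assumes an elevated PowerShell session on Windows 10/11.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName comes in several shapes: quoted, \??\C:\..., \SystemRoot\..., or
    # relative (system32\DRIVERS\x.sys). Normalise to an absolute Win32 path.
    $path = $d.PathName.Trim('"') -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name          = $d.Name
        Path          = $path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
    }
}

# Inbox drivers are catalog-signed by Microsoft. An embedded signature from any
# other publisher is not malicious by itself, but it is the set to review
# against ESET's IOCs: a stolen EV certificate yields Status = Valid, so the
# signature status alone cannot clear a driver.
$report |
    Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object Signer, Name |
    Format-Table Name, Status, SignatureType, Signer, Path -AutoSize
```

Unsigned drivers (null signer) fall into the review set as well, which is intended: the output is a triage list, not a verdict.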
Infection Chain and Targeted Countries
ESET observed WIN_DRV deployed in intrusions targeting government ministry networks in Taiwan, Thailand, Pakistan, and Honduras — victimology consistent with Earth Lusca’s established focus on Asia-Pacific and Latin American government entities of strategic interest to the PRC.
Infection chains began with exploitation of internet-facing web applications. After gaining initial access, the threat actor deployed a first-stage web shell, elevated privileges via a known local privilege escalation vulnerability, and then loaded WIN_DRV as the persistent implant. The rootkit communicates with its command-and-control infrastructure over encrypted HTTP/2, mimicking legitimate cloud-service traffic patterns to blend with normal outbound traffic.
Earth Lusca and the SprySOCKS Lineage
Earth Lusca is a China-aligned threat actor tracked by multiple vendors since at least 2021, with a consistent focus on government, diplomatic, and research targets in Asia-Pacific and Latin America. ESET first disclosed SprySOCKS — the Linux backdoor from which WIN_DRV is derived — in 2023. SprySOCKS itself was derived from Derusbi, an open-source malware framework with documented prior use by multiple China-nexus threat actors.
WIN_DRV represents Earth Lusca’s expansion of the SprySOCKS implant family from Linux servers to Windows workstations. This broadens the group’s targeting capability to include the Windows-predominant environments found in government ministries and enterprise organizations, which were previously outside the reach of the Linux-native SprySOCKS.
Detection and Defensive Guidance
ESET has published a detailed technical analysis including YARA detection rules, a list of indicators of compromise, and affected driver file hashes. Organizations should apply the published YARA rules and IOCs immediately to hunt for WIN_DRV presence across Windows endpoints.
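One way to turn the published file hashes into a host-level hunt, as an added example that is not part of ESET's release: the script below hashes every file in the kernel driver directory plus the image path of every registered kernel driver service and matches them against a hash list. The IOC file path `C:\ioc\win_drv_sha256.txt` is a placeholder to be filled with the SHA-256 values from ESET's report (one per line); the `$candidates` and `$hits` variables are the example's own. It assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example: hunt for published driver hashes across the kernel driver
# directory and every registered kernel-driver service path. Not ESET's code.
# Assumes an elevated PowerShell session; the IOC file path is a placeholder
# to be filled with the SHA-256 values from ESET's report, one per line.

$iocFile = 'C:\ioc\win_drv_sha256.txt'   # PLACEHOLDER: path to ESET's hash list

$iocHashes = @{}
Get-Content -LiteralPath $iocFile |
    ForEach-Object { $_.Trim().ToUpperInvariant() } |
    Where-Object { $_ -match '^[0-9A-F]{64}$' } |      # keep only well-formed SHA-256
    ForEach-Object { $iocHashes[$_] = $true }

# Candidate set 1: the default driver directory.
$candidates = [System.Collections.Generic.List[string]]::new()
Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $candidates.Add($_.FullName) }

# Candidate set 2: the image path of every kernel driver service, running or
# not, since a rootkit need not live under System32\drivers.
Get-CimInstance -ClassName Win32_SystemDriver | Where-Object PathName | ForEach-Object {
    $p = $_.PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    if (Test-Path -LiteralPath $p) { $candidates.Add($p) }
}

# Get-FileHash returns upper-case hex; the hashtable lookup is case-insensitive anyway.
$hits = $candidates | Sort-Object -Unique | ForEach-Object {
    $h = Get-FileHash -LiteralPath $_ -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($h -and $iocHashes.ContainsKey($h.Hash)) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $h.Path
            SHA256   = $h.Hash
            Written  = (Get-Item -LiteralPath $h.Path).LastWriteTimeUtc
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # A hit is a confirmed IOC match: isolate the host and preserve the file and
    # its service registration before remediating.
    exit 1
} else {
    Write-Host "No WIN_DRV hash matches on $env:COMPUTERNAME ($($candidates.Count) candidate files checked)"
}
```

The non-zero exit code lets the script be pushed through a remote-execution or configuration-management tool and the results aggregated by host. A hash hunt only catches the exact samples ESET published; the YARA rules cover variants and should be run alongside it.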
Government and enterprise organizations in Taiwan, Thailand, Pakistan, Honduras, and other countries consistent with Earth Lusca’s victimology should treat the WIN_DRV disclosure as a direct threat to their Windows workstation environments. Internet-facing web applications should be reviewed for web shell presence, as this is the confirmed initial access vector in observed intrusion chains.
Until Microsoft updates the Vulnerable Driver Blocklist to include the stolen EV certificate used by WIN_DRV, the signed driver will not be blocked by Windows’ built-in driver-signing enforcement. Organizations running Windows Defender Credential Guard can reduce WIN_DRV’s ability to harvest LSASS credentials, though the rootkit’s process and network concealment capabilities remain active regardless of Credential Guard deployment.
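Whether the mitigations named in this section are actually active on a given host can be read from Windows itself. The following PowerShell is an added example, not ESET's or Microsoft's code: it queries the `Win32_DeviceGuard` WMI class for Credential Guard and HVCI status, the Secure Boot state, and the Vulnerable Driver Blocklist toggle (`VulnerableDriverBlocklistEnable` under the `CI\Config` key, as documented by Microsoft; the value name is not from ESET's report). The `$posture` object and its field names are the example's own. It assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example: report the host-side mitigations the WIN_DRV disclosure relies on.
# Not ESET's code; assumes an elevated PowerShell session on Windows 10/11.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# SecurityServicesRunning is an array: 1 = Credential Guard, 2 = HVCI (memory integrity).
$credentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
$hvci            = [bool]($dg.SecurityServicesRunning -contains 2)

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
$ciEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

# Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }

# Vulnerable Driver Blocklist toggle (DWORD VulnerableDriverBlocklistEnable under
# the CI\Config key, per Microsoft's documentation). Absent means the platform
# default applies; Microsoft documents the blocklist as on by default when HVCI is on.
$ciConfig  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = if ($null -ne $ciConfig.VulnerableDriverBlocklistEnable) {
                 [bool]$ciConfig.VulnerableDriverBlocklistEnable
             } elseif ($hvci) { 'default (on with HVCI)' } else { 'not set' }

$posture = [pscustomobject]@{
    Computer                    = $env:COMPUTERNAME
    CredentialGuard             = $credentialGuard   # limits LSASS credential harvesting
    HVCI                        = $hvci              # kernel code-integrity enforcement
    CodeIntegrityPolicyEnforced = $ciEnforced
    SecureBoot                  = $secureBoot
    VulnerableDriverBlocklist   = $blocklist
}

$posture | Format-List

# Credential Guard narrows what WIN_DRV can take from LSASS; it does not affect
# the rootkit's process and network hiding, so a clean posture here is not a
# clean bill of health and the IOC hunt still applies.
```

Until the blocklist actually contains the stolen certificate, the blocklist and HVCI fields only tell you the host is positioned to benefit from Microsoft's update once it ships; they do not indicate protection against the current WIN_DRV driver.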
