Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. ESET reported the discovery of these variants, internally designated as WINDRV and WINPLUS, which now extend the threat to Windows environments.
The Windows variants come with a hard-coded command-and-control (C&C) configuration and support communication over TCP and UDP. This marks a significant expansion of the backdoor's capabilities, moving beyond its original Linux-only scope and into a more widely used operating system.
The WINDRV variant uses a driver-based stealth mechanism, allowing it to evade traditional security measures. The WINPLUS variant offers additional functionality, though specific details remain limited. ESET's analysis indicates that both variants are designed for persistent, covert access to compromised systems.
No patches or specific mitigations have been publicly disclosed yet. Organizations are advised to monitor for unusual network traffic patterns, particularly over TCP and UDP, and review system drivers for unauthorized modifications. ESET's full report is expected to provide further technical details.
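One concrete way to act on the driver-review advice above is to enumerate every kernel driver registered on a host and flag any whose binary is missing, fails Authenticode verification, or is signed by a publisher outside a known-good allowlist. The script below is an added example written for this article; it is not code from ESET's report and it contains no indicators for SprySOCKS itself. It assumes an elevated PowerShell session on a supported Windows version, and the `$TrustedPublishers` list is a constructed placeholder to be replaced with your own baseline.

```powershell
# Added example (not from ESET's report): inventory registered kernel-mode drivers and
# flag those that are missing on disk, unsigned, or signed by an unexpected publisher.
# Assumes an elevated session; $TrustedPublishers is a constructed placeholder allowlist.

$TrustedPublishers = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher'
)  # constructed placeholder; replace with your organization's approved signers

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Win32_SystemDriver often reports NT-style paths such as \SystemRoot\System32\drivers\x.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverFindings {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A registered driver whose image cannot be found is worth a closer look
            [pscustomobject]@{
                Name = $drv.Name; State = $drv.State; StartMode = $drv.StartMode
                Path = $drv.PathName; Status = 'MissingBinary'; Signer = $null
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $trusted = $false
        foreach ($pub in $TrustedPublishers) {
            if ($signer -and $signer -like "*CN=$pub*") { $trusted = $true }
        }

        # Caveat: on older systems, catalog-signed inbox drivers can report NotSigned here,
        # so treat non-OK rows as triage candidates against a known-good baseline, not proof.
        if ($sig.Status -ne 'Valid')  { $status = "Signature:$($sig.Status)" }
        elseif (-not $trusted)        { $status = 'ValidButUnknownPublisher' }
        else                          { $status = 'OK' }

        [pscustomobject]@{
            Name = $drv.Name; State = $drv.State; StartMode = $drv.StartMode
            Path = $path; Status = $status; Signer = $signer
        }
    }
}

# Usage: show only the rows that deviate from the expected state, most suspicious first.
Get-DriverFindings |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Run this once on a clean reference build to capture a baseline, then diff later runs against it; a newly appearing driver with `MissingBinary`, a non-`Valid` signature status, or an unfamiliar signer is the kind of change the advisory's "unauthorized modifications" wording points at. Pair it with network monitoring for unexplained outbound TCP and UDP sessions from the same host, since the article notes both transports are used by the Windows variants.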
The attribution to China-linked threat actors underscores the ongoing geopolitical tensions in cybersecurity. The expansion of SprySOCKS to Windows suggests a broadening of attack vectors that could target a wider range of industries, particularly those using Windows-based infrastructure.