Ethical Hacking News
China-linked state-sponsored operators have ported the SprySOCKS backdoor from Linux to Windows, with one variant adding a kernel driver for stealth, and have used it against government organizations in several countries.
The SprySOCKS backdoor has expanded from Linux to Windows in two variants with new stealth mechanisms. The WIN_DRV variant retains the core architecture of its Linux predecessor while substituting Windows-native mechanisms and adding a kernel driver. The WIN_PLUS variant takes a different route, using the Windows Print Spooler service to execute a first-stage loader and inject the backdoor. Both variants support three C2 channels, over TCP, UDP, and WebSocket. Researchers believe the variants were deployed between 2023 and 2024 in attacks on government organizations in several countries.
Cybersecurity researchers have documented a notable development: the previously Linux-only SprySOCKS backdoor now has Windows builds with new stealth mechanisms. The two new variants, dubbed WIN_DRV and WIN_PLUS, pose a substantial threat to organizations running Windows, particularly in the government sector.
The variants were first reported by ESET, a Slovak cybersecurity vendor, which tracks the responsible China-nexus state-sponsored actor as FishMonger; the same activity cluster is known elsewhere as Earth Lusca, Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. The group has been linked to several high-profile attacks on organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S.
According to ESET researcher Martin Smolár, the WIN_DRV variant retains most of the core architecture of its Linux predecessor, including the C&C protocol, the encryption used, and the overall command handling logic, while substituting Windows-native mechanisms where required and improving stealth by bringing kernel drivers into play. The driver performs TCP traffic diversion: operators can send commands to the backdoor through an arbitrary TCP port on the victim's machine, so the port on which the backdoor actually listens never appears in network traffic. For defenders this means the port seen on the wire and the port a host-side socket listing reports for the implant need not agree.
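A cross-view check for the kind of port diversion described above, added here as an example and not code from ESET or the article: a kernel driver that forwards traffic arriving on arbitrary ports to the backdoor leaves a gap between what the network sees (the port accepts a connection) and what the host reports (no socket bound to that port). The script also lists running kernel drivers whose Authenticode signature is invalid or not issued through Microsoft, as a coarse triage filter for an unexpected driver. The function names, the two-step host/remote workflow, and the 'Microsoft' signer heuristic are my own assumptions; nothing here is specific to the SprySOCKS driver, which the article does not describe at that level.

```powershell
# Added example (not from ESET or the article). Two triage checks for
# kernel-level TCP diversion on a Windows host:
#   1. cross-view port check: ports that accept connections from the network
#      but are absent from the host's own socket table;
#   2. running kernel drivers whose Authenticode signature is not valid or
#      not issued through Microsoft (WHQL/attestation-signed drivers also show
#      a Microsoft signer, so most legitimate drivers drop out).
#
# Step 1, ON the suspect host (then copy the file off the host):
#   Get-NetTCPConnection -State Listen |
#       Select-Object -ExpandProperty LocalPort -Unique |
#       Set-Content .\reported-listeners.txt
# Step 2, from ANOTHER host that can reach the suspect:
#   Find-DivertedPorts -Target 10.0.0.5 -ReportedListenersFile .\reported-listeners.txt
# Step 3, ON the suspect host, elevated:
#   Get-SuspectKernelDrivers | Format-Table -AutoSize

function Test-TcpPortOpen {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 200)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # A closed port answers with RST almost immediately; a firewall-dropped
        # (filtered) port costs the full timeout, so narrow -Ports when you can.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Find-DivertedPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$ReportedListenersFile,
        [int[]]$Ports = (1..65535)
    )
    $reported = @(Get-Content -LiteralPath $ReportedListenersFile | ForEach-Object { [int]$_ })
    foreach ($port in $Ports) {
        if ((Test-TcpPortOpen -Target $Target -Port $port) -and ($reported -notcontains $port)) {
            [pscustomobject]@{
                Port    = $port
                Finding = 'accepts TCP connections but has no listener in the host socket table'
            }
        }
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings:
    #   \??\C:\...\x.sys   \SystemRoot\System32\drivers\x.sys   System32\drivers\x.sys
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectKernelDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = '<file not found>'; Status = 'Missing' }
                return   # next driver
            }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = $signer; Status = $sig.Status }
            }
        }
}
```

Both checks are triage, not proof. A diversion driver that only redirects traffic carrying a specific trigger (something the article does not detail) will not answer a bare connect, so an empty result does not clear the host; and a vendor driver with an older cross-signature shows its vendor rather than Microsoft as signer and lands in the list. Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012 and later).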
The WIN_PLUS variant takes a different approach, using the Windows Print Spooler service ("spoolsv.exe") as its starting point: the first-stage loader is registered as a print processor, a DLL type the spooler loads itself, which gets the loader executed inside the SYSTEM-level spooler process. The loader then creates a new "svchost.exe" process, injects a SprySOCKS loader into it, and launches the backdoor from there.
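The print processor mechanism WIN_PLUS relies on is a documented Windows persistence location: print processor DLLs are registered under the spooler's Environments registry keys and loaded into spoolsv.exe. The PowerShell below is an added example for hunting that chain, not code from ESET or the article. The registry layout and the default winprint entry are standard Windows; the 'Microsoft' signer heuristic, the function names, and the choice to also list every process spawned by spoolsv.exe are my own.

```powershell
# Added example (not from ESET or the article). Hunts for the two observable
# traces of the WIN_PLUS chain: a non-default print processor registered with
# the spooler, and a process (svchost.exe in the article's description)
# created by spoolsv.exe. Run elevated.

function Get-PrintProcessorFindings {
    $envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    foreach ($envKey in Get-ChildItem -Path $envRoot) {
        # Each environment key carries a 'Directory' value (e.g. x64) naming the
        # subfolder of spool\prtprocs from which spoolsv.exe loads processor DLLs.
        $arch    = (Get-ItemProperty -Path $envKey.PSPath).Directory
        $procDir = "$env:SystemRoot\System32\spool\prtprocs\$arch"
        if (-not $arch -or -not (Test-Path -LiteralPath $procDir)) { continue }   # non-native environments
        $ppKey = Join-Path $envKey.PSPath 'Print Processors'
        if (-not (Test-Path -Path $ppKey)) { continue }
        foreach ($pp in Get-ChildItem -Path $ppKey) {
            $dll  = (Get-ItemProperty -Path $pp.PSPath).Driver
            $path = if ($dll) { Join-Path $procDir $dll } else { '<no Driver value>' }
            $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
            # A stock Windows install registers exactly one processor: winprint -> winprint.dll.
            # Printer-vendor processors will also show up here; treat the list as triage.
            $suspicious = (($pp.PSChildName -ne 'winprint') -or ($dll -ne 'winprint.dll') -or
                           (-not $sig) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft'))
            if ($suspicious) {
                [pscustomobject]@{
                    Environment = $envKey.PSChildName
                    Processor   = $pp.PSChildName
                    Dll         = $path
                    Signer      = $signer
                    SigStatus   = if ($sig) { $sig.Status } else { 'NotSigned/Missing' }
                }
            }
        }
    }
}

function Get-SpoolerChildProcesses {
    # spoolsv.exe rarely creates processes; a child svchost.exe is the pattern the
    # article describes. ParentProcessId can be stale after PID reuse, so confirm
    # the child is younger than the spooler before acting on a hit.
    foreach ($spooler in Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'") {
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($spooler.ProcessId)" |
            ForEach-Object {
                [pscustomobject]@{
                    SpoolerPid  = $spooler.ProcessId
                    ChildPid    = $_.ProcessId
                    Child       = $_.Name
                    Created     = $_.CreationDate
                    CommandLine = $_.CommandLine
                    Flag        = if ($_.Name -ieq 'svchost.exe') { 'svchost spawned by spooler' } else { 'review' }
                }
            }
    }
}

Get-PrintProcessorFindings | Format-Table -AutoSize
Get-SpoolerChildProcesses  | Format-Table -AutoSize
```

A hit in the first function is worth pulling the DLL for analysis; a hit in the second is worth dumping the child process before it is touched, since the article says the backdoor is injected into it rather than written to disk as an executable.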
Both variants are DLLs. They support three C2 channels, over TCP, UDP, and WebSocket, and execute operator-issued commands on the compromised host: collecting system information, launching an interactive console, enumerating processes, reporting C2 communication details, listing all services, initialising a SOCKS proxy, uploading and downloading files, and running existing files.
The variants significantly expand the cross-platform capabilities of FishMonger, the group under which ESET has tracked this activity since 2021. The WIN_DRV attack chain begins with an as-yet-undetermined initial access vector that drops a batch script; the script creates and runs a scheduled task, which triggers a DLL side-loading chain that drops the SprySOCKS backdoor and its driver components.
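For the WIN_DRV chain (a scheduled task that triggers DLL side-loading), the hunt that follows is an added example rather than anything from ESET or the article. It walks every scheduled task's actions, keeps those whose executable lives outside %SystemRoot% and the Program Files directories, and lists the DLLs sitting next to that executable with their signature state; the classic side-loading shape is a validly signed executable in an odd directory beside an unsigned DLL. The directory allow-list and the function name are my own assumptions and should be adjusted to the environment.

```powershell
# Added example (not from ESET or the article). Finds scheduled tasks whose
# action runs an executable from a non-standard directory and lists the DLLs
# beside it, since a side-loading chain needs a legitimate (signed) host
# executable and a look-alike DLL in the same folder. Run elevated.

function Get-SideLoadingTaskCandidates {
    param(
        # Directories whose contents are not reported. Adjust to your environment.
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ($exe -notmatch '^[A-Za-z]:\\') { continue } # bare names resolve via PATH; out of scope here
            if (-not (Test-Path -LiteralPath $exe)) { continue }

            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            if ($trusted) { continue }

            $exeSig = Get-AuthenticodeSignature -FilePath $exe
            $dir    = Split-Path -Parent $exe
            foreach ($dll in Get-ChildItem -LiteralPath $dir -Filter *.dll -ErrorAction SilentlyContinue) {
                $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Exe       = $exe
                    ExeSig    = $exeSig.Status
                    ExeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }
                    Dll       = $dll.FullName
                    DllSig    = $dllSig.Status
                    Pattern   = if ($exeSig.Status -eq 'Valid' -and $dllSig.Status -ne 'Valid') { 'signed exe + unsigned dll' } else { 'review' }
                }
            }
        }
    }
}

Get-SideLoadingTaskCandidates | Sort-Object Pattern, Task | Format-Table -AutoSize
```

Rows tagged 'signed exe + unsigned dll' are the ones to triage first; compare the DLL's export table against what the signed executable imports, since a side-loaded DLL has to satisfy those imports to be loaded at all. Tasks that run a batch file directly (the chain's first stage as the article describes it) will not be caught by this filter unless the batch file itself sits outside the trusted roots, so review task actions whose executable is cmd.exe separately.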
Researchers believe the variants were deployed between 2023 and 2024 in attacks on government organizations in Honduras, Taiwan, Thailand, and Pakistan. The evidence also points to the involvement of a UEFI bootkit, likely exploiting CVE-2023-24932, the Windows Boot Manager security feature bypass associated with the BlackLotus UEFI bootkit. Installing the patch for that CVE is not enough on its own: boot managers signed under the older Microsoft certificate remain bootable until the Secure Boot DB and DBX updates Microsoft describes in KB5025885 have been applied and enforced.
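The check below, added here and not taken from ESET or the article, verifies the Secure Boot side of the CVE-2023-24932 mitigations as Microsoft documents them in KB5025885: the "Windows UEFI CA 2023" certificate must be present in the Secure Boot DB, and the "Microsoft Windows Production PCA 2011" certificate must be in the forbidden list (DBX) before boot managers signed under the old CA, including the vulnerable ones a BlackLotus-style bootkit relies on, are refused by firmware. The substring match over the raw variable bytes mirrors Microsoft's own guidance; the function name and the output shape are my own.

```powershell
# Added example (not from ESET or the article). Reports whether this host has
# the Secure Boot certificate changes behind the CVE-2023-24932 mitigations
# (KB5025885). Requires an elevated prompt on a UEFI system.

function Get-BootManagerRevocationStatus {
    try {
        $secureBoot = Confirm-SecureBootUEFI   # throws on legacy BIOS / unsupported firmware
    } catch {
        return [pscustomobject]@{ SecureBootEnabled = $false; Note = "Secure Boot not available: $($_.Exception.Message)" }
    }
    # The UEFI variables hold DER-encoded certificates; the subject names are
    # PrintableString, so an ASCII substring match is sufficient (this is the
    # same test Microsoft's KB uses).
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $newCaTrusted = $db  -match 'Windows UEFI CA 2023'
    $oldCaRevoked = $dbx -match 'Microsoft Windows Production PCA 2011'

    $state = if ($secureBoot -and $newCaTrusted -and $oldCaRevoked) { 'enforced' } elseif ($secureBoot -and $newCaTrusted) { 'new CA trusted, old CA not yet revoked' } else { 'not applied' }

    [pscustomobject]@{
        SecureBootEnabled     = $secureBoot
        NewCaInDb             = $newCaTrusted
        OldPca2011InDbx       = $oldCaRevoked
        BootManagerRevocation = $state
    }
}

Get-BootManagerRevocationStatus | Format-List
```

Only the 'enforced' state closes the door on old, exploitable boot managers. Before revoking the 2011 CA, update recovery and installation media, since anything still signed under it stops booting on that machine once the DBX entry is in place. Note also that these variables are read through the running operating system; on a host where a bootkit is already suspected, treat the result as one data point and verify from trusted boot media.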
The emergence of SprySOCKS on Windows underlines the growing sophistication and stealth of China-linked operators. Organizations, and government bodies in particular, should hunt for the concrete traces this report describes, namely non-default print processors, processes spawned by the spooler, scheduled tasks that side-load DLLs, and unexpected kernel drivers, and should confirm that their Secure Boot revocations for CVE-2023-24932 are actually in place rather than merely patched.
Related Information:
https://www.ethicalhackingnews.com/articles/Expanding-Shadows-The-Emergence-of-China-Linked-SprySOCKS-Backdoor-on-Windows-ehn.shtml
https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html
Published: Wed Jun 17 23:48:56 2026 by llama3.2 3B Q4_K_M