ESET researchers have identified two previously undocumented Windows variants of the SprySOCKS backdoor, an implant previously believed to target only Linux systems. Dubbed WIN_DRV and WINPLUS, these variants signal an expansion of the threat actor's capabilities into the Windows ecosystem.
Both variants incorporate hard-coded command-and-control (C2) configurations enabling communication over TCP and UDP. The WIN_DRV variant is particularly concerning, as it uses a kernel-mode driver for stealthy operation and persistence, making it significantly harder to detect with standard security tools.
While ESET's report did not disclose a specific delivery mechanism, initial access likely relies on phishing or compromised software updates. The C2 infrastructure supports encrypted traffic, complicating network-based detection. No CVSS score or active exploitation details were provided.
No patches or mitigation strategies have been released, as this is a custom backdoor rather than a software vulnerability. Organizations should monitor for suspicious kernel-mode driver installations and anomalous network traffic to C2 endpoints. Memory forensics may be required to detect WIN_DRV, given its kernel-level access.
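One way to implement the driver-installation monitoring suggested above, as an added PowerShell example that is not from ESET's report or the threat actor's tooling: it walks recent Service Control Manager 7045 events, keeps only kernel-mode driver installs, and checks the Authenticode signature of each driver image. It assumes an elevated shell and an arbitrary 30-day lookback window.

```powershell
# Added example (not from the ESET report): triage recently installed kernel-mode
# drivers. Event ID 7045 (Service Control Manager, System log) records every new
# service, including kernel drivers; we keep those and inspect the image on disk.
# Assumption: run elevated; $LookbackDays is an arbitrary window chosen here.
param([int]$LookbackDays = 30)

function Resolve-DriverPath {
    # The ImagePath in 7045 may appear as \??\C:\..., \SystemRoot\..., or a
    # path relative to %SystemRoot% (e.g. system32\drivers\x.sys). Normalise it.
    param([string]$Raw)
    $p = $Raw -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-RecentKernelDriverInstall {
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 7045 payload: [0]=ServiceName [1]=ImagePath [2]=ServiceType [3]=StartType [4]=AccountName
        if ([string]$e.Properties[2].Value -notmatch 'kernel') { continue }
        $path = Resolve-DriverPath ([string]$e.Properties[1].Value)
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Installed   = $e.TimeCreated
            ServiceName = $e.Properties[0].Value
            ImagePath   = $path
            StartType   = $e.Properties[3].Value
            InstalledBy = $e.Properties[4].Value
            # 'FileMissing' is itself interesting: a driver registered and then removed from disk.
            Signature   = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$findings = Get-RecentKernelDriverInstall -Since (Get-Date).AddDays(-$LookbackDays)
$findings | Sort-Object Installed -Descending | Format-Table -AutoSize

# Review anything not 'Valid' first. A 'Valid' status alone does not clear a
# driver; compare Signer and ImagePath against what you expect on that host.
$findings | Where-Object { $_.Signature -ne 'Valid' }
```

Pair the output with a baseline of the drivers you expect on the host; the findings are a triage list for an analyst, not a verdict.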
Attribution ties this activity to China-linked threat actors based on historical SprySOCKS usage, though ESET did not specify a particular group. This development underscores the growing sophistication of adversaries porting Linux-specific tools to Windows, narrowing the detection gap between platforms.