Particle.news

SprySOCKS Backdoor Ports to Windows With Kernel-Driver Stealth

ESET released a technical report showing that two Windows builds use a kernel driver and Print Spooler abuse to hide espionage tooling and deepen the persistence risk.

Overview

  • ESET disclosed on Tuesday that SprySOCKS, previously seen as a Linux-only backdoor, has two Windows variants labeled WIN_DRV and WIN_PLUS that were used in real attacks.
  • WIN_DRV installs a kernel driver chain (DriverLoader → RawWNPF) that acts like a rootkit to hide files, processes, registry keys and network connections from user-level tools.
  • WIN_PLUS uses the Windows Print Spooler as a launch point and relies on DLL side-loading and process injection to start the backdoor without obvious indicators.
  • ESET telemetry links deployments in 2023–2024 to government organizations in Taiwan, Thailand, Pakistan and Honduras and attributes the activity with high confidence to the China-linked Earth Lusca/FishMonger cluster.
  • Researchers warn that the tools support TCP, UDP and WebSocket C2, 30+ espionage commands, SOCKS proxying and keystroke logging, and they reported limited indications of a possible UEFI bootkit that could enable persistence below the OS level.