The Hacker News

China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

ESET researchers discovered two new Windows variants of the SprySOCKS backdoor, which was previously thought to be exclusive to Linux systems. The variants, internally designated WIN_DRV and WIN_PLUS, were detailed in a report shared with The Hacker News. Both versions carry a hard-coded command-and-control (C&C) configuration and can communicate over both TCP and UDP. The discovery indicates that the threat actor has expanded its capabilities to target a second operating system. SprySOCKS is attributed to a China-linked threat group, and the Windows port suggests a coordinated effort to widen its operational reach. The driver-based design of the WIN_DRV variant lets it operate with a higher degree of stealth than a conventional user-mode implant, making detection and removal more challenging for security professionals. This development underscores the evolving tactics of sophisticated state-sponsored hacking groups.

Original source — read the full reporting at the publisher:

Read on The Hacker News