China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

Summary

Cybersecurity researchers have uncovered two previously undocumented Windows variants of the SprySOCKS backdoor, attributed to the China-nexus threat actor Earth Lusca (also known as Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel). The Windows variants, designated WIN_DRV and WIN_PLUS, support over 30 commands and employ kernel drivers to conceal malware network connections, processes, files, and registry keys. WIN_DRV uses RawWNPF driver for advanced stealth and TCP traffic diversion, while WIN_PLUS leverages the Windows Print Spooler service for execution, expanding the backdoor's reach beyond its previously documented Linux-only deployment.

Full text

China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth Ravie LakshmananJun 16, 2026Malware / Cyber Espionage Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols." Like its Linux counterpart, the Windows versions support more than 30 commands to facilitate system information collection, process enumeration, service management, and file system operations. WIN_DRV has also been found to utilize kernel drivers to conceal the malware's network connections, processes, files, and registry keys. In addition, the variant enables TCP traffic diversion that allows the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's actual listening port in the network traffic. SprySOCKS was first publicly documented by Trend Micro in September 2023, attributing its use to a China-nexus state-sponsored threat actor known as Earth Lusca, which is also tracked by the cybersecurity community under the monikers Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. The adversary is assessed to be active since at least 2021 and operated by a Chinese contractor named i-Soon. The Slovakian cybersecurity vendor, which has assigned the name FishMonger to the threat cluster, has described it as a cyber espionage group that falls under the broader Winnti umbrella. In a report published in March 2025, the company linked the hacking group to a global campaign dubbed Operation FishMedley targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022. SprySOCKS is based on a Windows remote access trojan called Trochilus, and shares several common traits with RedLeaves, a backdoor that also exhibits extensive source code overlaps with Trochilus. What's more, the use of Trochilus is linked to another Chinese threat actor known as Webworm, which, in turn, has tradecraft commonalities with both FishMonger and SixLittleMonkeys. WIN_DRV Execution Chain The Windows variants are part of version 1.8 of SprySOCKS, with the WIN_DRV sample using a kernel driver referred to as RawWNPF ("KW1B5206BDC1743FP.dat") for advanced stealth, while retaining the functionality present in the Linux variant. The driver is loaded using another encrypted kernel driver named DriverLoader ("KX1B5206BDC1743DD.dat"). The attack chain makes use of an as-yet-undetermined initial access pathway to drop a batch script, which then creates and executes a scheduled task responsible for triggering a DLL side-loading chain that drops the SprySOCKS backdoor and the driver components. However, it's worth noting that the group has previously exploited N-day security flaws in public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra instances to obtain a foothold. "The Windows version retains most of the core architecture of its Linux predecessor — including the C&C protocol, encryption used, and overall command handling logic — while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game," ESET researcher Martin Smolár said. WIN_PLUS Execution Chain "The most notable differences can be spotted in the way the final backdoor is loaded, in the improved stealthiness, and in the component names and paths used. The WIN_PLUS execution scheme, in contrast, adopts a different approach. It leverages the Windows Print Spooler service ("spoolsv.exe") as a starting point to execute a first-stage loader that runs as a print processor. It's designed to inject and run a SprySOCKS loader into a newly created "svchost.exe" process to launch the backdoor. Both WIN_DRV and WIN_PLUS variants of SprySOCKS are DLLs that support three channels for C2 communications over TCP, UDP, and WebSocket and run commands issued by the operator on the compromised host. This includes collecting system information, launching an interactive console, enumerating processes, getting C2 communication details, listing all services, initialising a SOCKS proxySOCKS proxy, uploading/downloading files, and running existing files. Evidence indicates that the artifacts may have been deployed between 2023 and 2024 in attacks targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan. The WIN_PLUS version was first detected in July 2024 on a victim device geolocated to Pakistan. What's more, there are "limited indications" suggesting the involvement of a UEFI bootkit, likely exploiting CVE-2023-24932 (CVSS score: 6.7), a security feature bypass vulnerability in the Windows Boot Manager that’s famously associated with the BlackLotus UEFI bootkit. The security flaw was addressed by Microsoft in May 2023. "The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger's cross-platform capabilities," ESET said. "The Windows port retains most of the core architecture of its Linux predecessor – including the C&C protocol, encryption used, and overall command handling logic – while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cyber espionage, cybersecurity, ESET, linux, Malware, UEFI Bootkit ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• malware — SprySOCKS
• malware — WIN_DRV
• malware — WIN_PLUS
• malware — RawWNPF
• malware — DriverLoader
• malware — Trochilus
• malware — RedLeaves

Entities