ESET researchers uncovered two previously unknown Windows variants of SprySOCKS, a backdoor linked to Chinese threat actors that was previously thought to operate only on Linux systems.
The newly identified variants, designated WIN_DRV and WIN_PLUS, represent a significant expansion of the malware's operational scope. WIN_DRV operates as a kernel-mode driver, providing deep system access and enhanced stealth capabilities. WIN_PLUS functions as a user-mode implant. Both variants contain hard-coded command-and-control configuration data and support communication over TCP and UDP protocols.
SprySOCKS joins a growing category of cross-platform backdoors deployed by Chinese state-sponsored groups. The driver-based approach in WIN_DRV follows a pattern observed in other advanced persistent threat campaigns, where kernel-mode execution bypasses user-space security controls and hinders detection by endpoint protection tools.
The malware's ability to maintain persistent C&C connectivity through multiple transport protocols indicates attackers designed it for reliability across diverse network environments. Hard-coded configurations simplify deployment but also suggest targeting of specific high-value victims rather than indiscriminate distribution.
Affected Windows systems face risks including unauthorized remote command execution, lateral movement within networks, and long-term persistent compromise. Because WIN_DRV runs in the kernel, standard process monitoring does not surface its activity. The backdoor's cross-platform nature means defenders cannot assume Linux-only detection strategies provide complete protection.
The emergence of WIN_DRV and WIN_PLUS suggests SprySOCKS operators have significantly expanded their targeting beyond Linux infrastructure. Organizations should treat this discovery as an elevated threat indicator, particularly those managing sensitive data or critical infrastructure. Security teams should review kernel-mode driver logging, inspect unexpected kernel module loads, and correlate suspicious network communications with TCP/UDP patterns matching known SprySOCKS infrastructure.
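One concrete form the "inspect unexpected kernel module loads" step can take is a baseline check over driver-load telemetry, as in this added example (not code from ESET or the report): it parses constructed records shaped like Sysmon Event ID 6 (DriverLoad) fields and flags drivers that are unsigned, carry an unrecognized signer, or load from outside the standard driver directories. The sample log lines, the trusted-signer set and the directory allowlist are assumptions to be tuned per environment.

```python
"""Flag unexpected kernel driver loads from driver-load telemetry such as Sysmon Event ID 6."""
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from the ESET report). Each line carries the
# Sysmon DriverLoad fields ImageLoaded, Signed and Signature, pipe-separated.
SAMPLE_LOG = r"""
ImageLoaded: C:\Windows\System32\drivers\tcpip.sys|Signed: true|Signature: Microsoft Windows
ImageLoaded: C:\Windows\System32\drivers\ntfs.sys|Signed: true|Signature: Microsoft Windows
ImageLoaded: C:\Users\Public\netsvc.sys|Signed: false|Signature: -
ImageLoaded: C:\Windows\Temp\upd.sys|Signed: true|Signature: Contoso Test CA
"""

# Assumed baseline for this host class; tune per environment.
TRUSTED_SIGNERS = {"Microsoft Windows"}
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def parse_driver_loads(text: str) -> List[Dict[str, str]]:
    """Turn one pipe-separated record per line into a dict of field -> value."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split("|"):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def find_unexpected(records: List[Dict[str, str]],
                    trusted_signers=TRUSTED_SIGNERS,
                    driver_dirs=DRIVER_DIRS) -> List[Tuple[str, List[str]]]:
    """Return (driver path, reasons) for every load that breaks the baseline."""
    flagged = []
    for rec in records:
        path = rec.get("ImageLoaded", "")
        reasons = []
        if rec.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        if rec.get("Signature") not in trusted_signers:
            reasons.append("unknown signer")
        if not path.lower().startswith(driver_dirs):
            reasons.append("unusual path")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in find_unexpected(parse_driver_loads(SAMPLE_LOG)):
        print(f"{path}: {', '.join(reasons)}")
```

A signed-but-untrusted driver is flagged just like an unsigned one, since a valid signature from an unfamiliar publisher says nothing about whether the load is expected on that host.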
ESET
