Cybersecurity researchers have identified two previously undocumented Windows variants of the SprySOCKS backdoor, a tool first tied to China-linked espionage activity and now seen in attacks that may have targeted government organizations in Honduras, Taiwan, Thailand and Pakistan between 2023 and 2024.
KEY FACTS
- Variants: The Windows builds are labeled WIN_DRV and WIN_PLUS.
- Capabilities: They support more than 30 commands and can communicate over TCP, UDP and WebSocket.
- Stealth: WIN_DRV uses kernel drivers to hide network connections, processes, files and registry keys.
- Targeting: Evidence points to deployments in 2023 and 2024 against government entities in several countries.
A technical analysis from ESET says both variants are part of SprySOCKS version 1.8 and keep the core architecture of the Linux backdoor while replacing some functions with Windows-native components.
SprySOCKS was first publicly documented in 2023 and linked to the Earth Lusca cluster, which the wider security community also tracks as Aquatic Panda, Bronze University, Charcoal Typhoon and RedHotel. The report says the group is associated with the FishMonger name and with the contractor i-Soon.
WIN_DRV uses an encrypted kernel driver for added stealth, while WIN_PLUS begins with the Windows Print Spooler service and injects a loader into a new svchost.exe process. Both variants can collect system information, enumerate processes, manage services, upload and download files, run commands and set up a SOCKS proxy.
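The WIN_PLUS loader described above ends up inside a freshly created svchost.exe process, which gives defenders a generic place to look: a legitimate svchost.exe is started by services.exe, lives in System32 or SysWOW64, and carries a `-k` service-group argument. The check below is an added example written for this article, not code from ESET or from the reporting, and it is a generic parentage and command-line heuristic rather than a SprySOCKS signature. It assumes Sysmon-style process-creation events flattened to `key=value` lines; the four sample lines are constructed, and the spoolsv.exe parent in the second one is an assumed illustration of the Print Spooler relationship the article mentions, not a detail taken from the analysis.

```python
"""Flag svchost.exe process creations that break the normal pattern.

Added example, not code from the article or from ESET. Constructed
Sysmon-style Event ID 1 lines stand in for real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real logs). Line 1 is a normal svchost;
# line 2 assumes a svchost spawned by the Print Spooler; line 4 is a
# look-alike binary running out of a user's Temp directory.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe CommandLine="svchost.exe -k netsvcs -p"',
    r'EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\spoolsv.exe CommandLine="svchost.exe"',
    r'EventID=1 Image=C:\Windows\System32\spoolsv.exe ParentImage=C:\Windows\System32\services.exe CommandLine="spoolsv.exe"',
    r'EventID=1 Image=C:\Users\alice\AppData\Local\Temp\svchost.exe ParentImage=C:\Windows\explorer.exe CommandLine="svchost.exe"',
]

# key=value pairs; values may be double-quoted when they contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

EXPECTED_PARENT = "services.exe"
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def svchost_anomalies(fields):
    """Return the list of reasons a svchost.exe creation looks abnormal.

    An empty list means the event is either not svchost.exe or looks normal.
    """
    image = fields.get("Image", "")
    path = PureWindowsPath(image)
    if path.name.lower() != "svchost.exe":
        return []

    reasons = []
    parent = PureWindowsPath(fields.get("ParentImage", "")).name.lower()
    if parent != EXPECTED_PARENT:
        reasons.append(f"unexpected parent: {parent or '<none>'}")

    if str(path.parent).lower() not in EXPECTED_DIRS:
        reasons.append(f"non-standard path: {image}")

    # Real service hosts are launched as "svchost.exe -k <group> ..."
    cmdline = fields.get("CommandLine", "")
    if not re.search(r"(^|\s)-k\s+\S", cmdline, re.IGNORECASE):
        reasons.append("no -k service group on command line")
    return reasons


def find_anomalous_svchost(lines):
    """Scan process-creation lines and collect the abnormal svchost.exe ones."""
    findings = []
    for line in lines:
        fields = parse_event(line)
        if fields.get("EventID") != "1":
            continue
        reasons = svchost_anomalies(fields)
        if reasons:
            findings.append({
                "image": fields.get("Image", ""),
                "parent": PureWindowsPath(fields.get("ParentImage", "")).name.lower(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_anomalous_svchost(SAMPLE_EVENTS):
        print(hit["image"], "<-", hit["parent"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Each reason is reported separately so a triage queue can weight them: an out-of-path binary named svchost.exe is almost always worth a look, while a parent other than services.exe on a System32 copy is the pattern that matches a loader injected into a new svchost.exe process as described for WIN_PLUS.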
The disclosure also notes limited signs of a UEFI bootkit and possible abuse of CVE-2023-24932, a Windows Boot Manager flaw Microsoft patched in May 2023. The initial access method was not determined.
WHY IT MATTERS
The Windows variants show that SprySOCKS is no longer limited to Linux systems and that the operators have broadened their tools for stealth and persistence. That raises the risk of harder-to-detect intrusions on public and government networks.