Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS.

"The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols."

Like their Linux counterpart, the Windows versions support more than 30 commands covering system information collection, process enumeration, service management, and file system operations. WIN_DRV has also been found to use kernel drivers to hide the malware's network connections, processes, files, and registry keys.

In addition, the WIN_DRV variant supports TCP traffic diversion, which lets the malware operators send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's actual listening port in the network traffic.

SprySOCKS was first publicly documented by Trend Micro in September 2023, which attributed its use to a China-nexus state-sponsored threat actor known as Earth Lusca, also tracked by the cybersecurity community under the monikers Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. The adversary is assessed to have been active since at least 2021 and to be operated by a Chinese contractor named i-Soon.