Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS.
“The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS,” ESET said in a report shared with The Hacker News. “Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols.”
Like its Linux counterpart, the Windows versions support more than 30 commands covering system information collection, process enumeration, service management, and file system operations. WIN_DRV additionally uses kernel drivers to hide the malware’s network connections, processes, files, and registry keys from user-mode tooling.
In addition, the variant supports TCP traffic diversion: operators can send commands to the backdoor through a random TCP port on the victim’s device, so the backdoor’s actual listening port never appears in the network traffic.
SprySOCKS was first publicly documented by Trend Micro in September 2023, which attributed its use to a China-nexus state-sponsored threat actor known as Earth Lusca, also tracked by the cybersecurity community under the monikers Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. The adversary is assessed to have been active since at least 2021 and to be operated by the Chinese contractor i-Soon.
The Slovak cybersecurity vendor, which tracks the threat cluster as FishMonger, describes it as a cyber espionage group under the broader Winnti umbrella. In a report published in March 2025, the company linked the group to a global campaign dubbed Operation FishMedley that targeted seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022.
SprySOCKS is based on a Windows remote access trojan called Trochilus, and shares several common traits with RedLeaves, a backdoor that also exhibits extensive source code overlaps with Trochilus. What’s more, the use of Trochilus is linked to another Chinese threat actor known as Webworm, which, in turn, has tradecraft commonalities with both FishMonger and SixLittleMonkeys.
[Figure: WIN_DRV Execution Chain]
The Windows variants are part of version 1.8 of SprySOCKS, with the WIN_DRV sample using a kernel driver referred to as RawWNPF (“KW1B5206BDC1743FP.dat”) for advanced stealth, while retaining the functionality present in the Linux variant. The driver is loaded using another encrypted kernel driver named DriverLoader (“KX1B5206BDC1743DD.dat”).
The attack chain uses an as-yet-undetermined initial access vector to drop a batch script, which creates and executes a scheduled task; that task triggers a DLL side-loading chain that drops the SprySOCKS backdoor and the driver components. It is worth noting, however, that the group has previously exploited N-day security flaws in public-facing Fortinet, GitLab, Microsoft…
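The persistence step described above, a scheduled task whose action launches a binary that then side-loads a DLL, leaves a recoverable trace in the task XML files under `C:\Windows\System32\Tasks`. The following is an added example (not ESET's or Trend Micro's tooling, and not code from the original article) of an offline hunt over such files: it parses each task's `<Exec>` actions, flags binaries launched from outside the standard Windows and Program Files directories, and lists the DLLs and `.dat` files sitting next to that binary as side-load and dropped-payload candidates. The task XML, the directory listing and the `ENV_VARS` table are constructed sample data and assumptions for the example, not artefacts from the campaign.

```python
"""Offline hunt over Task Scheduler XML for Exec actions that launch a binary from
an untrusted directory which also holds DLLs (the shape of a task that starts a
DLL side-loading chain). Sample data below is constructed, not real artefacts."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler's XML namespace (fixed by the schema, task version 1.2+).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories where a signed host binary is expected to live. Anything launched
# from elsewhere (ProgramData, AppData, Temp, Public ...) gets a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Minimal expansion for the variables that commonly appear in <Command>.
# Assumption: a default install with Windows on C:.
ENV_VARS = {
    "%systemroot%": "C:\\Windows",
    "%windir%": "C:\\Windows",
    "%programfiles%": "C:\\Program Files",
    "%programdata%": "C:\\ProgramData",
}

# Constructed sample task files. On disk these are UTF-16 with a BOM; parse real
# files from bytes with ET.parse(path) instead of decoding them first.
TASK_SUSPICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\ProgramData\Updater\updater.exe"</Command>
      <Arguments>/silent</Arguments>
      <WorkingDirectory>C:\ProgramData\Updater</WorkingDirectory>
    </Exec>
  </Actions>
</Task>"""

TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>query</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed directory listing (lower-cased directory -> file names), as a
# triage collection would provide it.
SAMPLE_LISTING = {
    "c:\\programdata\\updater": ["updater.exe", "version.dll", "KX1B5206BDC1743DD.dat"],
    "c:\\windows\\system32": ["sc.exe", "kernel32.dll"],
}


def expand_env(path: str) -> str:
    lower = path.lower()
    for var, value in ENV_VARS.items():
        if lower.startswith(var):
            return value + path[len(var):]
    return path


def parse_exec_actions(task_xml: str) -> list:
    """Return every <Exec> action of one task as {command, arguments, workdir}."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.findall("./t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        actions.append({
            "command": command,
            "arguments": exec_el.findtext("t:Arguments", default="", namespaces=NS),
            "workdir": exec_el.findtext("t:WorkingDirectory", default="", namespaces=NS),
        })
    return actions


def assess_action(action: dict, listing: dict) -> dict:
    exe = expand_env(action["command"])
    exe_dir = str(PureWindowsPath(exe).parent).lower()
    in_trusted_dir = exe.lower().startswith(TRUSTED_PREFIXES)
    siblings = listing.get(exe_dir, [])
    # DLLs beside the launched binary are the side-load candidates: a host EXE
    # resolves many imports from its own directory before the system directories.
    dlls = sorted(f for f in siblings if f.lower().endswith(".dll"))
    # Non-PE blobs beside it are worth a look too; the driver components in this
    # campaign were dropped as encrypted .dat files.
    blobs = sorted(f for f in siblings if f.lower().endswith(".dat"))
    return {
        "exe": exe,
        "arguments": action["arguments"],
        "in_trusted_dir": in_trusted_dir,
        "sideload_candidates": dlls,
        "payload_candidates": blobs,
        "suspicious": (not in_trusted_dir) and bool(dlls),
    }


def hunt_tasks(task_xmls, listing: dict) -> list:
    """Assess every Exec action across a set of task XML documents."""
    return [assess_action(a, listing) for xml in task_xmls for a in parse_exec_actions(xml)]


if __name__ == "__main__":
    for finding in hunt_tasks([TASK_SUSPICIOUS, TASK_BENIGN], SAMPLE_LISTING):
        print(finding)
```

Against a real triage collection, feed `hunt_tasks` the contents of every file under `C:\Windows\System32\Tasks` and a listing built from the directories those commands point at; the `in_trusted_dir` test is a coarse prefix check, so a host binary copied into a user-writable subfolder of Program Files would still need the DLL-neighbour signal to be caught.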