
RESEARCHERS have identified a new Windows version of the SprySOCKS backdoor that runs with kernel-level stealth, allowing it to evade typical detection tools while targeting government networks, according to ESET analysis. The backdoor is linked to the China-aligned espionage group Earth Lusca, which has previously used the malware against Linux hosts.
Two distinct Windows variants have been observed, labelled WIN_DRV and WIN_PLUS, each installed as a malicious driver to gain deep system access, as reported by Infosecurity Magazine. These drivers hook kernel callbacks and modify system structures to conceal their presence from standard security scanners.
Once active, SprySOCKS can perform system reconnaissance, manipulate running processes, read and write files, and capture keystrokes, giving attackers extensive control over compromised machines, per The Hacker News. The functionality mirrors that of the original Linux version but now benefits from the heightened privileges afforded by kernel execution.
ESET notes that the threat has been active since at least 2023, with recent intrusions observed against government entities in Honduras and Taiwan. Analysts also warn that the group may be experimenting with UEFI bootkit techniques to maintain persistence across reboots.
Defenders should monitor kernel driver loading events for unsigned or unexpectedly signed binaries and review system logs for anomalous callback registrations. Employing memory integrity solutions that protect kernel structures can help detect the stealth techniques used by WIN_DRV and WIN_PLUS.
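As an added illustration of the monitoring described above (this script is not from the article or from ESET), the following PowerShell audit lists running kernel drivers whose Authenticode signature is missing, invalid, or from a signer outside an assumed trusted baseline, then pulls recent driver installation events (System event 7045) and, where Sysmon is deployed, driver-load events (Sysmon event 6). The trusted-signer list and the seven-day window are assumptions to adjust for your environment; run it elevated on Windows PowerShell 5.1 or later.

```powershell
# Added example: audit loaded drivers and recent driver-load events. Not the article's or ESET's code.
$TrustedSigners = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')  # assumption
$Since = (Get-Date).AddDays(-7)                                                                 # assumption

function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''              # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # bare relative path
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $sig    = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = [bool]($TrustedSigners | Where-Object { $signer -like "*CN=$_*" })
        [pscustomobject]@{
            Driver = $_.Name
            Path   = $path
            Status = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer = $signer
            Review = (-not $sig) -or ($sig.Status -ne 'Valid') -or (-not $trusted)  # flag for analyst review
        }
    }
}

# 1. Drivers that are unsigned, badly signed, or signed by an unexpected publisher.
Get-DriverSignatureReport | Where-Object Review | Sort-Object Driver | Format-Table -AutoSize

# 2. New kernel-mode driver services registered recently (Service Control Manager event 7045).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } | Format-List

# 3. Sysmon "Driver loaded" events (ID 6), parsed from the event XML so field order does not matter.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = ($data | Where-Object Name -eq 'ImageLoaded').'#text'
            Signature = ($data | Where-Object Name -eq 'Signature').'#text'
            SigStatus = ($data | Where-Object Name -eq 'SignatureStatus').'#text'
        }
    } | Format-Table -AutoSize
```

Entries flagged for review are a starting point for analyst triage, not a verdict: legitimate third-party drivers will also appear until their signers are added to the baseline.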
Organisations are advised to enforce strict driver signing policies, limit privileged account access, and keep endpoint detection and response tools updated with the latest threat intelligence. Network segmentation and application control further reduce the risk of lateral movement once a foothold is established.