The Hacker News ·EN News source Research Earth Lusca FishMongerSprySOCKSTrochilusRawWNPF
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
CVE Tools coverage
Researchers report two new Windows builds of the SprySOCKS backdoor—tracked internally as WIN_DRV and WIN_PLUS—previously believed to target Linux. The Windows versions use hard-coded command-and-control with TCP, UDP, and WebSocket communications and expand capabilities for reconnaissance, service/process management, and file operations, with WIN_DRV leveraging kernel drivers and WIN_PLUS using the Windows Print Spooler to load the payload more covertly. Evidence suggests UEFI-boot persistence may be involved, potentially exploiting CVE-2023-24932, a Windows Boot Manager security bypass that Microsoft fixed in May 2023.