China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
Summary
Researchers have identified two new Windows variants of the SprySOCKS backdoor, previously thought to be exclusive to Linux. These variants, internally named WIN_DRV and WIN_PLUS, are equipped with hard-coded command-and-control configurations and can communicate via TCP and UDP.
IFF Assessment
FOE
The discovery of new, stealthier backdoor variants for a widely used operating system poses an increased threat to defenders.
Defender Context
Defenders should be aware of the SprySOCKS backdoor's expansion to Windows, particularly its driver-based stealth capabilities, which can make detection more challenging. Monitoring for unusual network communications (over both TCP and UDP, since the variants support each) and for system behavior consistent with these network protocols will be crucial for identifying potential compromises.