Researchers at ESET have discovered two previously unknown Windows variants of SprySOCKS, a backdoor previously thought to be Linux-only and linked to Chinese threat actors. The new variants, internally labelled WIN_DRV and WIN_PLUS, use kernel-level drivers to evade detection and communicate with attacker infrastructure over TCP and UDP. This significantly expands the threat’s attack surface to Windows environments, including cloud-hosted Windows workloads.

Security Architect’s Take: Review endpoint detection coverage on Windows-based cloud workloads (e.g. Azure VMs, AWS EC2 Windows instances) to ensure kernel-level driver activity and unsigned or anomalous driver loads are monitored; consider enforcing Windows Defender Application Control (WDAC) or equivalent allowlisting policies to block unauthorised kernel drivers.

Original advisory: China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth