Cybersecurity researchers have uncovered two previously undocumented Windows versions of the SprySOCKS backdoor, a malware family that was previously known to target Linux systems exclusively.
The newly identified variants, named WIN_DRV and WIN_PLUS, significantly expand the malware’s capabilities and demonstrate a growing focus on cross-platform cyber espionage operations.
New Windows Variants Expand SprySOCKS Capabilities
Analysis of the malware revealed that both Windows variants come with hardcoded command-and-control (C2) configurations and support communications over multiple protocols, including:
- TCP
- UDP
- WebSocket
Like the Linux version, the Windows variants support more than 30 commands that enable attackers to perform a wide range of malicious activities, including:
- Collecting system information
- Enumerating running processes
- Managing Windows services
- Performing file system operations
- Executing commands remotely
These features provide operators with extensive control over compromised systems.
WIN_DRV Uses Kernel Drivers for Advanced Stealth
Of the two variants, WIN_DRV stands out for its use of kernel-level drivers designed to conceal malicious activity.
The malware leverages a driver known as RawWNPF to hide:
- Network connections
- Running processes
- Files
- Registry keys
Another encrypted driver called DriverLoader is used to load the stealth component into the system.
Researchers also identified a traffic-diversion feature that enables attackers to send commands through random TCP ports on the victim’s machine. This technique helps conceal the actual listening port used by the backdoor, making detection more difficult.
SprySOCKS and Its Links to Chinese Cyber Espionage
SprySOCKS was first publicly documented in 2023 and has been linked to a China-aligned threat actor commonly tracked under multiple aliases, including:
- Aquatic Panda
- Bronze University
- Charcoal Typhoon
- RedHotel
The group is believed to have been active since at least 2021 and is associated with long-running cyber espionage operations targeting organizations worldwide.
Researchers classify the threat cluster as part of the broader Winnti ecosystem, a collection of Chinese cyber-espionage groups known for targeting governments, technology firms, and critical infrastructure.
Relationship to Trochilus and RedLeaves Malware
Technical analysis indicates that SprySOCKS is based on Trochilus, a Windows remote access trojan that has been used in numerous espionage campaigns.
The malware also shares substantial source code similarities with RedLeaves, another backdoor commonly associated with Chinese threat actors.
Security researchers have additionally noted operational overlaps between groups using Trochilus, RedLeaves, and other malware families linked to Webworm and SixLittleMonkeys, suggesting shared development resources or common infrastructure.
How the WIN_DRV Attack Chain Works
The exact initial access method remains unknown, but investigators observed a multi-stage attack process.
The infection chain begins with a malicious batch script that creates and executes a scheduled task. This task triggers a DLL side-loading sequence that ultimately installs:
- The SprySOCKS backdoor
- The RawWNPF kernel driver
- The DriverLoader component
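The chain above starts from a scheduled task that runs a batch script. A first triage step a defender can take on a Windows host is to review every scheduled task action and flag the ones that launch a script interpreter, pass a .bat/.cmd file as an argument, or run a binary from outside the usual trusted directories. The following PowerShell script is an added example written for this article; it is not code from the original report, and the set of trusted roots and the interpreter list are assumptions you should tune for your environment.

```powershell
# Added example (not from the original report): review scheduled-task actions for
# patterns consistent with a batch-script launcher. Run in an elevated PowerShell.
function Get-SuspiciousTaskActions {
    param(
        # Assumption: binaries under these roots are considered trusted locations.
        [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    $results = @()
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # COM-handler and e-mail actions have no Execute member; skip them.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $arguments = [string]$action.Arguments
            $reasons = @()

            # Interpreter or script launched directly (cmd.exe, script hosts, .bat/.cmd).
            if ($exe -match '(?i)(^|\\)(cmd\.exe|wscript\.exe|cscript\.exe|powershell\.exe)$' -or
                $exe -match '(?i)\.(bat|cmd)$') {
                $reasons += 'ScriptInterpreter'
            }
            # Batch script handed to the interpreter through the argument string.
            if ($arguments -match '(?i)\.(bat|cmd)\b') {
                $reasons += 'BatchArgument'
            }
            # Absolute path that does not sit under any trusted root.
            if ($exe -match '\\' -and
                -not ($TrustedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $reasons += 'UntrustedPath'
            }

            if ($reasons) {
                $results += [pscustomobject]@{
                    Task      = $task.TaskName
                    Path      = $task.TaskPath
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $arguments
                    Reasons   = ($reasons -join ',')
                }
            }
        }
    }
    $results
}

Get-SuspiciousTaskActions | Sort-Object Reasons | Format-Table -AutoSize -Wrap
```

Hits are leads, not verdicts: many legitimate products register tasks that run cmd.exe or scripts, so compare the task author, creation time and the script's contents against change records before treating a result as an infection.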
Previous campaigns linked to the same threat actor have exploited known vulnerabilities in publicly exposed systems, including:
- Fortinet products
- GitLab servers
- Microsoft Exchange Server
- Progress Telerik UI
- Zimbra Collaboration Suite
These vulnerabilities have historically been used to gain an initial foothold inside targeted networks.
WIN_PLUS Uses Print Spooler Injection Techniques
The second variant, WIN_PLUS, employs a different execution strategy focused on process injection.
Instead of relying on kernel drivers, WIN_PLUS abuses the Windows Print Spooler service (spoolsv.exe) as an entry point.
The malware executes a first-stage loader operating as a print processor, which then injects a SprySOCKS loader into a newly created svchost.exe process.
This technique enables the backdoor to operate under the guise of legitimate Windows processes, helping it blend into normal system activity.
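Because WIN_PLUS runs its first-stage loader as a print processor, the registration that makes that possible has to exist in the registry under the Print Environments key, and the DLL has to sit in the spooler's print-processor directory. A defender can enumerate those registrations and compare them with the single print processor a default Windows install ships (winprint.dll). The script below is an added example written for this article, not code from the original report; the registry layout and spool directory are Windows' own, while the allow-list of known-good DLL names is an assumption.

```powershell
# Added example (not from the original report): list registered print processors and
# flag any that are not the built-in winprint.dll or that fail signature validation.
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
# Assumption: on an unmodified host only winprint.dll should be registered.
$knownProcessors = @('winprint.dll')

function Get-PrintProcessorFindings {
    $findings = @()
    foreach ($printEnv in Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue) {
        # The 'Directory' value names the per-architecture subfolder (e.g. x64).
        $subDir = (Get-ItemProperty -Path $printEnv.PSPath -ErrorAction SilentlyContinue).Directory
        $ppKey = "$($printEnv.PSPath)\Print Processors"
        if (-not (Test-Path $ppKey)) { continue }

        foreach ($pp in Get-ChildItem -Path $ppKey) {
            $dll = [string](Get-ItemProperty -Path $pp.PSPath -ErrorAction SilentlyContinue).Driver
            if (-not $dll) { continue }
            $path = Join-Path "$env:SystemRoot\System32\spool\prtprocs\$subDir" $dll
            $sig = if (Test-Path $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            } else {
                'FileMissing'
            }
            $findings += [pscustomobject]@{
                Environment = $printEnv.PSChildName
                Processor   = $pp.PSChildName
                Driver      = $dll
                Path        = $path
                Signature   = $sig
                Suspicious  = ($knownProcessors -notcontains $dll.ToLower()) -or ($sig -ne 'Valid')
            }
        }
    }
    $findings
}

Get-PrintProcessorFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Third-party printer drivers occasionally register their own print processors, so an extra entry is not proof of compromise on its own; an unsigned DLL, a name that mimics a system file, or a registration that appeared at the same time as an unexplained svchost.exe child of spoolsv.exe is what should escalate the finding.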
Powerful Remote Access Features
Both WIN_DRV and WIN_PLUS function as DLL-based backdoors capable of receiving and executing commands from remote operators.
Supported capabilities include:
- Gathering detailed system information
- Launching interactive command shells
- Enumerating running processes
- Retrieving C2 communication details
- Listing Windows services
- Creating SOCKS proxy tunnels
- Uploading and downloading files
- Executing existing programs
The extensive feature set allows attackers to maintain persistent access and conduct long-term surveillance activities.
Government Organizations Among the Targets
Evidence suggests that the Windows variants were deployed in cyber espionage operations between 2023 and 2024.
Organizations targeted during these campaigns were located in:
- Honduras
- Taiwan
- Thailand
- Pakistan
Researchers identified the first known WIN_PLUS infection on a system located in Pakistan during July 2024.
Possible Connection to UEFI Bootkit Activity
Investigators also discovered limited evidence suggesting the attackers may have leveraged a UEFI bootkit during some intrusions.
The activity appears to be linked to exploitation of CVE-2023-24932, a Windows Boot Manager security feature bypass vulnerability patched by Microsoft in May 2023.
The flaw gained widespread attention due to its association with the infamous BlackLotus UEFI bootkit, one of the most sophisticated firmware-level threats observed in recent years.
While the evidence remains limited, the potential use of a UEFI bootkit would indicate a significantly advanced level of persistence and stealth.
Cross-Platform Threat Continues to Evolve
The emergence of WIN_DRV and WIN_PLUS marks a significant evolution for SprySOCKS, transforming it from a Linux-focused threat into a cross-platform malware family capable of targeting Windows environments.
Despite platform-specific modifications, the Windows variants retain much of the malware’s original architecture, including its communication protocols, encryption mechanisms, and command-handling framework.
The addition of kernel-level stealth capabilities and advanced process injection techniques demonstrates an ongoing effort to improve evasion, persistence, and operational effectiveness in cyber espionage campaigns.
