New Windows SprySOCKS Backdoor Uses Kernel Drivers to Evade Detection

New variants introduce advanced persistence techniques and expand espionage activity beyond Linux systems.


Key Takeaways:

  • SprySOCKS now targets Windows with new backdoor variants.
  • Kernel‑level drivers enhance stealth and persistence capabilities.
  • Linked to FishMonger espionage activity across multiple regions.

A sophisticated cyber‑espionage group has quietly expanded its toolkit with new Windows versions of its SprySOCKS backdoor. This malware leverages kernel-level drivers to operate in stealth, allowing attackers to maintain persistent access, conduct covert surveillance, and evade many traditional security defenses.

ESET researchers identified two previously unknown Windows versions of the SprySOCKS backdoor, which had earlier only been seen on Linux systems. These variants are linked to the FishMonger cyber‑espionage group, which is believed to operate out of China. This state-aligned threat group is associated with other known aliases (e.g., Earth Lusca, Aquatic Panda).

Typically, FishMonger targets government and institutional organizations and uses a wide range of advanced tools for espionage. The activity involving the Windows variants occurred mainly between 2023 and 2024. This group targeted victims in Asia and Latin America, including Pakistan, Taiwan, Thailand, and Honduras.

Kernel-level driver helps malware evade detection

The new Windows variants of SprySOCKS (called WIN_DRV and WIN_PLUS) retain the core capabilities of the previous Linux backdoor, including extensive command‑and‑control communication, system reconnaissance, and file and process management. However, they are designed for Windows environments and use multiple communication protocols such as TCP, UDP, and WebSocket, which allow operators to maintain resilient connections with compromised systems.

The WIN_DRV variant uses a kernel‑level driver to significantly enhance stealth and persistence. This component allows the malware to conceal its files, processes, and network activity and redirects traffic to let attackers interact with the backdoor without revealing its listening port. On the other hand, the WIN_PLUS version lacks these deep system‑level features, but still provides a backdoor with a wide command set.

The malware uses several stealth techniques to avoid detection and maintain persistence on infected systems. It uses DLL side‑loading to make its malicious components look like part of legitimate software, and it encrypts the payloads it stores and executes. It injects code into trusted system processes to blend in with normal activity and relies on kernel‑level mechanisms to hide its operations from security tools.

How can organizations detect and defend against SprySOCKS?

Organizations should strengthen their defensive posture by combining basic security hygiene with advanced monitoring. This starts with keeping systems and public‑facing applications fully patched. Security teams should also watch closely for unusual system behavior, such as unexpected driver installations, suspicious scheduled tasks, or abnormal network traffic patterns.

Deeper visibility into endpoint activity is strongly recommended, particularly at the kernel level, where threats like the WIN_DRV variant try to hide. Security teams should deploy detection tooling capable of identifying process injection, DLL side‑loading, and concealed network connections, since these are the techniques that make such intrusions hard to spot. Regular threat hunting and up‑to‑date threat intelligence help organizations recognize emerging tactics and respond more quickly.
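As an added illustration of the monitoring the two paragraphs above call for, the following Python script is not part of the original article or of ESET's research. It triages a handful of Sysmon‑style endpoint events and flags three of the behaviors described on this page: a driver load whose signature is missing or invalid or whose file sits outside the Windows system directories, an unsigned DLL loaded by an executable from its own directory (the usual shape of DLL side‑loading), and cross‑process access requesting the rights a code injector needs. The event records, file paths and driver name are constructed for the example, not indicators from the campaign, and the field names follow the Sysmon event schema for event IDs 6, 7 and 10; the access‑right constants come from winnt.h.

```python
from dataclasses import dataclass
import ntpath

# Directories from which driver and system DLL loads are expected.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Process access rights (winnt.h). Writing another process's memory and
# starting a thread in it is the minimum an injector needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


@dataclass
class Event:
    event_id: int   # Sysmon event ID: 6 = driver load, 7 = image load, 10 = process access
    fields: dict    # the event's data fields, keyed by Sysmon field name


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def check_driver_load(f: dict) -> list:
    """Event 6: kernel drivers should be validly signed and live under System32."""
    reasons = []
    if f.get("Signed", "false").lower() != "true" or f.get("SignatureStatus") != "Valid":
        reasons.append("driver signature missing or invalid")
    if not in_system_dir(f["ImageLoaded"]):
        reasons.append("driver loaded from outside the Windows system directories")
    return reasons


def check_image_load(f: dict) -> list:
    """Event 7: side-loading heuristic - an unsigned DLL pulled from the host
    executable's own directory, outside the system directories."""
    host, dll = f["Image"], f["ImageLoaded"]
    unsigned = f.get("Signed", "false").lower() != "true"
    if unsigned and same_dir(host, dll) and not in_system_dir(dll):
        return ["unsigned DLL loaded from the host executable's own directory (possible side-loading)"]
    return []


def check_process_access(f: dict) -> list:
    """Event 10: flag handles that combine memory-write and thread-creation rights.
    Debuggers and some security tools do this legitimately, so tune with an allowlist."""
    granted = int(f["GrantedAccess"], 16)
    if granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION) and granted & PROCESS_CREATE_THREAD:
        return ["process handle with write and thread-creation rights (possible injection)"]
    return []


CHECKS = {6: check_driver_load, 7: check_image_load, 10: check_process_access}


def triage(events):
    """Return (event_id, subject image, reasons) for every event that trips a check."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.event_id)
        if check is None:
            continue
        reasons = check(ev.fields)
        if reasons:
            subject = ev.fields.get("ImageLoaded") or ev.fields.get("SourceImage")
            findings.append((ev.event_id, subject, reasons))
    return findings


# Constructed sample telemetry (placeholder paths and names, not real indicators).
SAMPLE_EVENTS = [
    Event(6, {"ImageLoaded": r"C:\ProgramData\Update\netfltr.sys",
              "Signed": "false", "SignatureStatus": "Unavailable"}),
    Event(6, {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
              "Signed": "true", "SignatureStatus": "Valid"}),
    Event(7, {"Image": r"C:\Users\Public\Tool\legit.exe",
              "ImageLoaded": r"C:\Users\Public\Tool\helper.dll", "Signed": "false"}),
    Event(7, {"Image": r"C:\Windows\System32\svchost.exe",
              "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"}),
    Event(10, {"SourceImage": r"C:\Users\Public\Tool\legit.exe",
               "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"}),
    Event(10, {"SourceImage": r"C:\Windows\System32\svchost.exe",
               "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"}),
]

if __name__ == "__main__":
    for event_id, subject, reasons in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {subject}")
        for r in reasons:
            print(f"    - {r}")
```

Running the script reports the unsigned out‑of‑tree driver, the DLL loaded from the tool's own folder, and the full‑access handle on explorer.exe, while the three benign events pass. In production the same checks would run over exported Sysmon or EDR events rather than the embedded list, and each check needs an allowlist for the legitimate software (backup agents, debuggers, anti‑malware) that triggers it.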