Published on June 17, 2026
SprySOCKS Windows Backdoor Uses Kernel Driver to Hide Processes, Files, and Network Traffic
Severity
Medium
Security researchers from ESET have identified two previously undocumented Windows variants of the SprySOCKS backdoor, a malware family historically associated with the FishMonger threat group (also known as Earth Lusca or TAG-22). Previously limited to Linux environments, SprySOCKS has now expanded into Windows systems while preserving its original command-and-control (C2) architecture and functionality.
The newly discovered variants, internally named WIN_PLUS and WIN_DRV, retain the same communication protocol and command structure observed in earlier Linux versions. Telemetry data indicates active campaigns between 2023 and 2024, primarily targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan. Both variants support multiple communication channels, including TCP, UDP, and WebSocket. They contain hardcoded C2 configurations and implement over 30 commands that enable system reconnaissance, process and service management, file operations, SOCKS proxy deployment, and remote shell access.
Analysis further revealed code similarities with previously documented Linux samples, including identical cryptographic mechanisms, message framing, and AES-ECB-encrypted payloads. The malware also leverages open-source libraries such as HP-Socket for networking and Crypto++ for encryption operations.
How?
WIN_PLUS Variant
WIN_PLUS acts as a lightweight Windows implementation of SprySOCKS. It employs a print-processor-based loader that decrypts an encrypted container stored in the print spool directories; the container is encrypted with AES-128-ECB using hardcoded keys. Once decrypted, the payload is injected into legitimate svchost.exe processes using a process-doppelgänging-like technique. Persistence is achieved by registering a custom print processor, which allows the malware to survive system reboots. ESET observed active infrastructure linked to this variant in a Vultr-hosted IP range (207.148.64.0/20), communicating over TCP port 443, UDP port 53, and WebSocket on port 80.
WIN_DRV Variant
WIN_DRV represents the more sophisticated version of SprySOCKS. It uses DLL side-loading combined with scheduled tasks to obtain SYSTEM-level privileges. The loader deploys encrypted containers and installs two kernel-mode components:
- DriverLoader – A signed driver responsible for loading additional drivers directly into memory.
- RawWNPF – A stealth-focused rootkit implementing filesystem, registry, and network hiding capabilities.
RawWNPF enhances stealth by:
- Hooking NtQuerySystemInformation to conceal processes.
- Hiding malicious files using filesystem minifilter callbacks.
- Concealing registry persistence keys.
- Deploying Windows Filtering Platform (WFP) callouts to monitor and manipulate network traffic.
One of its most advanced capabilities is redirecting specially crafted TCP traffic arriving on any open port to the malware’s hidden listening port. Because that listening port is invisible to tools such as netstat, the operators can reach the backdoor remotely without exposing a listener.
Researchers also observed the use of leaked PastDSE certificates to bypass Windows driver signature enforcement. Limited evidence additionally suggests possible use of a UEFI bootkit leveraging CVE-2023-24932, although this remains unconfirmed.
Recommendation
Organizations should strengthen monitoring capabilities to detect signs of SprySOCKS activity, particularly techniques involving DLL side-loading through executables that mimic legitimate Microsoft services. Security teams should also investigate unusual files stored in directories such as %SystemRoot%\Fonts and print spool folders, as these locations have been used to store encrypted malware components and loaders.
Administrators should regularly audit scheduled tasks, especially those running with SYSTEM-level privileges, to identify unauthorized persistence mechanisms. Monitoring for abnormal Windows Filtering Platform (WFP) callouts, hidden network connections, and inconsistencies between endpoint telemetry and standard system utilities can help uncover rootkit activity designed to evade detection.
Because SprySOCKS employs kernel-level stealth mechanisms, organizations should review newly installed or unsigned kernel drivers, particularly those loaded directly into memory. Network monitoring should also be enhanced to detect outbound connections to the 207[.]148[.]64[.]0/20 IP range, along with suspicious TCP, UDP, or WebSocket communications that may indicate command-and-control activity.
To reduce exposure, systems should be patched against known vulnerabilities, including CVE-2023-24932, which may be leveraged as part of advanced attack chains. Additionally, deploying endpoint detection and response (EDR) solutions capable of identifying kernel-level threats and rootkit behavior can significantly improve an organization’s ability to detect and respond to sophisticated malware such as SprySOCKS.
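Host-level triage that implements the checks recommended above, plus the print-processor persistence described for WIN_PLUS, as an added PowerShell example that is not ESET's or the advisory author's code. The directory and extension filters, the "Microsoft" signer test, and the "outside the Windows directory" task heuristic are assumptions to tune for the environment; the registry key is the standard location for 64-bit print processors.

```powershell
# Added host triage script; not ESET's or the advisory author's code. Read-only checks mapped to the
# recommendations above. Paths, extensions and the "Microsoft" signer test are assumptions to tune.
$SuspectRange = '207.148.64.0/20'   # C2 range quoted in the advisory
function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $toInt = { param($a) $b = [IPAddress]::Parse($a).GetAddressBytes(); [BitConverter]::ToUInt32([byte[]]$b[3..0], 0) }
    $mask = [uint32]::MaxValue - [uint32]([math]::Pow(2, 32 - [int]$bits) - 1)
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# 1. Tasks running as SYSTEM whose executable lives outside the Windows directory (WIN_DRV's loader
#    pairs DLL side-loading with a scheduled task to reach SYSTEM).
Write-Host '== SYSTEM scheduled tasks with actions outside the Windows directory =='
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
            '{0}{1}: {2} {3}' -f $_.TaskPath, $_.TaskName, $a.Execute, $a.Arguments
        }
    }
}
# 2. Registered print processors: WIN_PLUS persists by registering its own. Only winprint is built in.
Write-Host '== Print processors other than winprint =='
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
Get-ChildItem $ppKey | Where-Object { $_.PSChildName -ne 'winprint' } |
    ForEach-Object { '{0}: {1}' -f $_.PSChildName, (Get-ItemProperty $_.PSPath).Driver }
# 3. Non-font files under %SystemRoot%\Fonts and loader-like files under the spool tree, both named
#    in the advisory as drop locations for encrypted containers and loaders.
Write-Host '== Unexpected files in Fonts and spool directories =='
Get-ChildItem "$env:SystemRoot\Fonts" -File | Where-Object { $_.Extension -notin '.ttf','.ttc','.otf','.fon','.ini' } |
    Select-Object FullName, Length, LastWriteTime
Get-ChildItem "$env:SystemRoot\System32\spool" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.dat','.dll','.sys','.zip','.bat' } | Select-Object FullName, Length, LastWriteTime
# 4. Established TCP connections into the published C2 range. A hooked host view may hide these, so an
#    empty result is not proof of absence; compare with network-side (NetFlow/firewall) logs.
Write-Host '== TCP connections into the advisory C2 range =='
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -match '^\d+\.\d+\.\d+\.\d+$' -and (Test-IPv4InCidr $_.RemoteAddress $SuspectRange) } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
# 5. Running drivers whose image is not Microsoft-signed (DriverLoader carries a leaked signature;
#    RawWNPF is mapped straight into memory and may not be listed at all).
Write-Host '== Running drivers not signed by Microsoft =='
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -and (Test-Path $p)) {
        $sig = Get-AuthenticodeSignature $p
        if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { '{0}: {1} [{2}]' -f $_.Name, $p, $sig.Status }
    }
}
```

Run from an elevated prompt so all tasks and driver images are readable; every hit is a lead to verify against the IOC table and network logs, not a verdict.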
IOCs
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 955BFC3DCC867256F9F46A606DEB0779FA3416D8 | KX1B5206BDC1743DD.dat | Win64/SprySOCKS.A | Encrypted DriverLoader driver |
| 44DC4A08C5EB0972C8E18B0E01284E06F09006BB | bthcam.sys | Win64/Agent.ESB | DriverLoader driver |
| AB87B29B6F79487C75CA08D102E79001E536F083 | KW1B5206BDC1743FP.dat | Win64/SprySOCKS.A | Encrypted RawWNPF driver |
| 6490B8E4AADE25A3EE2DA9A47F312DB2122470BC | X1B5206BDC1743DD.dat | Win64/SprySOCKS.A | Encrypted WIN_DRV container |
| E7484C24B88A1A2407A8F09D734F9A993670285B | klelam00007.zip | Multiple | Archive containing WIN_DRV components |
| 621D1952839BE4B0A1B0E66E87BCE5062CA368ED | tpsvcloc.dll | Win64/Agent.CXZ | SprySOCKS loader |
| 2457EED2AB28E37741F10914EF929DAD2C8079D4 | VSPMsg.dll | Win64/Agent.CXZ | First-stage loader |
| D2C706B1EAF662BF0CE124B5032F73ED84BDA24A | N/A | Win64/SprySOCKS.A | WIN_PLUS backdoor |
| 5F3B87CEF56683D9A9E19186E0FD0D8019B559C4 | N/A | Win64/Agent.CXZ | SprySOCKS loader |
| C793CA31E3F6628B5C8986146953BF66232E9A30 | config.dat | Win64/SprySOCKS.A | Encrypted WIN_PLUS container |
| 037DB2445F3D72388CB2CF8510563148E5A184BE | N/A | BAT/Runner.KS | Persistence batch script |
Network Indicators
- IP Range: 207[.]148[.]64[.]0/20
- TCP Port: 443
- UDP Port: 53
- WebSocket Port: 80
Source
https://gbhackers.com/sprysocks-windows-backdoor-uses-kernel/
