What Happened
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP,
Why It Matters
The article reports that ESET has discovered two new Windows variants (WIN_DRV and WIN_PLUS) of the previously Linux-only SprySOCKS backdoor, used by the China-linked FishMonger threat group against government targets in multiple countries.[1][2] These variants use hard-coded C2 configurations, support more than 30 commands for system control and data exfiltration, and communicate over TCP, UDP, and WebSocket; WIN_DRV additionally abuses kernel drivers to hide processes, files, registry keys, and network connections, and to divert TCP traffic to conceal the true listening port.[1][2] From a CyberSE.AI perspective, such stealthy, cross-platform backdoors increase the risk that AI-enabled agents or data pipelines operating on compromised Windows infrastructure could be covertly monitored or manipulated, especially where agents have elevated access to sensitive systems or logs. Organizations should apply Continuous AI Red Teaming to simulate backdoor-assisted attacks against AI agents and workflows, validate that AI-related telemetry cannot be silently tampered with, and ensure detection and response controls remain effective even when kernel-level stealth techniques are used by a
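One defender-side check that follows from the WIN_DRV behaviour described above: a driver that hides connections or diverts traffic to conceal the real listening port makes the host's own socket listing disagree with what the network stack actually accepts, and that disagreement is detectable. The example below is added here and is not code from the article, ESET, or the malware; it parses constructed Windows `netstat -ano` output (a sample, not a real capture) into a reported view, probes candidate ports for a second, independent view, and reports ports that accept a connection but are missing from the listing.

```python
import re
import socket
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING       3024
  TCP    10.0.0.5:49812         52.96.0.1:443          ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1804
"""

# One LISTENING row: protocol, local address:port, foreign address, state, PID.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def listening_ports_from_netstat(text: str) -> Dict[int, int]:
    """Map each TCP port the host reports as LISTENING to its owning PID."""
    return {int(port): int(pid) for port, pid in _LISTEN_RE.findall(text)}


def probe_tcp(port: int, host: str = "127.0.0.1", timeout: float = 0.2) -> bool:
    """Independent view: does a plain TCP connect to host:port succeed?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def find_unlisted_listeners(reported: Iterable[int], candidates: Iterable[int],
                            probe: Callable[[int], bool] = probe_tcp) -> Set[int]:
    """Ports that accept a connection but are absent from the host's own listing.
    A non-empty result means the user-mode view and the network stack disagree,
    the discrepancy a port-hiding or traffic-diverting driver produces."""
    known = set(reported)
    return {p for p in candidates if p not in known and probe(p)}


def demo_with_local_listener() -> Tuple[int, Set[int]]:
    """Start a local listener, leave it out of the reported view, and look for it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        reported = listening_ports_from_netstat(SAMPLE_NETSTAT)
        return port, find_unlisted_listeners(reported, [port])


if __name__ == "__main__":
    print(demo_with_local_listener())
```

On a live host, replace SAMPLE_NETSTAT with the actual `netstat -ano` output and probe the port range of interest; a hit on a port the listing omits is worth a kernel-level investigation rather than a user-mode one.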
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html