ESET researchers have identified two previously unknown Windows variants of the SprySOCKS backdoor, a malware tool that security teams had only observed targeting Linux systems until now. The discovery marks a significant expansion of the threat's capabilities and potential victim pool, as Windows systems represent the majority of enterprise endpoints worldwide.
The two variants, which ESET has designated WIN_DRV and WIN_PLUS based on internal markers found in the malware code, both contain hard-coded command-and-control server configurations. This design choice suggests the operators are targeting specific organizations rather than conducting broad opportunistic attacks. The backdoors support communication over both TCP and UDP protocols, giving attackers flexibility in how they maintain connections to compromised systems.
SprySOCKS has been linked to China-based threat actors in previous research, though ESET's report does not specify which particular group is behind these Windows variants. The backdoor's primary function is to establish persistent remote access to infected machines, allowing attackers to execute commands, exfiltrate data, and deploy additional malicious tools. The expansion from Linux to Windows platforms indicates the threat actors are investing resources to broaden their operational reach.
The discovery affects organizations across all sectors that rely on Windows infrastructure, particularly those in industries previously targeted by China-linked espionage groups such as government, defense, technology, and telecommunications. The hard-coded nature of the command-and-control infrastructure may limit the backdoor's spread but increases its effectiveness against pre-selected targets. Security teams should be especially vigilant if their organizations operate in sectors of strategic interest to state-sponsored actors.
Organizations should immediately review network logs for suspicious TCP and UDP traffic patterns, particularly connections to unfamiliar external IP addresses. Security teams should update their endpoint detection and response tools with indicators of compromise related to SprySOCKS and conduct thorough scans of Windows systems for signs of the WIN_DRV and WIN_PLUS variants. Network segmentation and strict egress filtering can help limit the backdoor's ability to communicate with external controllers even if initial compromise occurs.
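One way to act on the log-review advice above, as an added example that is not part of the article or ESET's report: the two traits the report does give (a hard-coded C2 address, and support for both TCP and UDP) mean an infected host keeps returning to the same unfamiliar external address, sometimes over both protocols. The script below groups constructed flow records by source/destination pair, drops internal and allowlisted destinations, and ranks the rest; the flow tuple layout, the allowlist and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (src, dst, proto, dst_port); documentation
# addresses (RFC 5737) stand in for real external hosts.
SAMPLE_FLOWS = [
    ("10.0.5.21", "203.0.113.7", "tcp", 443),
    ("10.0.5.21", "203.0.113.7", "udp", 443),
    ("10.0.5.21", "203.0.113.7", "tcp", 443),
    ("10.0.5.21", "203.0.113.7", "udp", 443),
    ("10.0.5.21", "10.0.0.10", "tcp", 445),      # internal, ignored
    ("10.0.7.4", "198.51.100.20", "tcp", 443),
    ("10.0.7.4", "198.51.100.20", "tcp", 443),
    ("10.0.9.8", "192.0.2.30", "tcp", 443),      # allowlisted, ignored
]

# Assumed: destinations the organisation already knows and trusts.
KNOWN_EXTERNAL = {"192.0.2.30"}

# Internal ranges are listed explicitly rather than via is_private(),
# which would also treat the RFC 5737 sample addresses as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious_pairs(flows, allowlist, min_flows=2):
    """Return (src, dst) pairs that repeatedly reach an unfamiliar external
    host; pairs seen over both TCP and UDP are ranked highest."""
    stats = defaultdict(lambda: {"protos": set(), "count": 0})
    for src, dst, proto, _port in flows:
        if not is_external(dst) or dst in allowlist:
            continue
        stats[(src, dst)]["protos"].add(proto.lower())
        stats[(src, dst)]["count"] += 1
    findings = []
    for (src, dst), entry in stats.items():
        if entry["count"] < min_flows:
            continue
        both = {"tcp", "udp"} <= entry["protos"]
        findings.append({"src": src, "dst": dst, "count": entry["count"],
                         "protos": sorted(entry["protos"]),
                         "priority": "high" if both else "medium"})
    # High-priority pairs first, then by how often the pair recurs
    findings.sort(key=lambda f: (f["priority"] != "high", -f["count"]))
    return findings
```

Any hit still needs confirmation against vendor-published indicators and the host itself; a stable destination over both protocols is a lead, not proof of SprySOCKS.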
Source: https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html