
ESET discovered two Windows variants of the previously Linux-only SprySOCKS backdoor, named WIN_DRV and WIN_PLUS. WIN_DRV uses kernel drivers to hide network connections, processes, files, and registry keys. The backdoor supports over 30 commands and is linked to the China-nexus threat actor Earth Lusca.
Summary by ByteBrief