SprySOCKS on Windows: ESET Detects WIN_DRV and WIN_PLUS with Driver Stealth

Colleagues: note that Windows variants of the SprySOCKS backdoor have been discovered. ESET tracked WIN_DRV and WIN_PLUS: C2 channels over TCP/UDP/WebSocket and more than 30 commands for data exfiltration, process and file control. WIN_DRV employs kernel drivers (RawWNPF, DriverLoader) to conceal connections, processes and registry entries and to reroute TCP via randomized ports. WIN_PLUS persists via the Print Spooler (as a print processor) and injects into svchost. Both variants were observed in 2023–2024 attacks against government entities. Why it matters: a Windows port combined with driver-level stealth complicates detection; ensure patching, monitor loaded drivers and enforce integrity controls. How will you bolster defenses against such chains? #cybersecurity #APT #ESET #stealth
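As an added defender-side illustration (not ESET's tooling and not taken from the report), the script below baselines the two footholds named above: print processors registered with the Spooler and running kernel drivers whose signature is missing or not Microsoft's. The default print processor name, the x64 registry and spool paths, and the "review" thresholds are assumptions chosen for a stock Windows 10/11 x64 host.

```powershell
# Added example for triage, not ESET's code. Run elevated on Windows x64.
# Caveat: a kernel driver that hooks registry or object enumeration can hide from
# user-mode queries like these, so treat a clean result as "nothing visible",
# and corroborate with an offline image or kernel-level EDR telemetry.

$ppKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
$ppDir  = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'
$known  = @('winprint')   # assumption: only the built-in processor is expected

Write-Host '== Print processors registered with the Spooler =='
Get-ChildItem -Path $ppKey | ForEach-Object {
    $name = $_.PSChildName
    $dll  = (Get-ItemProperty -Path $_.PSPath).Driver
    $path = Join-Path $ppDir $dll
    $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'MISSING' }
    # Anything outside the baseline, unsigned, or pointing at a missing DLL is worth a look
    $flag = if (($known -notcontains $name) -or ($sig -ne 'Valid')) { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-20} {2,-30} {3}' -f $flag, $name, $dll, $sig
}

Write-Host "`n== Running kernel drivers not carrying a valid Microsoft signature =="
Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
    # Normalise the NT-style prefixes WMI returns (\??\ and \SystemRoot\)
    $p = $_.PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and (Test-Path $p)) {
        $s = Get-AuthenticodeSignature $p
        $subject = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '' }
        if (($s.Status -ne 'Valid') -or ($subject -notmatch 'Microsoft')) {
            '{0,-20} {1,-12} {2}' -f $_.Name, $s.Status, $p
        }
    } else {
        '{0,-20} {1,-12} {2}' -f $_.Name, 'NOPATH', $_.PathName
    }
}
```

The driver list will legitimately include third-party AV, storage and virtualization drivers, so compare it against a golden image rather than treating every hit as malicious.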

