ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
Summary
ESET identified Windows variants of SprySOCKS—WIN_DRV and WIN_PLUS—expanding a backdoor family previously known as Linux-only. The version 1.8 variants support TCP, UDP, and WebSocket C2, use kernel drivers and a Windows Print Spooler execution path for stealth, and were linked to attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras. ESET also noted limited indications of a UEFI bootkit chain possibly involving CVE-2023-24932.
Related Happenings
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score: 22
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
How related:
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS.
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
H score: 39
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Linux kernel Dirty Frag and Copy Fail 2 privilege escalation (multiple vulnerabilities)
Vulnerability
H score: 39
First: 11.05.2026 11:15
Last: 11.05.2026 11:15
Sources 1
About this happening:
A newly disclosed **Linux kernel** local privilege-escalation flaw, **Dirty Frag and Copy Fail 2**, can let an unprivileged user reach **root** on affected systems. The bug chains...
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
H score: 39
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
Microsoft security patch release for CVE-2026-20805
Security Patch Release
H score: 57
First: 14.01.2026 02:47
Last: 14.01.2026 02:47
Sources 1
About this happening:
**Microsoft** released January 2026 security updates for **Windows** and supported software, fixing **at least 113 vulnerabilities** and **8 critical flaws**. The release includes...
Timeline
- 16.06.2026 12:00 · 3 articles · 1h ago
ESET exposes Windows SprySOCKS variants with kernel-level stealth and IOC guidance
Technical Analysis Update
ESET identified Windows variants of SprySOCKS used in attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024, and attributed the activity with high confidence to Earth Lusca/FishMonger. The research describes WIN_DRV and WIN_PLUS, their TCP, UDP, and WebSocket C2, kernel-level stealth, driver loading, and persistence through scheduled tasks, IFEO, and Windows Print Processor registration, while also publishing indicators of compromise for defenders.
Sources:
- Windows version of SprySOCKS Linux malware used to attack govt orgs — www.bleepingcomputer.com — 16.06.2026 12:00
- China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth — thehackernews.com — 16.06.2026 12:44