Windows Gains a New Silent Passenger: SprySOCKS Steps Into the Kernel

Published: 17 June 2026 12:42
Category: Malware & Botnets
Geo: North America / USA
Author: SIGNALMONK

A backdoor long tied to Linux now has Windows builds, and one of them reportedly uses a kernel driver to hide itself from ordinary visibility tools.

When malware crosses an operating system boundary, defenders should pay attention. SprySOCKS, a backdoor previously associated with Linux activity, now appears in Windows form as two builds named WIN_DRV and WIN_PLUS. The most consequential detail is WIN_DRV's use of a kernel-mode driver, a low-level component that can make hostile activity much harder to spot from user mode.

Fast Facts

  • SprySOCKS now has Windows variants labeled WIN_DRV and WIN_PLUS.
  • Both builds preserve the original SprySOCKS protocol and command set.
  • WIN_DRV reportedly uses a kernel-mode driver to hide processes, files, and network traffic.
  • The family has been linked in research to FishMonger, also tracked as Earth Lusca or TAG-22.
  • The shift from Linux-only to Windows broadens the family’s operational reach.

Why the Windows port matters

The main story is not just that a new sample exists. It is that the same operator workflow can now be used across different platforms while keeping the backdoor’s core protocol and command handling intact. That makes the Windows builds more than a simple rewrite. They look like a deliberate extension of an existing toolset.

From a defender’s perspective, the kernel-driver element is the sharpest edge. Windows kernel components run with elevated privilege, which means they can interfere with what endpoint tools think they are seeing. If a driver is used to hide processes, files, or network activity, a clean-looking user interface does not necessarily mean a clean machine. That is why kernel-level visibility, boot integrity checks, and driver controls matter so much in response workflows.

The broader risk is operational confusion. Network monitors may see one thing, endpoint agents another, and file or process listings something else entirely. In that kind of mismatch, incident responders need to correlate telemetry instead of trusting a single view of the system. At the time of writing, public information has not fully established the complete scope of deployment, the effectiveness of the hiding features, or whether all affected environments share the same loader path.

Microsoft’s security guidance on Secure Boot, Trusted Boot, and ELAM fits this threat model well. MITRE ATT&CK also treats malicious driver loading as a recognized Windows persistence and execution path. Those controls do not solve everything, but they raise the cost of hiding in kernel space and improve the odds that tampering is caught early.

For teams defending Windows fleets, the lesson is practical: review driver allowlisting, watch for unexpected .sys activity, and compare boot-integrity data with endpoint telemetry. The fact that a backdoor family can move from Linux into Windows while keeping its core logic intact is a reminder that adversaries value portability. The kernel is where that portability becomes hardest to inspect.
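An added example of the driver review described above, written for this page and not taken from the article or any vendor tool. It assumes an elevated PowerShell session and a hypothetical allowlist file, known-drivers.txt, captured earlier from a clean reference build.

```powershell
# Added example: hunt for unexpected kernel drivers on a Windows host.
# Assumption (not from the article): known-drivers.txt holds one driver
# service name per line, exported from a clean reference machine.
param(
    [string]$BaselinePath = ".\known-drivers.txt"   # hypothetical allowlist
)

# WMI reports kernel-style paths (\SystemRoot\..., \??\C:\...); normalise them.
function Resolve-DriverPath([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath |
        ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }
}

# Boot-integrity context: Secure Boot off widens the window for unsigned drivers.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "unknown (legacy BIOS or insufficient rights)" }
Write-Host "Secure Boot: $secureBoot"

# Kernel drivers the OS currently reports as running.
$running = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' }

$findings = foreach ($drv in $running) {
    $path   = Resolve-DriverPath $drv.PathName
    $onDisk = [bool]($path -and (Test-Path $path))
    $sig    = if ($onDisk) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Name       = $drv.Name
        Path       = $path
        OnDisk     = $onDisk          # running but no readable file is a mismatch worth chasing
        Signature  = if ($sig) { $sig.Status } else { 'file-missing' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        InBaseline = $baseline -contains $drv.Name.ToLower()
    }
}

# Triage order: drivers outside the baseline first, then anything not validly signed.
$findings |
    Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Sort-Object InBaseline, Signature |
    Format-Table Name, Signature, OnDisk, InBaseline, Signer -AutoSize
```

Because this enumeration runs in user mode, a driver that hides itself as the article describes may be absent from the list entirely, so the output should be compared with boot-integrity measurements and EDR kernel telemetry rather than trusted on its own.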

Conclusion

SprySOCKS is a useful warning sign for modern defenders. Cross-platform malware does not need to reinvent its whole design to become more dangerous; sometimes it only needs a new loader and a deeper hiding place. In Windows, that hiding place can be the kernel itself, which is exactly why visibility below user mode is no longer optional.

TECHCROOK

USB flash drive: A dedicated drive is handy for offline rescue media, driver inventories, and clean diagnostics. Keeping one reserved for recovery work can make it easier to compare system state when ordinary tools may be misleading.

Techcrook sheet: USB flash drive

WIKICROOK

  • Backdoor: Malware that provides remote access to a compromised system while bypassing normal authentication.
  • Kernel-mode driver: A Windows component that runs with high privilege and can influence how the operating system sees processes and devices.
  • Command and control (C2): The channel attackers use to send instructions to malware and receive data back.
  • Secure Boot: A startup protection that helps ensure only trusted software loads during the boot process.
  • Rootkit: Stealth software designed to conceal malicious activity by operating at a low level in the system.