Signal

China-linked SprySOCKS backdoor expands to Windows with new stealthy variants

Published 2026-06-16 09:26 UTC
Updated 2026-06-16 22:32 UTC
malware · threat_actors · security_tooling · incident_response
Evidence trail (top sources)
Top sources (4 domains). Domains are deduped. Counts indicate coverage, not truth.
4 top sources shown
SprySOCKS backdoor expands to Windows with new variants
SC Media · News · scworld.com · 2026-06-16 22:32 UTC
SprySOCKS Backdoor Expands From Linux to Windows
Infosecurity Magazine · News · infosecurity-magazine.com · 2026-06-16 14:30 UTC
Chinese Hacking Firm Upgrades With New Windows Backdoor
BankInfoSecurity · News · bankinfosecurity.com · 2026-06-16 09:26 UTC
Overview

Security researchers have identified two previously undocumented Windows variants of the China-linked SprySOCKS backdoor, which had been believed to target only Linux systems.

Entities
SprySOCKS
Score total: 1.35
Momentum 24h: 4
Posts: 4
Origins: 4
Source types: 1
Duplicate ratio: 0%
Why now
  • The Windows variants have been active since 2023 but were only recently uncovered, indicating ongoing stealthy operations.
  • New variants demonstrate evolving tactics by threat actors to maintain persistence and evade detection.
  • Heightened awareness is critical for defenders protecting government and critical infrastructure networks.
Why it matters
  • The expansion to Windows broadens the attack surface for espionage campaigns linked to Chinese threat actors.
  • Rootkit-based stealth techniques increase the difficulty of detecting and mitigating the backdoor on infected systems.
  • Continued targeting of government organizations highlights persistent geopolitical cyber risks.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
  • SprySOCKS backdoor has expanded from Linux to Windows with two new variants, WIN_DRV and WIN_PLUS.
  • The Windows variants retain encrypted command-and-control protocols and add rootkit-based stealth capabilities.
  • SprySOCKS is linked to Chinese threat groups FishMonger and iSoon and targets government organizations in Asia and Central America.
How sources frame it
  • BankInfoSecurity: neutral
This briefing consolidates recent findings on SprySOCKS Windows variants, emphasizing their stealth and expanded targeting.
All evidence
SprySOCKS backdoor expands to Windows with new variants
SC Media · scworld.com · 2026-06-16 22:32 UTC
SprySOCKS Backdoor Expands From Linux to Windows
Infosecurity Magazine · infosecurity-magazine.com · 2026-06-16 14:30 UTC
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth
thehackernews · thehackernews.com · 2026-06-16 09:44 UTC
Chinese Hacking Firm Upgrades With New Windows Backdoor
BankInfoSecurity · bankinfosecurity.com · 2026-06-16 09:26 UTC
Top publishers (this list)
  • SC Media (1)
  • Infosecurity Magazine (1)
  • thehackernews (1)
  • BankInfoSecurity (1)
Top origin domains (this list)
  • scworld.com (1)
  • infosecurity-magazine.com (1)
  • thehackernews.com (1)
  • bankinfosecurity.com (1)