win.sprysocks

SprySOCKS

Actor(s): Earth Lusca


According to ESET, SprySOCKS is a backdoor originally developed for Linux and later ported to Windows, implemented as DLLs whose code is based on the open-source Trochilus RAT and written in a C/C++ style using third‑party networking and crypto libraries. The malware supports TCP, UDP, and WebSocket C2 channels and more than 30 commands for system information collection, process and service control, file management, keylogging, and SOCKS proxying. The WIN_DRV Windows variant additionally uses a custom kernel driver to hide processes, files, registry entries, and network connections and to stealthily divert selected TCP traffic to the backdoor. On Windows, SprySOCKS relies on techniques such as encrypted on-disk containers, process injection, abuse of system services and print processors for persistence, and in some cases may be combined with a UEFI bootkit for deeper stealth.

References
2026-06-16 ESET Research
FishMonger’s arsenal upgraded: SprySOCKS for Windows

There is no Yara-Signature yet.