Windows backdoor

Winsage
June 17, 2026
The Windows variant of SprySOCKS malware, developed by the Chinese threat group Earth Lusca, targets government entities globally and features advanced capabilities such as rootkit-level stealth and extensive command-and-control (C2) functionalities. It operates on Windows systems, utilizing two main variants: WINDRV, which includes kernel drivers for stealth operations, and WINPLUS, a streamlined backdoor. The malware can communicate over TCP, UDP, and WebSocket, offering over 30 C2 commands for various operations, including system information gathering and keystroke logging. WINDRV loads a driver named ‘RawWNPF’ into memory using another signed kernel driver, allowing it to conceal processes and achieve persistence. The malware's design incorporates open-source elements and exploits vulnerabilities in the software supply chain, notably using a leaked certificate for driver signing. To combat SprySOCKS, organizations are advised to implement advanced endpoint detection and response (EDR) solutions, maintain regular patching, and manage supply chain risks vigilantly. The malware's adaptability and reliance on legitimate certificates complicate detection efforts, necessitating continuous refinement of security practices.
BetaBeacon
May 6, 2026
- ScarCruft, also known as APT37 or Reaper, is a North Korean espionage group targeting government, military organizations, and companies in Asia. - BirdCall is a Windows backdoor attributed to ScarCruft, with spying capabilities such as taking screenshots and logging keystrokes. - The Android version of BirdCall collects contacts, SMS messages, call logs, and media files, and was actively developed over several months. - The BirdCall backdoor was discovered in a trojanized card game on a gaming platform tailored for ethnic Koreans living in Yanbian, China. - The attack was likely aimed at collecting information on individuals from the Yanbian region deemed of interest to the North Korean regime, such as refugees or defectors.
Winsage
June 19, 2024
Legitimate websites hacked to distribute BadSpace backdoor on Windows machines. Malicious code inserted into compromised websites triggers fake Google Chrome update pop-up window delivering BadSpace backdoor or its loader. BadSpace capabilities include system data collection, screenshot capturing, anti-sandbox checks, command execution, persistence through scheduled tasks, file manipulation, and scheduled task removal. Connection found between campaign's domains and SocGholish downloader malware. Other attack campaigns using compromised websites to host fake browser updates to disseminate remote access trojans and information-stealing malware also reported.
Winsage
June 17, 2024
Legitimate websites compromised to distribute Windows backdoor known as BadSpace through fake browser updates. Threat actors using multi-stage attack chain involving infected websites, command-and-control servers, fake browser updates, and JScript downloader. Malware details shared by researchers kevross33 and Gi7w0rm. BadSpace includes anti-sandbox measures and establishes persistence using scheduled tasks. Other campaigns using fake browser updates on compromised sites to distribute information stealers and remote access trojans.
Search