
SprySOCKS WIN_DRV variant loads RawWNPF kernel driver for TCP diversion and process hiding
China-linked SprySOCKS added kernel driver stealth and Print Spooler loading to its Windows variants, extending tactics already visible in Trochilus-derived families. Evidence from ESET and Trend Micro shows code continuity rather than new development. The pattern points to contractor-driven evolution, not isolated incidents.
The WIN_DRV sample drops DriverLoader and RawWNPF.sys to conceal network sockets, processes, and registry entries while enabling traffic redirection through arbitrary TCP ports. Execution begins with a scheduled task that side-loads a DLL, which then injects the backdoor. WIN_PLUS instead abuses spoolsv.exe and svchost.exe to deliver the same payload. Both retain the 30-plus command set first seen in the Linux version that Trend Micro documented in 2023.

Technical artifacts tie the samples to the Trochilus and RedLeaves codebases previously used by the Webworm and Winnti clusters. Procurement records and i-Soon contractor leaks show sustained funding for kernel-level tools since 2021, contradicting claims of isolated campaigns. FishMonger operations against Taiwan and European targets in 2022 used the same initial-access vectors now paired with driver stealth.

Mainstream reporting frames each SprySOCKS update as incremental. Contract awards and job postings from Chinese firms instead indicate a deliberate shift toward NDIS and Print Spooler abuse to survive endpoint detection. No independent packet captures confirm the claimed Earth Lusca attribution beyond shared infrastructure. The next detection surface will be additional signed drivers submitted through test-signing channels, or abused print processors in enterprise environments. Monitoring for RawWNPF.sys hashes on VirusTotal and Windows driver block lists should precede broader deployment.
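A read-only host triage script for the artifacts described above, added here as an example and not taken from the ESET or Trend Micro reports. It assumes an elevated Windows PowerShell 5.1+ session; the driver and file names (RawWNPF, DriverLoader, winprint.dll) come from the article or from Windows defaults, while the signature, scheduled-task and print-processor checks are generic heuristics that will also surface some benign entries.

```powershell
# Added example (not from the ESET/Trend Micro reports): read-only triage of a Windows host for the
# SprySOCKS WIN_DRV/WIN_PLUS artifacts the article names. Beyond those names the checks are generic
# hunting heuristics, so expect some benign hits. Requires elevated Windows PowerShell 5.1+.
$suspectDrivers = @('RawWNPF', 'DriverLoader')              # names taken from the article
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Name, $Detail, $Reason) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail; Reason = $Reason })
}

# 1. Kernel drivers: match the reported names, and flag any driver whose signature does not verify
#    (unsigned or test-signed; catalog-signed inbox drivers verify as Valid). SHA-256 is recorded
#    so it can be checked against VirusTotal and the Windows driver block list.
foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot `
                          -replace '^system32\\', "$env:SystemRoot\system32\"
    $nameHit = $suspectDrivers | Where-Object { $drv.Name -like "*$_*" -or $path -like "*$_*" }
    $sig = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -LiteralPath $path }
    $status = if ($sig) { $sig.Status } else { 'FileNotFound' }
    if ($nameHit -or $status -ne 'Valid') {
        $sha256 = if ($sig) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'n/a' }
        $reason = if ($nameHit) { 'name matches reported artifact' } else { "signature status $status" }
        Add-Finding 'Driver' $drv.Name "$path sha256=$sha256 state=$($drv.State)" $reason
    }
}

# 2. Scheduled tasks: the WIN_DRV chain starts from a task that side-loads a DLL, so flag enabled
#    tasks whose action loads a DLL explicitly or runs a binary from outside the OS/program dirs.
$trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($act in $task.Actions) {
        if (-not $act.Execute) { continue }                   # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($act.Execute).Trim('"')
        $inTrusted = [bool]($trusted | Where-Object { $exe -like $_ })
        $loadsDll = ($exe -match 'rundll32|regsvr32') -or ("$($act.Arguments)" -match '\.dll')
        if ($loadsDll -or -not $inTrusted) {
            $reason = if ($loadsDll) { 'task action loads a DLL' } else { 'binary outside OS/program dirs' }
            Add-Finding 'Task' "$($task.TaskPath)$($task.TaskName)" "$exe $($act.Arguments)" $reason
        }
    }
}

# 3. Print processors: these DLLs load into spoolsv.exe, the process WIN_PLUS abuses, so list any
#    registered processor other than the built-in winprint.dll for review.
$ppRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
foreach ($pp in Get-ChildItem "$ppRoot\*\Print Processors\*" -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty -LiteralPath $pp.PSPath).Driver
    if ($dll -and $dll -ne 'winprint.dll') { Add-Finding 'PrintProcessor' $pp.PSChildName $dll 'non-default print processor' }
}
$findings | Format-Table -AutoSize -Wrap
```

Findings are a starting point for review, not verdicts: third-party print processors and vendor tasks installed outside Program Files will appear alongside anything genuinely suspicious.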
ESET: RawWNPF.sys detections will exceed 50 unique victims in enterprise telemetry by December 2026
Sources (3)
- [1] ESET SprySOCKS Analysis (https://www.welivesecurity.com/2026/06/sprysocks-windows/)
- [2] Trend Micro Earth Lusca Report (https://www.trendmicro.com/en_us/research/23/i/earth-lusca.html)
- [3] i-Soon Leak Documents (https://github.com/da-xuesheng/isoon-leaks)