If EDR is so great, why are these attacks still happening?
That question keeps becoming harder for security leaders to ignore.
A newly reported cyber espionage campaign involving the SprySOCKS backdoor is another reminder that modern attackers are no longer trying to smash through the front door. They are quietly embedding themselves into systems, hiding from visibility tools, and staying operational long enough to accomplish their goals.
For business leaders, this story is not about a nation-state attack happening somewhere else.
It is about understanding where security strategies are succeeding, where they are struggling, and what organizations should do before the same techniques become mainstream.
So what exactly happened?
According to reporting from The Hacker News and research published by ESET, security researchers discovered two previously undocumented Windows variants of the SprySOCKS backdoor, a malware family until now associated with Linux environments and linked to the China-aligned FishMonger threat group.
ESET Research:
https://www.eset.com/us/about/newsroom/research/eset-research-fishmonger-targets-governments-in-asia-latin-america/
Researchers identified variants known as WIN_DRV and WIN_PLUS.
What makes this development notable is not simply that the malware moved from Linux to Windows.
It is how it operates.
One variant reportedly uses a kernel-level driver to conceal files, processes, registry activity, and network connections from common security visibility tools. Researchers also observed features enabling command execution, file movement, persistence mechanisms, firewall modification, and covert communications across multiple protocols.
Telemetry showed activity targeting government organizations across multiple regions between 2023 and 2024.
This reflects a broader trend. Attackers are investing more effort into staying invisible after initial access rather than relying solely on destructive malware.
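Cross-view consistency checks are one practical way defenders look for the kind of concealment described above: a driver that hides processes or connections usually hooks one enumeration path, so independent views of the same facts should still agree. The PowerShell below is an added example, not code from the article, ESET or AppGuard; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 with the NetTCPIP module present.

```powershell
# Added example, not code from the article, ESET or AppGuard. Cross-view check: a concealment
# driver usually hooks one enumeration path; views that reach the same facts by different routes
# should still agree. A PID in one view and absent from another is a lead to examine, not proof.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11 with the NetTCPIP module present.

function Get-ProcessViews {
    # Three views: Win32 API (Get-Process), WMI/CIM provider, and tasklist.exe as a separate process
    $api = @(Get-Process | Select-Object -ExpandProperty Id)
    $cim = @(Get-CimInstance Win32_Process | Select-Object -ExpandProperty ProcessId)
    $tl  = @(tasklist /FO CSV /NH |
            ConvertFrom-Csv -Header Image,PID,Session,SessionNum,Mem |
            Where-Object { $_.PID -match '^\d+$' } |
            ForEach-Object { [int]$_.PID })
    [pscustomobject]@{ Api = $api; Cim = $cim; Tasklist = $tl }
}

function Compare-ProcessViews {
    param($Views)
    $findings = @()
    $pairs = @(@{ A = 'Api'; B = 'Cim' }, @{ A = 'Api'; B = 'Tasklist' }, @{ A = 'Cim'; B = 'Tasklist' })
    foreach ($pair in $pairs) {
        foreach ($d in (Compare-Object $Views.($pair.A) $Views.($pair.B))) {
            # '=>' means the PID exists only in view B, so it is missing from view A
            $missingFrom = if ($d.SideIndicator -eq '=>') { $pair.A } else { $pair.B }
            $findings += "PID $($d.InputObject) missing from the $missingFrom view"
        }
    }
    $findings
}

function Find-OrphanConnections {
    param([int[]]$KnownPids)
    # A live TCP endpoint whose owning PID no process view can account for is the
    # network-side trace of a hidden process.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -ne 0 -and $KnownPids -notcontains $_.OwningProcess } |
        ForEach-Object { "TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) owned by unseen PID $($_.OwningProcess)" }
}

# Two snapshots a few seconds apart; keep only findings present in both, which drops
# processes that merely started or exited between the enumerations.
$first  = Get-ProcessViews
Start-Sleep -Seconds 3
$second = Get-ProcessViews
$findingsB = @(Compare-ProcessViews $second)
$stable = @(Compare-ProcessViews $first | Where-Object { $findingsB -contains $_ })
$known  = @($second.Api + $second.Cim + $second.Tasklist | Sort-Object -Unique)
$stable + @(Find-OrphanConnections -KnownPids $known) | ForEach-Object { Write-Output $_ }
if (-not $stable) { Write-Output 'Process views agree (a hook covering all three paths would still pass).' }
```

Agreement between the views does not prove a clean host, since a kernel hook on the common system call would fool all three; a disagreement that survives the second snapshot is what deserves a memory image or an offline look.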
Why does this matter to businesses that are not government targets?
Because advanced attack techniques rarely stay limited to one sector.
Enterprise attacks often follow the same pattern:
• Initial access
• Credential abuse
• Persistence
• Privilege escalation
• Lateral movement
• Data theft or disruption
The techniques evolve faster than defenses.
The 2025 Verizon Data Breach Investigations Report found that credential abuse accounted for 22% of confirmed breaches globally while vulnerability exploitation increased by 34% year over year.
Verizon DBIR:
https://www.verizon.com/about/news/2025-data-breach-investigations-report
That means attackers increasingly gain access through legitimate pathways instead of obviously malicious behavior.
And once they establish access, stealth becomes the priority.
Could this happen even if we already have EDR?
That is becoming one of the most important questions organizations should ask.
Endpoint Detection and Response remains valuable.
But detection assumes something suspicious becomes visible.
Threats like SprySOCKS illustrate what happens when attackers focus specifically on reducing visibility.
• Security tool tampering
• Kernel-level concealment
• Living off legitimate system functions
• Credential abuse
• Delayed alerting
These techniques challenge the traditional Detect and Respond model.
The issue is not that detection is ineffective.
The issue is that attackers increasingly operate inside acceptable-looking behavior.
By the time alerts surface, attackers may already have moved laterally, collected information, or established persistence.
Why are traditional defenses struggling?
Traditional approaches were designed around identifying known bad activity.
Modern attacks increasingly avoid appearing malicious.
Attackers use legitimate tools.
They blend into normal administration.
They bypass controls rather than triggering them.
The financial consequences are substantial.
IBM's Cost of a Data Breach Report 2025 found the global average breach cost reached $4.4 million.
IBM Report:
https://www.ibm.com/reports/data-breach
Those costs extend far beyond ransom payments.
Organizations face:
• Financial losses from recovery and remediation
• Operational downtime and service interruption
• Lost employee productivity
• Regulatory and legal exposure
• Customer trust and reputation damage
• Long-term business disruption
For leadership teams, the question becomes less about whether detection works and more about how much damage occurs before detection succeeds.
What is changing in endpoint security?
Many organizations are now expanding beyond Detect and Respond into a prevention-first model built around Isolation and Containment.
The goal changes from:
Find malicious behavior after execution.
To:
Prevent unauthorized execution before damage begins.
Isolation and Containment focuses on:
• Prevention before execution
• Restricting unauthorized applications
• Limiting attacker movement
• Reducing blast radius
• Preventing encryption and persistence before they start
This approach recognizes a practical reality.
Security teams cannot guarantee perfect detection.
But they can reduce what attackers are allowed to execute and contain what can spread.
One example of this philosophy is AppGuard, a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.
Rather than depending primarily on identifying malicious indicators after compromise, prevention-first approaches seek to reduce execution opportunities from the beginning.
What should businesses do next?
Business leaders do not need to become malware analysts.
But they should challenge assumptions.
Ask your teams:
• What happens if detection fails?
• Which applications are allowed to execute today?
• Can attackers move laterally between systems?
• Have failure scenarios been tested recently?
• Are third-party connections reviewed regularly?
• Are critical systems segmented?
• Does the incident response plan assume delayed detection?
• Are prevention controls operating before execution occurs?
Organizations that build resilience assume compromise attempts will happen and design controls that reduce impact.
That shift in mindset is becoming increasingly important as stealth techniques become more sophisticated.
The SprySOCKS findings are not simply another threat headline.
They are another signal that attackers are adapting faster, hiding deeper, and relying less on noisy tactics.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.
June 23, 2026