FishMonger upgrades SprySOCKS backdoor with Windows variants

ESET Research has uncovered two undocumented Windows builds of the SprySOCKS backdoor, used to target governments across Asia and Latin America.

ESET Research has disclosed two previously undocumented Windows variants of SprySOCKS, a backdoor linked to FishMonger, a China-aligned cyberespionage group believed to be operated by contractor I-SOON. The new variants, designated WIN_DRV and WIN_PLUS, extend what had until now been a Linux-only tool into Windows environments and introduce kernel-level stealth capabilities that make detection substantially harder.

ESET's telemetry places active deployment of the malware between 2023 and 2024, with confirmed victims predominantly in government organisations across Honduras, Taiwan, Thailand, and Pakistan. The samples were first identified on VirusTotal in April 2024, but real-world intrusions predate that upload.

Technical capabilities

Both Windows variants communicate over TCP, UDP, and WebSocket protocols and support more than 30 command-and-control (C&C) commands covering system reconnaissance, process enumeration, service management, and file operations including listing, creation, deletion, and exfiltration.

The WIN_DRV variant is the more sophisticated of the two. It weaponises a kernel driver to conceal the malware's network connections, running processes, files, and registry keys from standard inspection tools. Traffic diversion is handled at the kernel level: the driver monitors all incoming TCP packets and redirects those containing a specially crafted trigger to the backdoor's hidden listening port, meaning the real port never appears in network traffic. This passive interception pattern is a meaningful operational security upgrade over typical user-space backdoors, which tend to expose listening sockets in netstat output or endpoint detection and response telemetry.

Martin Smolár, the ESET researcher who discovered and analysed the samples, noted that the Windows builds retain the core C&C protocol, encryption scheme, and command-handling logic of the original Linux version, substituting Windows-native system calls only where the architecture required it. He also flagged limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, potentially exploiting CVE-2023-24932, a Secure Boot bypass vulnerability patched by Microsoft in May 2023. ESET stopped short of confirming bootkit deployment but advised defenders to monitor the group's activity closely.

Threat landscape and attribution context

FishMonger sits within the Winnti Group cluster, one of the most prolific and technically capable China-nexus threat actor families tracked by Western researchers. The group operates under several aliases, including Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10. ESET first publicly reported on FishMonger in 2020 in the context of attacks on Hong Kong universities during the 2019 civic protests.

I-SOON, the contractor believed to operate FishMonger, drew significant public attention in early 2024 when a large cache of internal documents was leaked on GitHub, offering rare visibility into the commercial structure of China's contractor-driven hacking ecosystem. The leak corroborated earlier attribution work by multiple threat intelligence firms and linked I-SOON to a range of government and critical-infrastructure targeting campaigns across Asia.

The expansion of SprySOCKS to Windows is consistent with a broader trend among China-aligned groups: building cross-platform toolkits that allow operators to move laterally regardless of the target's operating environment. FishMonger's existing arsenal, which includes ShadowPad, Cobalt Strike, Spyder, FunnySwitch, and the BIOPASS remote access trojan, already reflects a mature, modular approach to long-term access operations.

For defenders, the kernel-driver stealth technique warrants attention. Endpoint detection and response platforms that rely primarily on user-space telemetry may miss WIN_DRV activity; kernel-level visibility and driver signing anomaly detection are the most reliable mitigations. ESET has published a detailed technical write-up on WeLiveSecurity.com, including indicators of compromise.
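The concealment described above (network connections and processes hidden from standard inspection tools) and the kernel-level visibility recommended as a mitigation meet in the classic rootkit-detection approach: enumerate the same objects from two vantage points and flag whatever one view reports and the other omits. The Python below is an added example, not ESET's code and not derived from the SprySOCKS samples. Its inputs are constructed: a `netstat -ano`-style listing stands in for the user-space view, a hypothetical kernel-sensor export (the `proto addr:port pid=N` format is invented here) stands in for the kernel view, and the two PID sets stand in for `tasklist` output and a kernel-side process enumeration; pid 5321 and port 50123 are invented for illustration.

```python
"""Cross-view detection of hidden listening sockets and processes.

Added example: compares a user-space enumeration (what a hooked API shows)
against a kernel-level enumeration (what a sensor or memory image shows) and
reports objects that exist only in the kernel view. All input data below is
constructed sample text.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    port: int
    pid: int


# Constructed user-space view, in the column layout of `netstat -ano`.
USER_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       1120
  UDP    0.0.0.0:123            *:*                                    2216
"""

# Constructed kernel-level view (hypothetical sensor export, one socket per line).
# Port 50123 / pid 5321 are invented values representing a concealed listener.
KERNEL_SOCKETS = """\
tcp 0.0.0.0:135 pid=904
tcp 0.0.0.0:445 pid=4
tcp 0.0.0.0:3389 pid=1120
tcp 0.0.0.0:50123 pid=5321
udp 0.0.0.0:123 pid=2216
"""

USER_PIDS = {4, 904, 1120, 2216}          # e.g. from tasklist (user-space API)
KERNEL_PIDS = {4, 904, 1120, 2216, 5321}  # e.g. from a kernel sensor or memory image

# netstat columns: proto, local addr:port, foreign addr, optional state (TCP only), pid
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# hypothetical sensor format: "<proto> <addr>:<port> pid=<pid>"
KERNEL_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+pid=(\d+)\s*$")


def parse_netstat(text):
    """Parse a netstat -ano listing into the set of listening sockets."""
    found = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, _addr, port, state, pid = m.groups()
        # UDP rows carry no state; TCP rows count only when LISTENING.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add(Listener(proto.lower(), int(port), int(pid)))
    return found


def parse_kernel_dump(text):
    """Parse the (hypothetical) kernel-side socket export."""
    found = set()
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        if m:
            proto, port, pid = m.groups()
            found.add(Listener(proto, int(port), int(pid)))
    return found


def cross_view(user_listeners, kernel_listeners, user_pids, kernel_pids):
    """Return findings for objects present in the kernel view but absent from the user view.

    Sockets are keyed on (proto, port) rather than address so that a wildcard
    bind reported as [::] in one view and 0.0.0.0 in the other still matches.
    """
    user_keys = {(l.proto, l.port) for l in user_listeners}
    findings = []
    for l in sorted(kernel_listeners, key=lambda x: (x.proto, x.port)):
        if (l.proto, l.port) not in user_keys:
            findings.append(f"hidden listener {l.proto}/{l.port} owned by pid {l.pid}")
    for pid in sorted(kernel_pids - user_pids):
        findings.append(f"hidden process pid {pid}")
    return findings


def run_demo():
    """Run the comparison over the constructed sample views."""
    return cross_view(parse_netstat(USER_NETSTAT),
                      parse_kernel_dump(KERNEL_SOCKETS),
                      USER_PIDS, KERNEL_PIDS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The value of the check depends entirely on the kernel-side source being out of reach of the driver under suspicion: an EDR kernel sensor, a memory image parsed offline, or an enumeration performed from a trusted boot environment. Any in-band API, however low-level, can be hooked by a driver that is already loaded, which is why the article's mitigations pair kernel visibility with driver signing anomaly detection rather than relying on either alone.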