China-linked FishMonger used two SprySOCKS Windows variants that leveraged kernel drivers and the Print Spooler to target governments in four countries.
ESET researchers have found two previously undocumented Windows versions of SprySOCKS, a backdoor that the security community had until now treated as Linux-only. Trend Micro first documented the Linux variant in September 2023 and attributed it to Earth Lusca, a China-linked actor also tracked as Aquatic Panda, Charcoal Typhoon, and RedHotel, which has been active since at least 2021 and is operated by the Chinese contractor i-Soon. ESET tracks the same cluster as FishMonger and places it under the broader Winnti umbrella.
“ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger,” reads the report published by ESET. “The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS. Both come with a hardcoded C&C configuration and support communication over TCP, UDP, and WebSocket protocols.”
Both variants belong to SprySOCKS version 1.8 and share the core architecture of the original Linux variant: the same command-and-control protocol, the same encryption, and the same overall command handling logic. Where they differ is in delivery and stealth: the Windows samples use a different installation mechanism and go to greater lengths to stay hidden.
WIN_DRV is the more technically interesting of the two. It loads a kernel driver named RawWNPF, stored on disk as KW1B5206BDC1743FP.dat, that hides the malware’s network connections, running processes, files, and registry keys from any tool that inspects the system from user mode. A second, encrypted kernel driver called DriverLoader is responsible for loading RawWNPF. The attack chain begins with an as-yet undetermined initial access method that drops a batch script; the script creates a scheduled task, the task triggers a DLL side-loading sequence, and that sequence installs the backdoor and its driver components. It is a long chain, but each stage has a job: the scheduled task provides persistence, the side-loaded DLL executes under a legitimate host program, and the drivers provide concealment once the backdoor is resident.
WIN_DRV also implements what ESET calls TCP traffic diversion. The backdoor listens passively on a random TCP port on the victim’s host; the kernel driver watches inbound TCP packets and, when one carries the expected crafted data, diverts that connection to the hidden port. Nothing in the observable traffic reveals which port the backdoor is actually bound to, which makes detection through network monitoring considerably harder.
“The WIN_DRV variant creates a stealthy passive TCP backdoor, relying on a kernel driver to redirect traffic to the backdoor’s hidden TCP port whenever specially crafted data is detected inside a received TCP packet,” continues the report.
WIN_PLUS takes a different approach to staying hidden. It uses the Windows Print Spooler service, spoolsv.exe, as its starting point: a first-stage loader runs as a print processor, and therefore inside spoolsv.exe, then injects a SprySOCKS loader into a newly created svchost.exe process that launches the backdoor. Both are processes that are constantly present on an ordinary Windows system, so the activity blends into background noise. WIN_PLUS was first detected in July 2024 on a device in Pakistan.
Both variants support the same command set: collecting system information, launching an interactive shell, enumerating running processes, listing services, initializing a SOCKS proxy, uploading and downloading files, and executing files already on the system. Evidence suggests the artifacts were deployed between 2023 and 2024 against government organizations in Honduras, Taiwan, Thailand, and Pakistan. FishMonger’s previous targets include organizations in Taiwan, Hungary, Turkey, Thailand, France, and the US, documented in ESET’s March 2025 report on Operation FishMedley.
There is also a detail at the edge of the report that deserves attention. ESET found limited indications of a possible UEFI bootkit, potentially exploiting CVE-2023-24932, the Windows Boot Manager Secure Boot bypass associated with BlackLotus. ESET presents this as an indication rather than a confirmed finding, but a UEFI-level component would mean persistence that survives a reinstall of the operating system. Note that Microsoft’s May 2023 fix shipped with the Secure Boot revocations disabled by default and required manual deployment, so a host that merely received the update is not automatically protected.
SprySOCKS is derived from Trochilus, a Windows remote access tool that also underpins RedLeaves, another backdoor with significant source code overlap. A third group, Webworm, shares tradecraft with both FishMonger and SixLittleMonkeys and likewise uses Trochilus. When several China-linked groups build on the same codebase, code overlap alone is a weak attribution signal, and attribution gets complicated fast.
“The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger’s cross-platform capabilities,” concludes the report. “Our analysis shows that the Windows port retains most of the core architecture of its Linux predecessor – including the C&C protocol, encryption used, and overall command handling logic – while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game.”
For defenders, the practical consequence is straightforward: detection rules and threat intelligence built around SprySOCKS as a Linux-only threat now need to cover Windows endpoints as well. On Windows, the indicators to add are kernel-driver activity (a driver image with an unusual name or extension, unsigned or stored outside the driver directories, and hidden ports and processes) and Print Spooler abuse (a non-default print processor DLL loaded by spoolsv.exe that then creates or injects into svchost.exe).
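As an added example, not code from ESET’s report or from this article, the following read-only PowerShell triage script turns the WIN_DRV and WIN_PLUS residency techniques described above into host checks: non-default print processors under spoolsv.exe, kernel-mode driver services with odd images, scheduled tasks pointing at batch files, and svchost.exe instances not parented by services.exe. The registry paths and the default winprint processor are standard Windows; the RawWNPF and KW1B5206BDC1743FP.dat names come from the report (the assumption that RawWNPF is also the registered service name is mine); the “suspicious” heuristics are mine and will produce benign hits that need analyst review.

```powershell
# Added example (not ESET's or the article's code): read-only triage for the two
# SprySOCKS Windows residency techniques. Run from an elevated PowerShell session.

# --- 1. Print processors (WIN_PLUS first stage runs as one, inside spoolsv.exe) ----------
# A stock x64 install registers exactly one: winprint -> winprint.dll in spool\prtprocs\x64.
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
$ppDir = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'
Write-Host "== Print processors (expected: winprint -> winprint.dll) =="
Get-ChildItem $ppKey -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.PSChildName
    $dll  = (Get-ItemProperty $_.PSPath).Driver
    $path = if ($dll) { Join-Path $ppDir $dll } else { '<no Driver value>' }
    $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'MISSING' }
    $flag = if ($name -eq 'winprint' -and $dll -eq 'winprint.dll' -and $sig -eq 'Valid') { 'ok' } else { 'SUSPECT' }
    "{0,-8} {1,-16} {2,-10} {3}" -f $flag, $name, $sig, $path
}
# DLLs sitting in the directory without a registration are also worth a look (dropped, not yet wired up).
Get-ChildItem $ppDir -Filter *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'winprint.dll' } |
    ForEach-Object { "UNREG    $($_.FullName)" }

# --- 2. Kernel-mode driver services (WIN_DRV's RawWNPF ships as KW1B5206BDC1743FP.dat) --
# Service Type 1 = SERVICE_KERNEL_DRIVER. Flag images that are not .sys, live outside the
# driver directories, fail signature verification, or match the names from the report.
# Assumption: RawWNPF is the registered service name as well as the driver name.
Write-Host "== Kernel driver services with unusual images =="
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.Type -ne 1 -or -not $svc.ImagePath) { return }
    # Normalise the NT-style paths the SCM stores: \SystemRoot\..., \??\C:\..., System32\...
    $img = $svc.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }
    $why = @()
    if ([IO.Path]::GetExtension($img) -ne '.sys') { $why += 'non-.sys image' }
    if ($img -notlike "$env:SystemRoot\System32\drivers\*" -and
        $img -notlike "$env:SystemRoot\System32\DriverStore\*") { $why += 'outside driver dirs' }
    if ($_.PSChildName -eq 'RawWNPF' -or $img -like '*KW1B5206BDC1743FP.dat') { $why += 'matches report IoC' }
    if (Test-Path $img) {
        if ((Get-AuthenticodeSignature $img).Status -ne 'Valid') { $why += 'unsigned or invalid signature' }
    } else { $why += 'image missing on disk' }
    if ($why) { "{0,-20} {1}  [{2}]" -f $_.PSChildName, $img, ($why -join ', ') }
}

# --- 3. Scheduled tasks (WIN_DRV's chain is installed by a task created from a batch script)
Write-Host "== Scheduled tasks whose action is a batch file or lives in a user-writable path =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match '\.(bat|cmd)\b' -or $cmd -match '\\(Users|ProgramData|Temp)\\') {
            "{0,-45} {1}" -f ($task.TaskPath + $task.TaskName), $cmd
        }
    }
}

# --- 4. svchost.exe with an unexpected parent (WIN_PLUS starts a fresh svchost.exe from spoolsv.exe)
# Legitimate svchost.exe instances are children of services.exe. PID reuse can mislabel the
# parent of a process whose creator has exited, so treat hits as leads, not verdicts.
Write-Host "== svchost.exe not parented by services.exe =="
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in ($procs | Where-Object Name -eq 'svchost.exe')) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $pname  = if ($parent) { $parent.Name } else { '<exited>' }
    if ($pname -ne 'services.exe') {
        "{0,-6} parent={1,-12} {2}" -f $p.ProcessId, $pname, $p.CommandLine
    }
}
```

Section 2 will list legitimate drivers that live in vendor directories or use non-standard paths, and section 3 will list benign admin tasks; the point is to surface the handful of entries an analyst has to explain, not to produce verdicts. None of the checks see through a running RawWNPF rootkit, which hides its own files, keys and ports from user mode: if the host is suspected to be live-compromised, the same registry hives and the prtprocs directory should be examined from an offline image or a boot environment.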
(SecurityAffairs – hacking, FishMonger)