China-linked FishMonger group expands SprySOCKS backdoor to Windows systems

ESET researchers have discovered two previously undocumented Windows variants of the SprySOCKS backdoor, a malware family that was previously observed targeting only Linux systems. The malware is linked to FishMonger, a cyber espionage group believed to be operated by Chinese contractor I-SOON.

The variants, named WIN_DRV and WIN_PLUS, were initially found on VirusTotal. However, ESET telemetry confirmed real-world activity between 2023 and 2024, targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan.

Both variants contain hard-coded command-and-control (C&C) server configurations and support communications over TCP, UDP, and WebSocket protocols. They include more than 30 commands that allow attackers to collect system information, enumerate processes, manage services, and perform file operations such as listing, creating, deleting, uploading, and downloading files.

The WIN_DRV version comes with advanced stealth capabilities that allow it to hide malware-related processes, files, registry keys, and network connections. It also supports TCP traffic diversion, enabling attackers to communicate with the malware through random TCP ports without revealing the actual listening port.

Researchers also found limited evidence suggesting some attacks may involve a UEFI bootkit component, potentially exploiting CVE-2023-24932, a Secure Boot bypass vulnerability previously used by the BlackLotus bootkit.

SprySOCKS was first publicly documented in September 2023 and attributed to the China-linked threat actor tracked as Earth Lusca. ESET tracks the group as FishMonger, which it describes as part of the wider Winnti cyber espionage ecosystem.

The Windows variants are based on SprySOCKS version 1.8 and retain the functionality of the Linux version. The WIN_DRV sample uses a kernel driver called RawWNPF for stealth operations, and an encrypted driver named DriverLoader is used to load it into memory.

According to ESET, the malware is deployed through a DLL side-loading chain triggered by a scheduled task. The WIN_PLUS variant uses the Windows Print Spooler service to launch a loader that injects the backdoor into a newly created svchost.exe process.
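As an added example, not code from ESET or from the original article, the check below walks constructed process-creation records for the WIN_PLUS pattern described above: an svchost.exe whose parent is not services.exe and whose ancestry leads back to spoolsv.exe. The pids, the tree layout and the loader name loader.exe are assumptions.

```python
# Hunt over constructed process-creation records (Sysmon-style pid/ppid/image)
# for an svchost.exe not started by services.exe. On a healthy Windows host
# services.exe is the parent of every svchost.exe; an svchost.exe whose chain
# runs back to spoolsv.exe matches the WIN_PLUS injection chain.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lowercase base name, e.g. "svchost.exe"


def ancestry(events, pid):
    """Return image names from pid up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def suspicious_svchost(events):
    """List (pid, parent image, spoolsv in ancestry) for every svchost.exe
    whose direct parent is not services.exe."""
    findings = []
    for e in events:
        if e.image != "svchost.exe":
            continue
        chain = ancestry(events, e.pid)
        parent = chain[1] if len(chain) > 1 else None
        if parent != "services.exe":
            findings.append((e.pid, parent, "spoolsv.exe" in chain))
    return findings


# Constructed sample tree; pids are illustrative, not real telemetry.
SAMPLE = [
    ProcEvent(4, 0, "system"),
    ProcEvent(600, 4, "wininit.exe"),
    ProcEvent(700, 600, "services.exe"),
    ProcEvent(900, 700, "svchost.exe"),     # normal: parent is services.exe
    ProcEvent(1200, 700, "spoolsv.exe"),    # Print Spooler service
    ProcEvent(3100, 1200, "loader.exe"),    # hypothetical loader started by the spooler
    ProcEvent(3150, 3100, "svchost.exe"),   # fresh svchost.exe, injection target
]

if __name__ == "__main__":
    for pid, parent, via_spoolsv in suspicious_svchost(SAMPLE):
        print(f"svchost.exe pid={pid} parent={parent} via_spoolsv={via_spoolsv}")
```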

Researchers noted that FishMonger has previously exploited known vulnerabilities in Fortinet, GitLab, Microsoft Exchange, Progress Telerik UI, and Zimbra systems to gain initial access. The earliest known WIN_PLUS infection was detected on a victim system in Pakistan in July 2024.
