
ESET researchers have uncovered two previously undocumented Windows variants of SprySOCKS, a backdoor that until now was known only as a Linux threat and that is linked to the China-aligned cyberespionage group FishMonger.
The newly discovered malware variants significantly expand the group's capabilities by introducing Windows-native persistence mechanisms and, in one version, a kernel-level rootkit designed to conceal malicious activity from security tools.
According to ESET, the Windows malware was initially discovered in files uploaded to VirusTotal, but telemetry data revealed real-world activity between 2023 and 2024. The attacks primarily targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan. Researchers attributed the malware to FishMonger with high confidence based on code similarities, operational characteristics, and infrastructure overlaps.
FishMonger, also tracked as Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10, is believed to operate from Chengdu, China, under the broader Winnti Group umbrella. The threat actor has previously been linked to cyberespionage campaigns against universities in Hong Kong and is known for deploying tools such as ShadowPad, Spyder, FunnySwitch, BIOPASS RAT, and Cobalt Strike.
The newly discovered SprySOCKS malware for Windows comes in two variants named WIN_DRV and WIN_PLUS. Both support communications over TCP, UDP, and WebSocket protocols and implement more than 30 command-and-control (C2) commands for system reconnaissance, process management, service control, file operations, and remote command execution.
The most sophisticated version, WIN_DRV, incorporates a kernel driver called RawWNPF that functions as a rootkit. The driver can hide active network connections, running processes, malware files, and registry keys from administrators and security products. It also enables a stealthy passive backdoor: the driver watches traffic arriving on any TCP port the host already has open and, when a specially crafted packet matches, redirects the connection to the malware's hidden listening port. The implant therefore never has to open a port of its own, and operators can reach it without exposing its actual network endpoint.

ESET found that attackers use several techniques to establish persistence and evade detection. In the WIN_DRV chain, the malware relies on DLL side-loading through legitimate signed software, scheduled tasks running with SYSTEM privileges, encrypted payload containers, process doppelgänging, and custom kernel drivers. The rootkit protects files stored in the Windows Fonts directory and hides registry keys associated with persistence mechanisms.
The second variant, WIN_PLUS, lacks the kernel driver but still employs sophisticated loading mechanisms. Researchers observed it using a malicious print processor named VSPMsg.dll for persistence. The malware stores encrypted payloads in the Windows print spooler directories and injects the final backdoor into svchost.exe processes using process doppelgänging techniques.
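The persistence locations described for both chains (print processor registration, payload files under the spooler and Fonts directories, SYSTEM scheduled tasks used for DLL side-loading, and a kernel driver service) can all be enumerated from an elevated PowerShell session. The script below is an added hunting example written for this article; it is not code from ESET's report or from the malware's authors. The registry path for print processors, the prtprocs and Fonts directories, and the Win32_SystemDriver class are standard Windows locations; the function names, the "trusted directory" heuristic, and the font-extension allow-list are this script's own assumptions and will need local tuning.

```powershell
#Requires -RunAsAdministrator
# Added hunting script (not from ESET's report). Flags the persistence artifacts
# the article attributes to the SprySOCKS Windows loaders. Caveat: on a WIN_DRV
# host the RawWNPF rootkit can hide files, registry keys and drivers from
# user-mode tools, so an empty result is not proof of absence.

function Get-SignatureLabel {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return 'valid:' + $sig.SignerCertificate.Subject }
    return 'untrusted:' + $sig.Status
}

function New-Finding {
    param([string]$Source, [string]$Path, [string]$Note)
    [pscustomobject]@{ Source = $Source; Path = $Path; Signature = (Get-SignatureLabel $Path); Note = $Note }
}

function Get-PrintProcessorFindings {
    # Each 'Print Processors\<name>' subkey has a 'Driver' value naming a DLL that
    # spoolsv.exe (running as SYSTEM) loads from System32\spool\prtprocs\<arch>\.
    # winprint.dll is the only processor present on a default install.
    $root  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    $spool = Join-Path $env:SystemRoot 'System32\spool\prtprocs'
    foreach ($envKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($pp in Get-ChildItem -Path "$($envKey.PSPath)\Print Processors" -ErrorAction SilentlyContinue) {
            $driver = (Get-ItemProperty -Path $pp.PSPath -ErrorAction SilentlyContinue).Driver
            if (-not $driver) { continue }
            $file = Get-ChildItem -Path $spool -Recurse -File -Filter $driver -ErrorAction SilentlyContinue | Select-Object -First 1
            $note = if ($driver -ieq 'winprint.dll') { 'default print processor' } else { 'NON-DEFAULT print processor, loaded by spoolsv.exe as SYSTEM' }
            New-Finding -Source "PrintProcessor:$($pp.PSChildName)" -Path $(if ($file) { $file.FullName } else { $driver }) -Note $note
        }
    }
    # Encrypted payload containers dropped beside the print processor show up here.
    Get-ChildItem -Path $spool -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ine 'winprint.dll' } |
        ForEach-Object { New-Finding -Source 'SpoolDir' -Path $_.FullName -Note 'unexpected file under prtprocs' }
}

function Get-FontsDirFindings {
    # Assumed allow-list of extensions legitimately found in %SystemRoot%\Fonts.
    $fontExt = '.ttf','.ttc','.otf','.fon','.fnt','.pfb','.pfm','.afm','.ini','.dat','.xml','.compositefont'
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Fonts') -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $fontExt -notcontains $_.Extension.ToLower() } |
        ForEach-Object { New-Finding -Source 'FontsDir' -Path $_.FullName -Note 'non-font file in Fonts directory' }
}

function Get-SystemTaskFindings {
    # SYSTEM tasks whose executable lives outside Windows/Program Files, plus any
    # DLLs sitting beside that executable (the classic side-loading layout: a
    # legitimately signed EXE next to an attacker-controlled DLL).
    $systemIds = 'SYSTEM','S-1-5-18','NT AUTHORITY\SYSTEM'
    $trusted   = @("$env:SystemRoot\", "$env:ProgramFiles\", ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($systemIds -notcontains $task.Principal.UserId) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }) { continue }
            New-Finding -Source "Task:$($task.TaskPath)$($task.TaskName)" -Path $exe -Note "SYSTEM task outside trusted dirs; args: $($action.Arguments)"
            $dir = Split-Path -Parent $exe
            if ($dir -and (Test-Path -LiteralPath $dir)) {
                Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
                    ForEach-Object { New-Finding -Source 'SideLoadCandidate' -Path $_.FullName -Note "DLL beside task executable $exe" }
            }
        }
    }
}

function Get-DriverFindings {
    # Kernel drivers are registered as services; report any whose image file is
    # not validly signed, plus anything carrying the RawWNPF name from the report.
    # A validly signed driver still needs triage: signing certificates get stolen.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = ($_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\").Trim('"')
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
            $label = Get-SignatureLabel $p
            if ($label -notlike 'valid:*' -or $_.Name -imatch 'RawWNPF') {
                New-Finding -Source "Driver:$($_.Name)" -Path $p -Note "state=$($_.State) start=$($_.StartMode)"
            }
        }
}

function Invoke-SprySocksHunt {
    $findings = @(Get-PrintProcessorFindings) + @(Get-FontsDirFindings) + @(Get-SystemTaskFindings) + @(Get-DriverFindings)
    $findings | Sort-Object Source | Format-Table -AutoSize -Wrap | Out-Host
    return $findings
}

$null = Invoke-SprySocksHunt
```

Treat the output as a triage list, not a verdict: third-party print processors, unsigned vendor drivers and odd files in Fonts do occur on clean machines. Because the WIN_DRV rootkit filters what user-mode APIs return, corroborate from outside the suspect OS where possible (an offline disk image, or a registry hive and spool directory copied from a boot environment), and compare the host's listening ports as seen by a network sensor with what the host itself reports.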

Both variants include optional surveillance features. If enabled through a configuration file, the malware can log keystrokes, collect clipboard contents, and record active window titles. The collected data is stored in encrypted files before being transmitted to operators.
ESET also reports limited evidence that some SprySOCKS intrusions may have involved a UEFI bootkit component, potentially exploiting CVE-2023-24932, the Secure Boot bypass used by the BlackLotus bootkit, whose full mitigation requires applying Secure Boot revocations rather than only installing the monthly update. The researchers were unable to fully confirm bootkit deployment, but they noted that the possibility warrants close monitoring given FishMonger's continued investment in stealth and persistence technologies.