INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
China-Linked Ports Exploit Windows with Kernel-Level Stealth
2026-06-17 08:10 | CRITICAL | HIGH
Executive Summary (AI-generated)
The Windows port of the SprySOCKS backdoor has been attributed to China-linked actors, with evidence that they have targeted governments in multiple countries. The malware is a sophisticated backdoor that uses kernel-level stealth, with hints of a UEFI bootkit, to compromise Windows systems. Its variants are internally marked as WIN_DRV and WIN_PLUS and share their core architecture with the original Linux variant. A first-stage loader injects a SprySOCKS loader into newly created svchost.exe processes, which launch the malware. Limited indications suggest the possible use of a UEFI bootkit exploiting CVE-2023-24932, the Windows Boot Manager vulnerability associated with BlackLotus.
Technical Mitigations (AI-generated)
* Kernel-Level Stealth: The SprySOCKS WIN_DRV variant uses a kernel driver to hide the malware's network connections, running processes, files, and registry keys from any tool operating at the user level, which makes the backdoor hard for user-mode security software to detect.
* UEFI Bootkit Hints: ESET researchers found limited indications suggesting the possible use of a UEFI bootkit, potentially exploiting CVE-2023-24932 (the Windows Boot Manager vulnerability associated with BlackLotus), which Microsoft patched in May 2023. The attackers may have used this vulnerability to deploy their backdoors.
* TCP Traffic Diverting: The WIN_DRV variant diverts TCP traffic to hide its command channel from network monitoring: the operator can send commands to an arbitrary TCP port on the victim's device, and the kernel driver redirects that traffic to the hidden TCP port where the commands are processed.
* Print Spooler Service as Starting Point: Both variants use the Windows Print Spooler service (spoolsv.exe) as their starting point. A first-stage loader runs as a print processor and injects a SprySOCKS loader into a newly created svchost.exe process, so the malicious activity is hosted by processes that security software expects to see.
* Background Noise: Both of those processes (spoolsv.exe and svchost.exe) appear constantly in normal Windows environments, so the malware's presence and activity blend into background noise and are difficult to spot.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation FishMedley; Aquatic Panda; Earth Lusca; RedLeaves; CVE-2023-24932
Target & Sectors: NORTH_AMERICA; government; telecommunications; technology
Incident Timeline
May 2023
The incident involved the exploitation of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, by Chinese state-linked groups.
Entity context:
Microsoft (organisation)
Microsoft patched it in May 2023.
The security flaw was addressed by Microsoft in May 2023.
Windows, Linux (infrastructure); FishMonger (organisation)
SprySOCKS is derived from a Windows remote access tool called Trochilus, which also underpins RedLeaves, another backdoor with significant source code overlap.
“The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger’s cross-platform capabilities,” concludes the report.
“Our analysis shows that the Windows port retains most of the core architecture of its Linux predecessor – including the C&C protocol, encryption used, and overall command handling logic – while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game.”
For defenders, the practical consequence is straightforward: detection rules and threat intelligence built around SprySOCKS as a Linux-only threat now need to cover Windows endpoints as well, including kernel-level driver activity and Print Spooler abuse as potential indicators.
Webworm (organisation)
A third group, Webworm, shares tradecraft with both FishMonger and SixLittleMonkeys, and also uses Trochilus.
Source: Pierluigi Paganini, SecurityAffairs (hacking, FishMonger)
September 2023
China-linked FishMonger's Windows ports of SprySOCKS use the Windows Print Spooler service as their starting point; Trend Micro first documented the Linux variant in September 2023 and attributed it to Earth Lusca.
Entity context:
China (source_region); Linux (infrastructure); Trend Micro (organisation); Earth Lusca, Aquatic Panda (threat_actor); Charcoal Typhoon, RedHotel (organisation); Bronze University (attribution)
Trend Micro first documented the Linux variant in September 2023 and attributed it to Earth Lusca, a China-linked actor also tracked as Aquatic Panda, Charcoal Typhoon, and RedHotel, which has been active since at least 2021 and operated by a Chinese contractor named i-Soon.
SprySOCKS was first publicly documented by Trend Micro in September 2023, attributing its use to a China-nexus state-sponsored threat actor known as Earth Lusca, which is also tracked by the cybersecurity community under the monikers Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel.
Windows, 1.8 (infrastructure); the Windows Print Spooler, C&C, TCP, WebSocket, RawWNPF, DLL (organisation)
“ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger,” reads the report published by ESET.
The two variants are part of SprySOCKS version 1.8 and share the core architecture of the Linux original variant: the same command-and-control protocol, the same encryption, the same overall command handling logic.
“The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS.
It uses the Windows Print Spooler service, spoolsv.exe, as its starting point.
Both processes are ones that appear in normal Windows environments constantly, which makes the activity blend into background noise.
Both come with a hardcoded C&C configuration and support communication over TCP, UDP, and WebSocket protocols.”
It uses a kernel driver named RawWNPF, stored on disk as KW1B5206BDC1743FP.dat, to hide the malware’s network connections, running processes, files, and registry keys from any tool operating at the user level.
The attack chain starts with an undetermined initial access method that drops a batch script, which creates a scheduled task, which triggers a DLL side-loading sequence that installs the backdoor and its driver components.
July 2024
The WIN_PLUS variant of China-linked FishMonger's SprySOCKS Windows port was first detected in July 2024 on a victim device in Pakistan.
Entity context:
Pakistan (target_region)
WIN_PLUS was first detected in July 2024 on a device in Pakistan.
The WIN_PLUS version was first detected in July 2024 on a victim device geolocated to Pakistan.
March 2025
ESET's March 2025 report on Operation FishMedley linked China-linked FishMonger to a global campaign targeting organizations in Taiwan, Hungary, Turkey, Thailand, France, and the US; the SprySOCKS Windows port adds kernel-level stealth and UEFI bootkit hints to the group's known tradecraft.
Entity context:
Taiwan, Province of China; Thailand; Hungary; France; United States (target_region); Operation FishMedley (organisation)
FishMonger’s previous targets include organizations in Taiwan, Hungary, Turkey, Thailand, France, and the US, documented in ESET’s March 2025 report on Operation FishMedley.
In a report published in March 2025, the company linked the hacking group to a global campaign dubbed Operation FishMedley targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022.
Windows (infrastructure); CVE-2023-24932, UEFI, BlackLotus (organisation)
ESET found limited indications suggesting the possible use of a UEFI bootkit, potentially exploiting CVE-2023-24932, the Windows Boot Manager vulnerability associated with BlackLotus.
between 2023 and 2024
Windows variants of the China-linked FishMonger malware family were used to target government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024.
Entity context:
Pakistan; Honduras; Taiwan, Province of China; Thailand (target_region); Government (industry); Windows (infrastructure); ESET (attribution)
Evidence suggests the artifacts were deployed between 2023 and 2024 against government organizations in Honduras, Taiwan, Thailand, and Pakistan.
Evidence indicates that the artifacts may have been deployed between 2023 and 2024 in attacks targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan.
Now, ESET researchers discovered Windows variants of the same malware family that were used between 2023 and 2024 in attacks on government organizations in Taiwan, Thailand, Pakistan, and Honduras.
between January and October 2022
Between January and October 2022, China-linked FishMonger ran Operation FishMedley, a global campaign against seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S., as reported by ESET in March 2025.
Entity context:
Taiwan, Province of China; Thailand; Hungary; France (target_region); Operation FishMedley (campaign)
In a report published in March 2025, the company linked the hacking group to a global campaign dubbed Operation FishMedley targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022.
2026/06/17
China-linked FishMonger ports SprySOCKS to Windows with kernel-level stealth and UEFI bootkit hints.
Entity context:
Windows (infrastructure)
China-Linked FishMonger Ports SprySOCKS to Windows With Kernel-Level Stealth and UEFI Bootkit Hints
China-linked FishMonger used two SprySOCKS Windows variants that leveraged kernel drivers and the Print Spooler to target governments in four countries.
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth.
ESET researchers have found two previously undocumented Windows versions of SprySOCKS, a backdoor that the security community had until now treated as Linux-only.
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS.
"The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News.
Like its Linux counterpart, the Windows versions support more than 30 commands to facilitate system information collection, process enumeration, service management, and file system operations.
SprySOCKS is based on a Windows remote access trojan called Trochilus, and shares several common traits with RedLeaves, a backdoor that also exhibits extensive source code overlaps with Trochilus.
Execution Chain
The Windows variants are part of version 1.8 of SprySOCKS, with the WIN_DRV sample using a kernel driver referred to as RawWNPF ("KW1B5206BDC1743FP.dat") for advanced stealth, while retaining the functionality present in the Linux variant.
"The Windows version retains most of the core architecture of its Linux predecessor — including the C&C protocol, encryption used, and overall command handling logic — while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game," ESET researcher Martin Smolár said.
It leverages the Windows Print Spooler service ("spoolsv.exe") as a starting point to execute a first-stage loader that runs as a print processor.
What's more, there are "limited indications" suggesting the involvement of a UEFI bootkit, likely exploiting CVE-2023-24932 (CVSS score: 6.7), a security feature bypass vulnerability in the Windows Boot Manager that’s famously associated with the BlackLotus UEFI bootkit.
"The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger's cross-platform capabilities," ESET said.
"The Windows port retains most of the core architecture of its Linux predecessor – including the C&C protocol, encryption used, and overall command handling logic – while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game."
Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.
Windows version of SprySOCKS Linux malware used to attack govt orgs.
Unlike the previously documented Linux version, the Windows variant adds kernel-level stealth capabilities allowing operators to hide malware artifacts and communicate with the backdoor through traffic redirected from arbitrary TCP ports.
The two variants are WIN_DRV, which features kernel drivers for rootkit-like capabilities, and WIN_PLUS, a more barebones backdoor.
The driver enables the malware to hide processes via Windows API manipulation, hide network connections, hide files from directory listings, and hide malicious Registry key entries it uses for persistence.
Persistence is achieved via scheduled tasks and Image File Execution Options (IFEO) via vds.exe for WIN_DRV, and registering the payload as a Windows Print Processor (VSPMsg) for WIN_PLUS.
ESET's report provides a detailed technical analysis and indicators of compromise that could help organizations identify and protect against attacks using Windows versions of the SprySOCKS backdoor.
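As an added defender-side example (not ESET's tooling and not code from any of the articles quoted on this page), the script below is a read-only PowerShell hunt over the persistence and loader locations the reporting names for WIN_DRV and WIN_PLUS: the print-processor registration (VSPMsg), the Image File Execution Options Debugger value for vds.exe, scheduled tasks whose action runs a batch script or loads a DLL, and the RawWNPF driver by its reported on-disk name KW1B5206BDC1743FP.dat. The registry paths are the standard Windows locations; the assumption that winprint is the only stock print processor, the regular expression used to flag task actions, and the function name Invoke-SprySocksPersistenceHunt are mine, not ESET's. Run it from an elevated session and compare the output with a clean baseline rather than treating each row as a verdict.

```powershell
# Added example, not ESET's tooling. Read-only hunt for the persistence and
# loader locations reported for SprySOCKS WIN_DRV and WIN_PLUS.
# Assumptions (mine, not from the reporting): the registry paths are the standard
# Windows locations; "winprint" is treated as the only stock print processor;
# the task-action regex is a starting heuristic to tune for your environment.

function Invoke-SprySocksPersistenceHunt {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Where, [string]$Detail, [string]$Note) {
        $findings.Add([pscustomobject]@{ Check = $Check; Where = $Where; Detail = $Detail; Note = $Note })
    }

    # 1. Print processors. spoolsv.exe loads each subkey's "Driver" DLL from
    #    %SystemRoot%\System32\spool\prtprocs\<arch>\; WIN_PLUS registers one named VSPMsg.
    $envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue | ForEach-Object {
        Get-ChildItem -Path "$($_.PSPath)\Print Processors" -ErrorAction SilentlyContinue | ForEach-Object {
            $name   = $_.PSChildName
            $driver = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
            if ($name -ine 'winprint') {
                $note = if ($name -ieq 'VSPMsg') { 'name reported for the WIN_PLUS print processor' } else { 'non-default print processor; compare with a clean baseline' }
                Add-Finding 'PrintProcessor' $_.PSPath "name=$name driver=$driver" $note
            }
        }
    }

    # 2. Image File Execution Options. A "Debugger" value makes Windows start that
    #    program in place of the named executable; WIN_DRV is reported to use vds.exe.
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $note = if ($_.PSChildName -ieq 'vds.exe') { 'vds.exe is the IFEO target reported for WIN_DRV' } else { 'IFEO Debugger set; verify the debugger path' }
            Add-Finding 'IFEO' $_.PSPath "Debugger=$dbg" $note
        }
    }

    # 3. Scheduled tasks. The reported chain is batch script -> scheduled task ->
    #    DLL side-loading, so flag actions that run .bat/.cmd files or load DLLs.
    #    Windows' own tasks also use rundll32, so review hits rather than alert on them.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '(?i)\.(bat|cmd)(\s|"|$)|rundll32|regsvr32') {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd 'runs a batch script or loads a DLL; verify author and file hashes'
            }
        }
    }

    # 4. Driver service. The RawWNPF driver exists to hide artifacts from user-mode
    #    tools, so an empty result here does not clear the host; it is one signal among several.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'RawWNPF' -or $_.PathName -match 'KW1B5206BDC1743FP' } |
        ForEach-Object { Add-Finding 'Driver' $_.PathName "service=$($_.Name) state=$($_.State)" 'matches the driver reported for WIN_DRV' }

    return $findings
}

Invoke-SprySocksPersistenceHunt | Format-Table -AutoSize -Wrap
```

The kernel-level stealth described in the article applies to this script as much as to any other user-mode tool: on a host where the WIN_DRV driver is already loaded, the registry and driver checks may come back clean. The checks are most useful on hosts where the driver has not loaded, as a baseline comparison across a fleet, or when run against offline registry hives during forensic review.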
FishMonger (organisation)
The Slovakian cybersecurity vendor, which has assigned the name FishMonger to the threat cluster, has described it as a cyber espionage group that falls under the broader Winnti umbrella.
Webworm (organisation)
What's more, the use of Trochilus is linked to another Chinese threat actor known as Webworm, which, in turn, has tradecraft commonalities with both FishMonger and SixLittleMonkeys.
Earth Lusca, Aquatic Panda (threat_actor); ESET (organisation)
SprySOCKS has been linked to the Chinese threat group ‘Earth Lusca,’ which deployed it in attacks against government entities focused on foreign affairs, technology, and telecommunications.
ESET attributes the activity with high confidence to the Earth Lusca threat actor, which they track as ‘FishMonger’ (also ‘Aquatic Panda,’ ‘Red Dev 10,’ and TAG-22).
Although these variants are not new, their discovery indicates that Earth Lusca has expanded its arsenal to target a more diverse variety of systems.
CVE-2023-24932, UEFI, BlackLotus (organisation)
[Figure: The WIN_DRV execution flow. Source: ESET]
ESET telemetry data also showed indications of a UEFI bootkit component that might exploit CVE-2023-24932, a Secure Boot flaw previously used as a zero-day by the BlackLotus UEFI malware.
C&C, TCP (organisation)
"Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols."
Both variants offer the following capabilities:
* Communicate over TCP, UDP, and WebSocket
* Support more than 30 command-and-control (C2) commands
* Collect system information
* Enumerate and manage processes and services
* List, create, delete, upload, download, copy, rename, and execute files
* Support SOCKS proxy functionality
* Can operate as both a client and a server
Other entities tagged for this entry, whose context is the article text above: Linux (infrastructure); The Hacker News (organisation); 1.8 (infrastructure); RawWNPF, the Windows Print Spooler, Registry, Image File Execution Options, Windows Print Processor (organisation).
Log keystrokes, clipboard content, and active window titles
The WIN_PLUS variant execution flow
Source: ESET
The WIN_DRV variant includes the additional functionality of loading a driver named ‘RawWNPF’ directly into memory.
organisation
WebSocket
"Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols.
Both variants offer the following capabilities:
Communicate over TCP, UDP, and WebSocket
Support more than 30 command-and-control (C2) commands
Collect system information
Enumerate and manage processes and services
List, create, delete, upload, download, copy, rename, and execute files
Support SOCKS proxy functionality
Can operate as both a client and a server
Log keystrokes, clipboard content, and active window titles
The WIN_PLUS variant execution flow
Source: ESET
The WIN_DRV variant includes the additional functionality of loading a driver named ‘RawWNPF’ directly into memory.
organisation
Communicate
Both variants offer the following capabilities:
Communicate over TCP, UDP, and WebSocket
Support more than 30 command-and-control (C2) commands
Collect system information
Enumerate and manage processes and services
List, create, delete, upload, download, copy, rename, and execute files
Support SOCKS proxy functionality
Can operate as both a client and a server
Log keystrokes, clipboard content, and active window titles
The WIN_PLUS variant execution flow
Source: ESET
The WIN_DRV variant includes the additional functionality of loading a driver named ‘RawWNPF’ directly into memory.
organisation
Enumerate
Both variants offer the following capabilities:
Communicate over TCP, UDP, and WebSocket
Support more than 30 command-and-control (C2) commands
Collect system information
Enumerate and manage processes and services
List, create, delete, upload, download, copy, rename, and execute files
Support SOCKS proxy functionality
Can operate as both a client and a server
Log keystrokes, clipboard content, and active window titles
The WIN_PLUS variant execution flow
Source: ESET
The WIN_DRV variant includes the additional functionality of loading a driver named ‘RawWNPF’ directly into memory.
organisation
DLL
The attack chain makes use of an as-yet-undetermined initial access pathway to drop a batch script, which then creates and executes a scheduled task responsible for triggering a DLL side-loading chain that drops the SprySOCKS backdoor and the driver components.
organisation
Fortinet
However, it's worth noting that the group has previously exploited N-day security flaws in public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra instances to obtain a foothold.
organisation
GitLab
However, it's worth noting that the group has previously exploited N-day security flaws in public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra instances to obtain a foothold.
organisation
Microsoft Exchange
However, it's worth noting that the group has previously exploited N-day security flaws in public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra instances to obtain a foothold.
organisation
GitHub
The driver is loaded from another kernel driver named ‘DriverLoader’ (fsdiskbit.sys) signed using a leaked certificate from the GitHub PastDSE project.
organisation
EDR
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
China-Linked FishMonger Ports SprySOCKS to Windows With Kernel-Level Stealth and UEFI Bootkit Hints
China-linked FishMonger used two SprySOCKS Windows variants that leveraged kernel drivers and the Print Spooler to target governments in four countries.
ESET researchers have found two previously undocumented Windows versions of SprySOCKS, a backdoor that the security community had until now treated as Linux-only.
“ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger,” reads the report published by ESET.
“The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS.”
The malware uses the Windows Print Spooler service, spoolsv.exe, as its starting point. Both processes appear constantly in normal Windows environments, which lets the activity blend into background noise.
ESET found limited indications suggesting the possible use of a UEFI bootkit, potentially exploiting CVE-2023-24932, the Windows Boot Manager vulnerability associated with BlackLotus.
SprySOCKS is derived from a Windows remote access tool called Trochilus, which also underpins RedLeaves, another backdoor with significant source code overlap.
“The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger’s cross-platform capabilities,” concludes the report.
“Our analysis shows that the Windows port retains most of the core architecture of its Linux predecessor – including the C&C protocol, encryption used, and overall command handling logic – while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game.”
For defenders, the practical consequence is straightforward: detection rules and threat intelligence built around SprySOCKS as a Linux-only threat now need to cover Windows endpoints as well, including kernel-level driver activity and Print Spooler abuse as potential indicators.
China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth.
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS.
"The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News.
"Like its Linux counterpart, the Windows versions support more than 30 commands to facilitate system information collection, process enumeration, service management, and file system operations."
SprySOCKS is based on a Windows remote access trojan called Trochilus, and shares several common traits with RedLeaves, a backdoor that also exhibits extensive source code overlaps with Trochilus.
Execution Chain
The Windows variants are part of version 1.8 of SprySOCKS, with the WIN_DRV sample using a kernel driver referred to as RawWNPF ("KW1B5206BDC1743FP.dat") for advanced stealth, while retaining the functionality present in the Linux variant.
"The Windows version retains most of the core architecture of its Linux predecessor — including the C&C protocol, encryption used, and overall command handling logic — while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game," ESET researcher Martin Smolár said.
It leverages the Windows Print Spooler service ("spoolsv.exe") as a starting point to execute a first-stage loader that runs as a print processor.
What's more, there are "limited indications" suggesting the involvement of a UEFI bootkit, likely exploiting CVE-2023-24932 (CVSS score: 6.7), a security feature bypass vulnerability in the Windows Boot Manager that’s famously associated with the BlackLotus UEFI bootkit.
"The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger's cross-platform capabilities," ESET said.
"The Windows port retains most of the core architecture of its Linux predecessor – including the C&C protocol, encryption used, and overall command handling logic – while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game."
Windows version of SprySOCKS Linux malware used to attack govt orgs.
Windows variants for the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries.
Now, ESET researchers discovered Windows variants of the same malware family that were used between 2023 and 2024 in attacks on government organizations in Taiwan, Thailand, Pakistan, and Honduras.
Unlike the previously documented Linux version, the Windows variant adds kernel-level stealth capabilities allowing operators to hide malware artifacts and communicate with the backdoor through traffic redirected from arbitrary TCP ports.
The two variants are WIN_DRV, which features kernel drivers for rootkit-like capabilities, and WIN_PLUS, a more barebones backdoor.
The driver enables the malware to hide processes via Windows API manipulation, hide network connections, hide files from directory listings, and hide malicious Registry key entries it uses for persistence.
Persistence is achieved via scheduled tasks and Image File Execution Options (IFEO) via vds.exe for WIN_DRV, and registering the payload as a Windows Print Processor (VSPMsg) for WIN_PLUS.
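A defender-side audit of the two registry-based persistence locations named above, written here as an added example (not code from ESET's report or any of the quoted articles). It assumes a 64-bit host, an elevated PowerShell session and the standard Windows registry paths; only the names vds.exe and VSPMsg come from the reporting.

```powershell
# Added example: audit IFEO "Debugger" entries and registered print processors,
# the two persistence locations the reporting attributes to WIN_DRV and WIN_PLUS.
# Assumptions: 64-bit Windows, elevated session; registry paths are the standard ones.
function Get-SprySocksPersistenceAudit {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1) Image File Execution Options: a "Debugger" value under an executable's key
    #    makes Windows start that "debugger" instead of the executable. Legitimate use
    #    is rare outside developer machines, so every hit deserves review; vds.exe is
    #    the executable reported for WIN_DRV.
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in (Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        $flag = 'REVIEW'
        if ($key.PSChildName -ieq 'vds.exe') { $flag = 'MATCHES-REPORTED' }
        $findings.Add([pscustomobject]@{
            Location  = 'IFEO'
            Name      = $key.PSChildName
            Value     = $dbg
            Signature = 'n/a'
            Flag      = $flag
        })
    }

    # 2) Print processors: each subkey's "Driver" value names a DLL that spoolsv.exe
    #    loads from the prtprocs directory. "winprint" is the built-in one; anything
    #    else, and in particular an unsigned DLL, needs justification. VSPMsg is the
    #    name reported for WIN_PLUS.
    $ppRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
    $ppDir  = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'
    foreach ($key in (Get-ChildItem -Path $ppRoot -ErrorAction SilentlyContinue)) {
        $dll  = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Driver
        $sig  = 'FILE-MISSING'
        if ($dll) {
            $path = Join-Path $ppDir $dll
            if (Test-Path -LiteralPath $path) {
                # Authenticode status: Valid, NotSigned, HashMismatch, ...
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }
        }
        $flag = 'REVIEW'
        if ($key.PSChildName -ieq 'winprint' -and $sig -eq 'Valid') { $flag = 'DEFAULT' }
        if ($key.PSChildName -ieq 'VSPMsg') { $flag = 'MATCHES-REPORTED' }
        $findings.Add([pscustomobject]@{
            Location  = 'PrintProcessor'
            Name      = $key.PSChildName
            Value     = $dll
            Signature = $sig
            Flag      = $flag
        })
    }

    return $findings
}

# Usage: anything flagged REVIEW or MATCHES-REPORTED is a lead, not a verdict.
Get-SprySocksPersistenceAudit | Format-Table -AutoSize
```

Pair the registry findings with a scheduled-task review on the same host, since the reporting lists scheduled tasks as the other WIN_DRV persistence mechanism.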
ESET's report provides a detailed technical analysis and indicators of compromise that could help organizations identify and protect against attacks using Windows versions of the SprySOCKS backdoor.
Trend Micro first documented the Linux variant in September 2023 and attributed it to Earth Lusca, a China-linked actor also tracked as Aquatic Panda, Charcoal Typhoon, and RedHotel, which has been active since at least 2021 and is operated by a Chinese contractor named i-Soon.
The two variants are part of SprySOCKS version 1.8 and share the core architecture of the Linux original variant: the same command-and-control protocol, the same encryption, the same overall command handling logic.
Intelligence Sources
Security Affairs (2026-06-17)
The Hacker News (2026-06-16)
BleepingComputer (2026-06-16): Windows version of SprySOCKS Linux malware used to attack govt orgs