FishMonger Expands SprySOCKS Backdoor From Linux to Windows
FishMonger, a China-aligned cyberespionage group, has expanded the SprySOCKS backdoor from Linux to Windows, giving the group a broader toolset for spying on government and public-sector targets.
ESET researchers discovered two previously undocumented Windows variants of SprySOCKS, tracked as WIN_DRV and WIN_PLUS. ESET telemetry shows activity between 2023 and 2024, with victims in Honduras, Taiwan, Thailand, and Pakistan, mostly government organizations.
The discovery matters because SprySOCKS was previously known as a Linux backdoor. Its move to Windows shows FishMonger has continued to invest in cross-platform espionage tools, stealthier persistence, and more flexible command-and-control options.
SprySOCKS Was First Seen as a Linux Backdoor
SprySOCKS first drew attention in 2023, when Trend Micro reported that Earth Lusca, another name used for FishMonger activity, was deploying a Linux backdoor against government entities.
Trend Micro said the Linux version appeared to be based on Trochilus, an open-source Windows remote access tool, but had been modified enough to become a distinct backdoor. The malware also included SOCKS proxy features, encrypted payload loading, and command-and-control behavior linked to espionage operations.
The new Windows variants keep several elements from the Linux version, including similar command structures, encryption logic, and communication design. They also add Windows-specific techniques that make detection and investigation harder.
| Variant | Main feature | Defender concern |
|---|---|---|
| WIN_DRV | Uses kernel drivers for stealth | Can hide processes, files, registry keys, and network connections |
| WIN_PLUS | Uses print processor abuse and DLL loading | Can persist through legitimate Windows components |
| Linux SprySOCKS | Uses a loader and encrypted payload | Shows the backdoor's earlier derivation from the Windows Trochilus RAT |
FishMonger Uses Windows Drivers for Stealth
The more advanced Windows variant, WIN_DRV, uses a kernel driver called RawWNPF. This driver hides the malware’s network connections, running processes, files, and registry keys from normal Windows monitoring tools.
The driver also supports TCP traffic diversion. This lets the attackers send commands through open TCP ports without revealing the backdoor’s real listening port, making the traffic harder to trace during incident response.
The ESET analysis says the WIN_DRV version can create a stealthy passive TCP backdoor. It relies on the RawWNPF driver to redirect specially crafted packets to the hidden backdoor service.
WIN_PLUS Relies on Windows Persistence Tricks
The second Windows variant, WIN_PLUS, does not use the RawWNPF driver. Instead, it uses a different approach built around DLL loading, Windows print processor persistence, and encrypted payload storage.
The first-stage loader registers itself as a print processor through the Windows registry, then copies files into Windows spooler-related folders. It also restarts the print spooler service to trigger execution and remove traces from the original deployment location.
Both Windows variants decrypt payloads using 128-bit AES in ECB mode with a hardcoded key. They then inject the SprySOCKS backdoor into a newly created svchost.exe process using process doppelganging.
The Backdoor Supports More Than 30 Commands
SprySOCKS for Windows gives attackers a wide range of remote-control features. The backdoor can collect system information, list processes, manage services, move files, create files, delete files, transfer data, and run commands through cmd.exe.

It also supports keylogging and clipboard capture, but the keylogger does not run automatically in every case. ESET says keylogging activates only when a specific configuration file exists under the user’s AppData path and contains the right key value.
The malware communicates over TCP, UDP, and WebSocket. In the WIN_PLUS variant, researchers found a hardcoded command-and-control address at 207.148.78[.]36, with communication over TCP port 443, UDP port 53, and WebSocket port 80.
- System information collection
- Process enumeration
- Service management
- File listing, creation, deletion, and transfer
- Remote shell access through cmd.exe
- SOCKS proxy support
- Keylogging and clipboard capture when enabled
- TCP, UDP, and WebSocket command-and-control channels
Possible UEFI Bootkit Link Needs Careful Handling
ESET found limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly connected to CVE-2023-24932. That does not mean every SprySOCKS infection uses a bootkit or that exploitation has been confirmed across all observed cases.
Microsoft guidance describes CVE-2023-24932 as a Secure Boot bypass linked to the BlackLotus UEFI bootkit. Microsoft says mitigations require revoking vulnerable boot managers, which can affect some boot configurations.
For enterprises, this means Secure Boot hardening should not be rushed without testing. Microsoft’s CVE-2023-24932 protections require planning, updated recovery media, and validation across device classes before enforcement.
Who FishMonger Targets
FishMonger is associated with China-linked espionage activity and is also tracked as Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10. ESET says the group is believed to be operated by the Chinese contractor I-SOON and falls under the wider Winnti Group umbrella.
The group has previously targeted universities in Hong Kong, government entities, foreign affairs organizations, technology organizations, and telecommunications-related targets. Its broader toolkit includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, BIOPASS RAT, and SprySOCKS.

The earlier Trend Micro report also said Earth Lusca frequently targeted public-facing servers and exploited known server-side vulnerabilities. That matches ESET’s view that public-facing systems may have played a role in some Windows SprySOCKS compromises.
How Defenders Can Detect SprySOCKS Activity
Organizations should focus on both endpoint artifacts and behavior. The presence of unusual files in Windows Fonts, spooler, or AppData paths should trigger investigation, especially when paired with suspicious registry keys or unexpected print processor entries.
Defenders should also monitor for unsigned or suspicious kernel drivers, hidden network activity, process injection into svchost.exe, and abnormal communication with external IP addresses over ports 443, 53, and 80.
Public-facing servers should remain fully patched because FishMonger has a history of exploiting known vulnerabilities. Logs should also be reviewed for unusual access to web servers, VPN portals, remote management services, and administrative interfaces.
| Area to check | Suspicious sign | Why it matters |
|---|---|---|
| Windows Fonts folder | Unexpected .dat files or DLLs | WIN_DRV stores encrypted components there |
| Print processor registry keys | Unexpected entry such as VSPMsg | WIN_PLUS can persist through print processor abuse |
| svchost.exe | Unexpected injected payload behavior | Both variants inject into svchost.exe |
| Kernel drivers | Unknown driver loading activity | WIN_DRV uses drivers to hide activity |
| Network traffic | Connections to 207.148.78[.]36 | Known C2 address in the WIN_PLUS campaign |
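The checks in the table above, as an added detection sketch that is not part of the ESET research or this article. It assumes Sysmon-style event records (EventID, TargetObject, ImageLoaded, DestinationIp, TargetFilename, Image, ParentImage) and that winprint is the only print processor on a clean host; the svchost.exe parent check is a general heuristic, not something the article states.

```python
# Added detection sketch, not from ESET or the article; event field names follow Sysmon
# (EventID, TargetObject, ImageLoaded, DestinationIp, TargetFilename, Image, ParentImage).
KNOWN_C2 = {"207.148.78.36"}          # WIN_PLUS C2 address from the article
C2_PORTS = {443, 53, 80}              # TCP 443, UDP 53, WebSocket 80
SUSPECT_DRIVERS = {"rawwnpf"}         # WIN_DRV kernel driver name
FONT_OK_EXT = {".ttf", ".otf", ".ttc", ".fon"}
PRINT_PROC_KEY = "\\control\\print\\environments\\windows x64\\print processors\\"
DEFAULT_PRINT_PROCESSORS = {"winprint"}  # stock processor on a clean host (assumption)

def triage(events):
    """Return (rule, detail) tuples for events matching the article's indicators."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # RegistryValueSet: a print processor other than winprint registered
            key = ev.get("TargetObject", "").lower()
            if PRINT_PROC_KEY in key:
                name = key.split(PRINT_PROC_KEY, 1)[1].split("\\", 1)[0]
                if name not in DEFAULT_PRINT_PROCESSORS:
                    findings.append(("print_processor", name))
        elif eid == 6:  # DriverLoad: known-bad driver name or unsigned driver
            img = ev.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1]
            if img.rsplit(".", 1)[0] in SUSPECT_DRIVERS or ev.get("Signed", "true").lower() != "true":
                findings.append(("driver_load", img))
        elif eid == 3:  # NetworkConnect: published C2 address over one of its three ports
            ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
            if ip in KNOWN_C2 and port in C2_PORTS:
                findings.append(("c2_connection", f"{ip}:{port}/{ev.get('Protocol', '?')}"))
        elif eid == 11:  # FileCreate: non-font file dropped into Windows\Fonts
            path = ev.get("TargetFilename", "").lower()
            if "\\windows\\fonts\\" in path and "." + path.rsplit(".", 1)[-1] not in FONT_OK_EXT:
                findings.append(("fonts_drop", path))
        elif eid == 1:  # ProcessCreate: svchost.exe not spawned by services.exe (heuristic)
            if ev.get("Image", "").lower().endswith("\\svchost.exe") and \
                    not ev.get("ParentImage", "").lower().endswith("\\services.exe"):
                findings.append(("svchost_odd_parent", ev.get("ParentImage", "")))
    return findings

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\VSPMsg\Driver"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\RawWNPF.sys", "Signed": "false"},
    {"EventID": 3, "DestinationIp": "207.148.78.36", "DestinationPort": "53", "Protocol": "udp"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\Fonts\cache.dat"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\Fonts\arial.ttf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Users\Public\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule fires independently, so a single match (for example the print processor entry alone) is enough to open an investigation even when the other artifacts are absent.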
SprySOCKS Shows FishMonger Is Still Improving Its Toolkit
The Windows version of SprySOCKS gives FishMonger a more complete espionage toolkit. The group can now target Windows environments with stealth features that go beyond normal backdoor behavior.
For defenders, the most important lesson is practical. Patch public-facing systems, restrict administrative access, monitor driver loading, review print processor changes, and treat unusual svchost.exe activity as a high-priority signal.
FAQ
SprySOCKS is a backdoor linked to FishMonger, also known as Earth Lusca. It was first documented as a Linux backdoor and has now been found in two Windows variants called WIN_DRV and WIN_PLUS.
FishMonger is a China-aligned cyberespionage group also tracked as Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10. ESET says the group is believed to be operated by the Chinese contractor I-SOON and is part of the broader Winnti Group ecosystem.
The WIN_DRV variant uses a kernel driver to hide processes, files, registry keys, and network connections. The WIN_PLUS variant uses Windows print processor persistence and encrypted payload loading. Both variants support more than 30 remote-control commands.
ESET found limited indications that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly related to CVE-2023-24932. This does not mean every infection uses a bootkit.
Organizations should patch public-facing servers, monitor for suspicious kernel drivers, review print processor registry entries, inspect unusual svchost.exe activity, restrict administrative access, and investigate traffic linked to known SprySOCKS infrastructure.