
SprySOCKS Backdoor Expands its Reach from Linux to Windows


A recent analysis by ESET has revealed that a backdoor utilized by a China-aligned espionage group has made a significant leap from its original Linux platform to the Windows operating system. This backdoor, known as SprySOCKS, has recently acquired an advanced kernel-level stealth capability, allowing it to evade detection by the various tools cybersecurity defenders depend on to recognize intrusions.

ESET’s newly published findings identify two previously undocumented versions of SprySOCKS specifically designed for Windows, referred to as WIN_DRV and WIN_PLUS. These variants are notably equipped with hardcoded command-and-control (C2) configurations and come packed with a wide array of espionage functionalities.

Upon investigation, ESET telemetry traced actual attack activity to 2023 and 2024. These operations primarily targeted governmental institutions in Honduras, Taiwan, Thailand, and Pakistan. SprySOCKS first appeared in 2023 as a Linux backdoor, but its transition to Windows presents new challenges for cybersecurity professionals.

### Hiding in the Kernel

Of the two variants identified, WIN_DRV is particularly concerning due to its employment of a kernel driver that functions as a rootkit. This enables it to conceal malware files, active processes, registry entries, and network connections from standard detection tools like netstat. The rootkit’s stealth capabilities allow the operators to access the backdoor discreetly; it reroutes traffic from any open port to a hidden backdoor port whenever a specific marker is detected within the data packets. This carefully orchestrated concealment keeps the actual destination hidden from sight, making it increasingly difficult for cybersecurity measures to track malicious activity.
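The paragraph above says the rootkit hides network connections from host tools such as netstat. A kernel driver can filter what the host reports about itself, but it cannot filter what a sensor outside the host (a span port, perimeter firewall log or NetFlow collector) observes, so comparing the two views is a standard way to surface what was hidden. The script below is an added illustration of that cross-view check; it is not ESET's code or anything from the malware, and the netstat output, the sensor export format (`proto,src_ip,src_port,dst_ip,dst_port`) and all addresses in it are constructed for the example.

```python
"""Cross-view detection of network connections hidden by a rootkit.

Added example (not ESET's or the malware authors' code). A kernel rootkit can
filter what host tools such as netstat report, but it cannot filter what a
network sensor outside the host sees. Diffing the two views surfaces the
connections the host failed to report. All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    """One connection, normalized to the monitored host's point of view."""
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


def parse_netstat(text: str) -> set[Flow]:
    """Parse 'netstat -ano' style output as the host itself reports it.

    Listening or unbound sockets (remote 0.0.0.0:0 or *:*) are skipped: the
    sensor only sees traffic, so only actual connections are compared.
    """
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        proto, local, remote = parts[0], parts[1], parts[2]
        _, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        if rport in ("0", "*"):
            continue  # listening / unbound socket, not a connection
        flows.add(Flow(proto, int(lport), rip, int(rport)))
    return flows


def parse_sensor(text: str, host_ip: str) -> set[Flow]:
    """Parse a constructed sensor export: proto,src_ip,src_port,dst_ip,dst_port.

    The sensor has no notion of 'local'; each record is oriented so that the
    monitored host is the local side. Records not involving the host are dropped.
    """
    flows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, sip, sport, dip, dport = line.split(",")
        if sip == host_ip:
            flows.add(Flow(proto, int(sport), dip, int(dport)))
        elif dip == host_ip:
            flows.add(Flow(proto, int(dport), sip, int(sport)))
    return flows


def hidden_flows(host_view: set[Flow], sensor_view: set[Flow]) -> list[Flow]:
    """Connections the network saw but the host did not report."""
    return sorted(sensor_view - host_view)


# Constructed host-side view: what netstat on 10.0.0.5 claims is open.
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:443           10.0.0.7:51234         ESTABLISHED     4
  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED     2048
  UDP    0.0.0.0:123            *:*                                    1122
"""

# Constructed network-side view from a sensor that cannot be filtered by the host.
SENSOR_FLOWS = """\
# proto,src_ip,src_port,dst_ip,dst_port
TCP,10.0.0.7,51234,10.0.0.5,443
TCP,10.0.0.5,49700,10.0.0.9,445
TCP,198.51.100.23,40111,10.0.0.5,443
TCP,10.0.0.9,3389,10.0.0.8,50002
"""


def run_check(host_ip: str = "10.0.0.5") -> list[Flow]:
    """Return the connections to/from host_ip that the host's own tools omit."""
    return hidden_flows(parse_netstat(HOST_NETSTAT),
                        parse_sensor(SENSOR_FLOWS, host_ip))


if __name__ == "__main__":
    for f in run_check():
        print(f"HIDDEN: {f.proto} local port {f.local_port} "
              f"<-> {f.remote_ip}:{f.remote_port}")
```

In the constructed data the host lists one connection on port 443, while the sensor sees two; the unreported one (from 198.51.100.23) is exactly the kind of session a port-rerouting rootkit would keep off the host's socket table. In practice the host view should be collected at the same moment as the sensor window, and short-lived sessions may legitimately appear only on one side, so the check is best applied to long-lived connections or repeated over several samples.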

WIN_DRV and WIN_PLUS share operational characteristics, communicating with their operators through three primary channels: TCP, UDP, or WebSocket, with each variant capable of operating either as a client or as a server. Together, these backdoors support over 30 operational commands, ranging from system and network reconnaissance to file manipulation and tunneling via a built-in SOCKS proxy.

In addition to its impressive array of functionalities, the malware has the capability to log keystrokes and capture clipboard contents if activated. Furthermore, it creates a Windows firewall rule to allow its traffic to pass through unimpeded, raising the stakes for organizations targeted by this sophisticated cyber espionage tool.

### Part of a Wider Espionage Toolkit

The FishMonger group, also recognized under the aliases Earth Lusca and Aquatic Panda, is known to operate within the broader Winnti umbrella and is believed to be based in Chengdu, China. This group’s toolkit is extensive, previously including elements such as ShadowPad, Cobalt Strike, and the Biopass RAT. Interestingly, it is thought that the group might be linked to contractor I-Soon, whose employees faced indictment in the United States in March 2025 for their involvement in hacking-for-hire operations.

While ESET has not confirmed the specific methods the attackers used to infiltrate target networks, it is well-documented that FishMonger typically exploits unpatched public-facing servers. Once inside a system, the malware is adept at concealing itself among legitimate signed Windows files via DLL side-loading, ensuring it remains undetected and sets itself up to run at system startup.

Particularly alarming is ESET's finding of limited indications that some attacks may go even deeper, involving a UEFI bootkit that would execute before the Windows operating system itself loads. This development is a significant concern for defenders, as such low-level techniques complicate mitigation and response efforts.

In conclusion, the latest findings underscore the ongoing challenges faced by cybersecurity professionals in combating sophisticated, state-aligned threats such as those posed by FishMonger. With its transition to Windows and the addition of advanced stealth features, the SprySOCKS backdoor serves as a stark reminder of the continually evolving landscape of cyber espionage. Cybersecurity experts are urged to maintain vigilance and meticulously monitor activities associated with this group to safeguard critical infrastructures from future intrusions.
