Researchers at ESET have uncovered two previously undocumented Windows versions of SprySOCKS, a backdoor used by the China-aligned cyberespionage group ESET tracks as FishMonger, and one of the new builds goes to unusual lengths to stay invisible on infected machines.
SprySOCKS was, until now, known only as a Linux tool. The two Windows variants, labeled WIN_DRV and WIN_PLUS by their own developers, were used in real intrusions between 2023 and 2024 that mostly hit government organizations in Honduras, Taiwan, Thailand, and Pakistan, according to ESET telemetry.
Who is behind it
FishMonger is widely linked to the Chinese contractor I-SOON (also written Anxun) and sits under the broader Winnti umbrella of China-nexus groups. Other vendors track overlapping activity as Earth Lusca, TAG-22, or Aquatic Panda. The group fits a now familiar pattern of China-linked operations against governments and technology firms, and ESET says it attributes the new Windows samples to FishMonger with high confidence, citing shared command-and-control formats, encryption keys, and code reuse with the earlier Linux backdoor.
How the attack works
FishMonger typically breaks in by exploiting unpatched, internet-facing servers, then plants the backdoor using DLL side-loading: a legitimate, signed Windows program (renamed to look like a Microsoft component) is tricked into loading the attackers' malicious library. A scheduled task and registry changes keep it running with SYSTEM privileges, with files tucked away in the Windows Fonts folder.
The standout feature is in the WIN_DRV build, which installs a kernel driver named RawWNPF. A kernel driver runs at the most privileged layer of Windows, so it can lie to the rest of the system. This one hides the malware's files, processes, registry keys, and network connections from tools like netstat, and it can quietly redirect traffic arriving on any open port to the backdoor's hidden listening port whenever a specially crafted packet shows up. That lets operators reach the implant without hard-coding a server address into it, and even captured traffic does not reveal the real destination port. The same long-dwell stealth has let China-linked crews sit inside critical networks for years.
To slip the driver past Windows' signature checks, the attackers signed it with a leaked code-signing certificate pulled from a public GitHub project. ESET also found limited signs that some intrusions may involve a UEFI bootkit, possibly abusing CVE-2023-24932. The backdoor itself supports more than 30 commands over TCP, UDP, and WebSocket, covering file theft, process control, and system reconnaissance.
What defenders should do
Patch and harden public-facing applications, since that is FishMonger's usual way in. Hunt for DLL side-loading from unexpected directories such as the Fonts folder, watch for kernel drivers signed with known-leaked certificates, and alert on scheduled tasks that imitate Microsoft binaries. ESET credits its own research team with the discovery; you can read the original report for full technical detail.
Indicators of compromise
DLL side-loading host (a legitimately signed executable that the attackers rename and abuse): SHA-1 ffc3aa7909d4e72c360d65a1f45260dffe5c99b7. Defenders should also watch for the dropped kernel driver fsdiskbit.sys and a scheduled task named ApphostRagistreationVerifier.
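As an added example rather than code from ESET's report or this briefing, the PowerShell below turns the hunting advice above into host queries: it takes the host hash, driver name, and task name from the indicators listed here, reports the signer of every PE found under the Fonts folder so it can be compared against known-leaked certificates, and assumes (a tunable rule) that any .exe/.dll/.sys under Fonts and any driver image outside System32 deserve analyst review.

```powershell
# Added hunting script, not taken from ESET's report or IntelFusions' briefing.
# Names below come from the briefing; the "any PE under Fonts is suspicious"
# rule is an assumption and may flag legitimate font-management software.
$KnownHostSha1 = 'ffc3aa7909d4e72c360d65a1f45260dffe5c99b7'   # renamed signed host EXE
$KnownDriver   = 'fsdiskbit.sys'                               # dropped driver file
$KnownDrvName  = 'RawWNPF'                                     # driver/service name
$KnownTask     = 'ApphostRagistreationVerifier'                # scheduled task name
$Fonts         = Join-Path $env:SystemRoot 'Fonts'
$Findings      = New-Object System.Collections.Generic.List[object]

# 1. PE files under the Fonts folder: the side-loaded DLL and its renamed,
#    signed host are planted there. Record hash and signer so the analyst can
#    compare against the known host hash and against known-leaked certificates.
Get-ChildItem -Path $Fonts -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $note = if ($sha1 -eq $KnownHostSha1) { 'MATCHES known side-loading host' } else { '' }
    $Findings.Add([pscustomobject]@{
      Check  = 'PE in Fonts folder'
      Item   = $_.FullName
      Detail = "sha1=$sha1 status=$($sig.Status) signer=$($sig.SignerCertificate.Subject) $note"
    })
  }

# 2. Scheduled tasks: the briefing's task name, or any action that executes
#    from the Fonts folder (a Microsoft-looking task name does not make it benign).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
  $task = $_
  $exec = (@($task.Actions | Where-Object { $_.Execute }) | ForEach-Object { $_.Execute }) -join ';'
  if ($task.TaskName -eq $KnownTask -or $exec -like '*\Fonts\*') {
    $Findings.Add([pscustomobject]@{ Check = 'Suspicious scheduled task'; Item = $task.TaskName; Detail = $exec })
  }
}

# 3. Registered kernel drivers: the briefing's driver file or service name, or
#    any driver image that does not live under System32 (DriverStore included).
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
  $path = $_.PathName
  if ($_.Name -eq $KnownDrvName -or $path -like "*$KnownDriver" -or ($path -and $path -notlike '*\System32\*')) {
    $Findings.Add([pscustomobject]@{ Check = 'Unusual kernel driver'; Item = $_.Name; Detail = "$path state=$($_.State)" })
  }
}

$Findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt, since reading driver paths and the Fonts folder signatures may need administrator rights; an empty table means none of these specific checks fired, not that the host is clean.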
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.