BRATISLAVA — June 16, 2026 — ESET researchers have discovered two as-yet undocumented Windows variants (WIN_DRV and WIN_PLUS) of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I-SOON. While ESET initially discovered the malware samples on VirusTotal uploaded in April 2024, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations.
The WIN_DRV variant includes support for over 30 Command and Control (C&C) commands, covering various functionalities, including system information collection and process enumeration as well as service management and file management functions, such as listing, creating, deleting, and transferring files.
In addition to the core backdoor functionality, FishMonger’s backdoor weaponizes a kernel driver for advanced stealth. SprySOCKS utilizes this driver to hide the malware’s network connections, processes, files, and registry keys and enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor’s real listening port in the network traffic.
“The Windows version retains most of the core architecture of its Linux predecessor — including the C&C protocol, encryption used, and overall command handling logic — while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game. Considering the limited indications of possible UEFI bootkit involvement, we advise everyone to keep a close eye on the group’s activities,” says ESET researcher Martin Smolár, who discovered and analyzed FishMonger’s latest arsenal.
Based on ESET telemetry, there are limited indications that some SprySOCKS attack scenarios could involve a UEFI bootkit component, possibly exploiting CVE 2023 24932.
FishMonger — believed to be operated by a Chinese contractor named I-SOON — is a cyberespionage group that falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu. It is also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10. ESET Research published an analysis of FishMonger in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. The group is also known to operate watering-hole attacks. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.
For a more detailed analysis about FishMonger’s latest arsenal, check out the ESET Research blog post “Fishmonger’s arsenal upgraded: SprySOCKS for Windows” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
Execution chain of the SprySOCKS WIN_DRV variant
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。