Researchers discovered two undocumented Windows variants of the SprySOCKS backdoor linked to the China-aligned threat group FishMonger [1].
This expansion is a notable step up in the group's capabilities. Moving into Windows environments with stealth-focused tooling gives the attackers a way to keep long-term access to targeted government networks while making host-based detection harder.
The new variants, which ESET tracks as WIN_DRV and WIN_PLUS, use a kernel-mode driver to hide their presence [1]. Running code in the kernel lets the malware conceal its artifacts from the user-mode tools an administrator would normally rely on, so it is harder to spot. The backdoor supports more than 30 commands [1] and uses TCP, UDP, and WebSocket for command-and-control communication [1].
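A practical first check on a Windows host suspected of carrying a kernel-mode component is to triage every loaded driver by its on-disk location and Authenticode signer. The script below is an added, generic example written for this article; it is not code from ESET's report and it does not know anything about WIN_DRV or WIN_PLUS specifically. The signer names in `$trusted` are an assumption that Microsoft-shipped drivers carry a Microsoft certificate; legitimate third-party drivers (endpoint security, VPN, GPU) will also be flagged and need manual review.

```powershell
# Added example, not from the original report: triage loaded kernel drivers.
# Lists running drivers, normalizes their image paths, checks the Authenticode
# signature, and flags anything that is not Microsoft-signed and living under
# System32\drivers. Run from an elevated PowerShell session.

# Assumed set of subject CNs used on Microsoft-signed drivers (inbox and WHQL).
$trusted = @(
    'Microsoft Windows',
    'Microsoft Corporation',
    'Microsoft Windows Hardware Compatibility Publisher'
)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be quoted or use \??\, \SystemRoot\ or bare System32\ prefixes.
    $path = $d.PathName.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose file is gone is worth a look on its own.
        [pscustomobject]@{
            Name = $d.Name; Path = $path; Signer = '<file not found>'
            Status = 'Missing'; Suspicious = $true
        }
        continue
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $isMsSigned = [bool]($sig.Status -eq 'Valid' -and
        ($trusted | Where-Object { $signer -like "*CN=$_*" }))
    $inDriversDir = $path -like "$env:SystemRoot\System32\drivers\*"

    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        Signer     = $signer
        Status     = $sig.Status
        Suspicious = -not ($isMsSigned -and $inDriversDir)
    }
}

# Show only the entries that need a human decision.
$report | Where-Object Suspicious | Sort-Object Name | Format-Table -AutoSize
```

One caveat matters for exactly the case the article describes: a driver that hooks the kernel to hide itself may not show up in `Win32_SystemDriver` at all, so an empty result from this triage is not a clean bill of health. Treat it as a quick first pass and confirm from a trusted state, for example a clean boot from known-good media or an offline inspection of the disk.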
ESET telemetry places the group's activity in 2023 and 2024 [2]. The campaigns have targeted government entities in four countries [1]: Honduras, Taiwan, Thailand, and Pakistan [2].
"The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News [1].
The use of a dedicated kernel-mode driver points to an operation built for sustained espionage rather than opportunistic access. The target set, which spans both Asia and Latin America, suggests the group is extending its intelligence collection across several geopolitical spheres [2].
The port of SprySOCKS to Windows, with a kernel driver for concealment, shows that FishMonger is investing in persistence and stealth rather than in simple initial access. Targeting government infrastructure in regions as different as Honduras and Taiwan points to wide-scale strategic espionage aimed at gathering political and administrative intelligence for China-aligned interests.