

Ethical Hacking News

A New Layer of Stealth: China-Linked FishMonger's Windows SprySOCKS variant Baffles Security Experts



ESET researchers have documented two new variants of the SprySOCKS backdoor built for Windows. One of them loads a kernel driver to hide its activity from user-mode tools; both belong to the larger toolkit attributed to the China-linked threat actor FishMonger and extend a backdoor previously seen only on Linux across platforms. The discovery shows how China-aligned groups keep reworking their tooling and why detection coverage has to follow it down to the kernel.

  • FishMonger, a China-linked threat actor, has two new variants of the SprySOCKS backdoor for Windows, both identified by ESET.
  • The variants, WINDrv and WIN_Plus, differ in how they stay hidden: only WINDrv ships a kernel driver.
  • WINDrv uses that driver, named RawWNPF, to hide network connections and processes from user-mode detection tools and to divert TCP traffic to the backdoor.
  • WIN_Plus instead starts from the Windows Print Spooler service, running its first stage as a print processor.
  • Defenders should add kernel driver loads and Print Spooler abuse to their detection rules and threat intelligence for this actor.



    China-linked threat actor FishMonger has expanded its toolkit with a Windows port of the SprySOCKS backdoor. ESET identified two variants, which it calls WINDrv and WIN_Plus; WINDrv relies on a kernel driver to remain stealthy and evade detection, adding another layer of complexity to attacks already attributed to FishMonger.

    ESET researchers attribute both variants to SprySOCKS version 1.8; they share the core architecture of the Linux variant that Trend Micro documented in September 2023. The port marks a significant expansion of FishMonger's cross-platform capabilities and illustrates the evolving tradecraft of Chinese state-linked groups.

    WINDrv is the more technically interesting variant. It loads a kernel driver named RawWNPF that hides the backdoor's network connections and processes from detection tools running in user mode. The driver also performs TCP traffic diversion, redirecting selected inbound connections to a hidden TCP port so the backdoor can operate passively, waiting for the operator to connect instead of beaconing out. The attack chain begins with an initial access method ESET could not determine and ends in a DLL side-loading sequence that installs the backdoor and its driver component.

    WIN_Plus takes a different approach, using the Windows Print Spooler service as its starting point. Its first-stage loader is registered as a print processor, so the Spooler loads it; the loader then creates a new svchost.exe process and injects the SprySOCKS loader into it to launch the backdoor. Print processor abuse is a known persistence technique, and the Print Spooler activity it produces is a potential detection indicator rather than something that hides the variant.

    The implications for defenders are clear: kernel driver loads and Print Spooler abuse now belong in threat intelligence and detection rules for this actor. The Windows port of SprySOCKS keeps most of its Linux predecessor's core architecture and substitutes Windows-native mechanisms where required, with WINDrv pushing part of its stealth into the kernel.
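    The three behaviours the article names (a driver load for RawWNPF, a new print processor registered with the Spooler, and spoolsv.exe starting a fresh svchost.exe) map directly onto Sysmon event types. The following is an added example, not code from ESET or Security Affairs, showing how a defender would express them as detection rules and run them over telemetry. The events are constructed for illustration and follow Sysmon's field names (EID 6 DriverLoad, EID 13 RegistryEvent, EID 1 ProcessCreate); the file paths, the registry subkey name "spry", the DLL name loader.dll and the signer string are made up, as is the small allowlist of third-party drivers, which a real deployment would populate from its own inventory.

```python
"""Detection heuristics for the SprySOCKS Windows variants described above.

Added example, not ESET's or Security Affairs' code. It runs three rules over
constructed Sysmon-style events:
  1. EID 6  DriverLoad     - a kernel driver outside the Microsoft/allowlisted set,
                             with RawWNPF (the WINDrv driver name) flagged by name;
  2. EID 13 RegistryEvent  - a print processor DLL other than the default
                             winprint.dll registered under the Spooler's key;
  3. EID 1  ProcessCreate  - spoolsv.exe spawning svchost.exe (WIN_Plus launch).
"""
import ntpath
import re
from typing import Iterable, Optional

# Real Windows key the Print Spooler loads print processors from; the regex is
# the example's own. winprint.dll is the default print processor.
PRINT_PROCESSOR_KEY = re.compile(
    r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\[^\\]+\\Driver$",
    re.IGNORECASE,
)
DEFAULT_PRINT_PROCESSOR = "winprint.dll"

KNOWN_BAD_DRIVERS = {"rawwnpf.sys"}              # driver name given in the article
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}
TRUSTED_THIRD_PARTY_DRIVERS = {"npcap.sys"}       # assumption: site-specific allowlist


def _base(path: str) -> str:
    # ntpath splits on backslashes regardless of the host OS running the rules
    return ntpath.basename(path).lower()


def check_driver_load(ev: dict) -> Optional[dict]:
    """Sysmon EID 6: flag drivers that are neither Microsoft-signed nor allowlisted."""
    if ev.get("EventID") != 6:
        return None
    name = _base(ev.get("ImageLoaded", ""))
    signer = ev.get("Signature", "").lower()
    if name in KNOWN_BAD_DRIVERS:
        return {"rule": "known_bad_driver", "severity": "high", "detail": name}
    if signer in TRUSTED_SIGNERS and ev.get("SignatureStatus") == "Valid":
        return None
    if name in TRUSTED_THIRD_PARTY_DRIVERS:
        return None
    return {"rule": "unexpected_driver", "severity": "medium",
            "detail": f"{name} signed by {signer or 'nobody'}"}


def check_print_processor(ev: dict) -> Optional[dict]:
    """Sysmon EID 13 (value set): a non-default print processor DLL registered."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not PRINT_PROCESSOR_KEY.search(target):
        return None
    dll = _base(ev.get("Details", ""))
    if dll == DEFAULT_PRINT_PROCESSOR:
        return None
    return {"rule": "print_processor_registered", "severity": "high",
            "detail": f"{target} -> {dll}"}


def check_spooler_child(ev: dict) -> Optional[dict]:
    """Sysmon EID 1: spoolsv.exe spawning svchost.exe.

    Heuristic: svchost.exe is normally a child of services.exe, so the Spooler
    starting one matches the WIN_Plus launch sequence described in the article.
    """
    if ev.get("EventID") != 1:
        return None
    if (_base(ev.get("ParentImage", "")) == "spoolsv.exe"
            and _base(ev.get("Image", "")) == "svchost.exe"):
        return {"rule": "spoolsv_spawned_svchost", "severity": "high",
                "detail": ev.get("CommandLine", "")}
    return None


RULES = (check_driver_load, check_print_processor, check_spooler_child)


def scan(events: Iterable[dict]) -> list:
    """Run every rule over every event and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events, not real telemetry. Field names follow Sysmon's
# schema; paths, the "spry" subkey, loader.dll and the signer string are made up.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\RawWNPF.sys",
     "Signature": "Some Publisher", "SignatureStatus": "Valid"},
    {"EventID": 13, "Details": "winprint.dll",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver"},
    {"EventID": 13, "Details": "loader.dll",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\spry\Driver"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "CommandLine": "svchost.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['detail']}")
```

    Run against the sample set, the rules raise exactly three alerts, one per malicious event, and stay quiet on the benign tcpip.sys load, the default winprint.dll registration and the ordinary services.exe-spawned svchost.exe. The driver rule is deliberately the noisiest of the three: any non-Microsoft driver that is not on the allowlist is reported at medium severity, because a name match on RawWNPF alone would miss a renamed driver, which is the cheapest change an operator can make.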

    ESET also found hints of a UEFI bootkit that may exploit CVE-2023-24932, the Secure Boot bypass associated with BlackLotus, though the link has not been confirmed. Such a component would provide persistence that survives OS reinstalls, adding another layer of difficulty for anyone trying to detect and remove the intrusion.

    Pierluigi Paganini, author and researcher at Security Affairs, places FishMonger under the Winnti umbrella alongside other China-linked groups. Their evolving tactics underscore the need to keep threat intelligence and detection rules current as new variants appear.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Layer-of-Stealth-China-Linked-FishMongers-Windows-SprySOCKS-variant-Baffles-Security-Experts-ehn.shtml

  • https://securityaffairs.com/193728/apt/china-linked-fishmonger-ports-sprysocks-to-windows-with-kernel-level-stealth-and-uefi-bootkit-hints.html


  • Published: Thu Jun 18 01:59:37 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
