- ESET researchers have uncovered two previously unknown Windows variants of SprySOCKS, a backdoor that was previously believed to run only on Linux systems.
- The stealthier of the two variants uses kernel drivers to conceal its files, processes, registry keys, and network connections from detection.
- ESET telemetry confirms real-world attacks from 2023 to 2024, with government entities in Taiwan, Honduras, Pakistan, and Thailand among the known victims.

A backdoor that the cybersecurity community once considered a Linux-exclusive threat has now crossed over to Windows. ESET researchers have identified two previously unknown Windows versions of SprySOCKS, a backdoor tool linked to FishMonger, a China-nexus espionage group that researchers believe a Chinese contractor named I-SOON operates. The discovery marks a significant escalation in the group’s capabilities and reach.
ESET initially found the malware samples on VirusTotal, but the firm’s own telemetry confirmed the group deployed them against real targets between 2023 and 2024. Government organizations in Honduras, Taiwan, Thailand, and Pakistan were among the confirmed victims.
Two New Variants, One More Dangerous Than the Other
ESET researchers have internally labeled the two Windows variants WIN_DRV and WIN_PLUS. Both carry a hardcoded command-and-control configuration and can communicate over UDP, TCP, and WebSocket.
Each variant also supports more than 30 remote commands covering system information collection, process enumeration, service management, and file operations including listing, creating, deleting, and transferring files.
The WIN_DRV variant is the more alarming of the two. According to ESET, this version uses kernel drivers to hide the malware’s network connections, active processes, files, and registry keys from security tools.
It also manipulates TCP traffic: operators send commands to a randomized TCP port on the victim's machine, and the driver forwards that traffic to the backdoor, so the backdoor's real listening port never appears in network traffic. That design makes it significantly harder for defenders to detect or trace.
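Port and process hiding of the kind described above can be approached from the defender's side with a cross-view comparison: a kernel driver can filter what the host reports about its own sockets, but it cannot rewrite what a network sensor outside the host already recorded. The script below is an added illustration written for this article, not ESET's tooling or any SprySOCKS code. The netstat lines, the sensor connection records, the host IP address and every port number are constructed sample data, and the record layout is a hypothetical, Zeek-like shape chosen for the example.

```python
"""Cross-view check for TCP listeners the host does not report (added example).

Two views of the same machine are reconciled:
  - host view: ports the host's own socket table claims are LISTENING
  - external view: ports on the host that completed a TCP handshake, as seen
    by a network sensor (a flow collector or IDS) outside the host
A port that accepted connections on the wire but is absent from the host's own
socket table is a strong hiding indicator.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnRecord:
    """One connection as a network sensor would record it (hypothetical layout)."""
    orig_h: str              # client address
    resp_h: str              # server (responder) address
    resp_p: int              # server port
    handshake_completed: bool  # True if the responder completed the 3-way handshake


def parse_host_listeners(netstat_lines):
    """Extract local TCP ports reported as LISTENING from `netstat -ano` style output."""
    ports = set()
    for line in netstat_lines:
        parts = line.split()
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            # rsplit on the last ':' handles both 0.0.0.0:445 and [::]:445
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def responding_ports(conns, host_ip):
    """Ports on host_ip that answered and completed a handshake, per the sensor."""
    return {c.resp_p for c in conns if c.resp_h == host_ip and c.handshake_completed}


def cross_view_diff(external_view, host_view):
    """Items the outside observer saw that the host itself does not report."""
    return sorted(external_view - host_view)


def find_hidden_listeners(netstat_lines, conns, host_ip):
    """Return ports that accepted connections on the wire but are missing from
    the host's own LISTENING table."""
    return cross_view_diff(responding_ports(conns, host_ip), parse_host_listeners(netstat_lines))


# --- constructed sample data (not from any real incident) ---
HOST_IP = "10.0.0.5"

SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING       1208",
    "  TCP    10.0.0.5:3389          10.0.0.77:50112        ESTABLISHED     1208",
]

SAMPLE_CONNS = [
    ConnRecord("10.0.0.77", HOST_IP, 3389, True),   # RDP: expected, host reports it
    ConnRecord("10.0.0.80", HOST_IP, 445, True),    # SMB: expected, host reports it
    ConnRecord("10.0.0.91", HOST_IP, 8080, False),  # refused: no listener, not flagged
    ConnRecord("203.0.113.9", HOST_IP, 51734, True),  # accepted, but absent from host view
]

if __name__ == "__main__":
    for port in find_hidden_listeners(SAMPLE_NETSTAT, SAMPLE_CONNS, HOST_IP):
        print(f"port {port} accepted connections but is not in the host socket table")
```

The same reconciliation applies to any host-reported inventory that a kernel-level component can filter: the trusted reference must come from somewhere the driver cannot reach, such as a network sensor, an EDR agent's out-of-band view, or an offline memory image, and only the difference between the two views is reported.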
ESET also flagged limited indicators suggesting that some SprySOCKS attack scenarios may involve a UEFI bootkit component, possibly exploiting a known vulnerability tracked as CVE-2023-24932.
Who Is FishMonger and How Did SprySOCKS Get Here?
FishMonger sits under the broader Winnti Group umbrella, one of the most persistent and sophisticated China-aligned threat clusters known to researchers.
The group is linked to Earth Lusca, a threat actor also tracked under the names Bronze University, Aquatic Panda, RedHotel, and Charcoal Typhoon.
Analysts assess that the group has been active since 2021, primarily targeting government departments focused on foreign affairs, technology, and telecommunications.
SprySOCKS itself has a long history. Trend Micro first publicly documented the backdoor in September 2023 as a Linux tool, noting its roots in Trochilus, an open-source Windows remote access trojan whose code leaked publicly in 2017.
FishMonger later adapted it for Linux operations. ESET’s new findings show the group has now rebuilt it for Windows with significant stealth upgrades, signaling a deliberate effort to broaden the tool’s operational reach.
Why this Discovery Changes the Threat Landscape
In March 2025, ESET published a report linking FishMonger to a global campaign called Operation FishMedley, targeting seven organizations across multiple countries. The discovery of these new Windows variants reinforces the group’s continued investment in upgrading its tooling and expanding its targeting scope.
ESET attributes the new Windows variants to FishMonger with high confidence based on technical analysis. For organizations running Windows systems in government or critical infrastructure sectors, particularly across Asia and Latin America, the emergence of a kernel-level, traffic-hiding variant of this backdoor represents a threat that demands immediate attention.
The threat landscape includes both state-sponsored and criminal tools. A Linux PAM backdoor called PamDOORa is being offered for sale on a cybercrime forum, showing that sophisticated stealth techniques are available to state-sponsored and criminal actors alike.