Cybersecurity researchers have recently uncovered two previously undocumented Windows variants of the backdoor known as SprySOCKS, which was initially thought to be exclusive to Linux systems. According to a report from ESET shared with The Hacker News, these Windows variants are designated as WIN_DRV and WIN_PLUS.
Technical Insights into SprySOCKS Variants
Both variants come equipped with a hard-coded command-and-control (C&C) configuration and are capable of communication through TCP, UDP, and WebSocket protocols. Echoing the capabilities of their Linux counterpart, the Windows versions support over 30 commands that facilitate various operations, including system information collection, process enumeration, service management, and file system interactions. Notably, WIN_DRV employs kernel drivers to obscure the malware’s network connections, processes, files, and registry keys.
Moreover, WIN_DRV introduces TCP traffic diversion, enabling malware operators to issue commands to the backdoor via a random TCP port on the victim’s device, thereby concealing the actual listening port from network traffic analysis.
SprySOCKS was first documented by Trend Micro in September 2023, linking its use to a state-sponsored threat actor from China known as Earth Lusca. This group, also referred to as Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel, has been active since at least 2021 and is believed to be operated by a Chinese contractor named i-Soon.
ESET has categorized this threat cluster as FishMonger, describing it as a cyber espionage group that falls under the broader Winnti umbrella. A report published in March 2025 connected this hacking group to a global campaign named Operation FishMedley, which targeted seven organizations across Taiwan, Hungary, Turkey, Thailand, France, and the United States between January and October 2022.
Architecture and Functionality
SprySOCKS is based on a Windows remote access trojan called Trochilus and shares several characteristics with another backdoor known as RedLeaves, which also exhibits significant source code similarities with Trochilus. The use of Trochilus is associated with another Chinese threat actor, Webworm, which shares tradecraft with both FishMonger and SixLittleMonkeys.
The Windows variants belong to version 1.8 of SprySOCKS. The WIN_DRV sample utilizes a kernel driver named RawWNPF (“KW1B5206BDC1743FP.dat”) for enhanced stealth while maintaining the functionality of its Linux counterpart. This driver is loaded via another encrypted kernel driver called DriverLoader (“KX1B5206BDC1743DD.dat”).
The attack chain begins with an undetermined initial access method that drops a batch script, subsequently creating and executing a scheduled task responsible for triggering a DLL side-loading chain that installs the SprySOCKS backdoor and its driver components. Notably, the group has previously exploited N-day security vulnerabilities in public-facing applications such as Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra to gain access.
ESET researcher Martin Smolár noted that the Windows version retains much of the core architecture of its Linux predecessor, including the C&C protocol, encryption, and overall command handling logic. However, it incorporates Windows-native mechanisms to enhance stealth, particularly through the use of kernel drivers.
Distinct Execution Approaches
The WIN_PLUS execution scheme adopts a different methodology, utilizing the Windows Print Spooler service (“spoolsv.exe”) as a launch point for a first-stage loader that operates as a print processor. This approach is designed to inject and execute a SprySOCKS loader into a newly created “svchost.exe” process, thereby initiating the backdoor.
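A defender-side hunt check for the print-processor persistence described above, added here as an example that is not part of the ESET report or this article. It assumes only the standard registry location for print processors and that winprint.dll is the single in-box default; everything else it flags is a candidate for review, not a verdict.

```powershell
# Added hunt check (not from the ESET report): list every registered print
# processor, resolve its DLL under the spooler's PrtProcs directory, and flag
# anything that is not the in-box winprint.dll or is not validly Microsoft-signed.
# Run from an elevated PowerShell session on the host being examined.
$envRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$prtProcs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

$results = foreach ($envKey in Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue) {
    $ppRoot = Join-Path $envKey.PSPath 'Print Processors'
    if (-not (Test-Path -Path $ppRoot)) { continue }

    foreach ($ppKey in Get-ChildItem -Path $ppRoot -ErrorAction SilentlyContinue) {
        $dllName = (Get-ItemProperty -Path $ppKey.PSPath -ErrorAction SilentlyContinue).Driver
        if (-not $dllName) { continue }

        # The spooler loads print processors from a per-environment subfolder
        # (for example prtprocs\x64), so locate the file by name under PrtProcs.
        $dllPath = Get-ChildItem -Path $prtProcs -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue |
                   Select-Object -First 1 -ExpandProperty FullName

        $sig = if ($dllPath) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
        $isDefault  = $dllName -ieq 'winprint.dll'
        $isMsSigned = $sig -and $sig.Status -eq 'Valid' -and
                      $sig.SignerCertificate.Subject -like '*Microsoft*'

        [pscustomobject]@{
            Environment    = $envKey.PSChildName
            PrintProcessor = $ppKey.PSChildName
            Dll            = $dllName
            Path           = $dllPath
            SignatureState = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Review         = -not ($isDefault -and $isMsSigned)
        }
    }
}

# Entries marked for review are worth correlating with recent scheduled-task
# creation and with svchost.exe processes whose parent is spoolsv.exe.
$results | Sort-Object Review -Descending | Format-Table -AutoSize
```

Legitimate vendor print processors will also appear as non-default, so treat the Review column as a triage list to pair with signature details and file timestamps rather than as an alert on its own.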
Both WIN_DRV and WIN_PLUS variants function as DLLs, supporting three channels for C&C communications over TCP, UDP, and WebSocket. They execute commands from the operator on compromised hosts, which include collecting system information, launching an interactive console, enumerating processes, retrieving C&C communication details, listing services, initializing a SOCKS proxy, and managing file uploads and downloads.
Evidence suggests that these artifacts may have been deployed in attacks targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WIN_PLUS variant was first detected in July 2024 on a device located in Pakistan.
Additionally, there are indications of a potential UEFI bootkit involvement, likely exploiting CVE-2023-24932, a security feature bypass vulnerability in the Windows Boot Manager associated with the notorious BlackLotus UEFI bootkit. Microsoft addressed this security flaw in May 2023.
The emergence of Windows variants of SprySOCKS signifies a notable expansion of FishMonger’s cross-platform capabilities, retaining the core architecture of its Linux predecessor while enhancing stealth through the integration of kernel drivers.