2026-06-16 The Hacker News

China-Linked SprySOCKS Backdoor Targets Windows with Kernel Driver Stealth

APT, Malware, Threat Intel

Cybersecurity researchers at ESET have uncovered two previously undocumented Windows variants of SprySOCKS, a backdoor long believed to operate exclusively on Linux systems. Internally labeled WIN_DRV and WIN_PLUS, both versions ship with hard-coded command-and-control (C2) configurations and support communication over TCP, UDP, and WebSocket protocols. The malware exposes more than 30 commands enabling system information collection, process enumeration, service management, and file system operations, mirroring the extensive functionality of its Linux predecessor first documented by Trend Micro in September 2023.

The WIN_DRV variant stands out for its use of a kernel driver called RawWNPF ("KW1B5206BDC1743FD.dat"), loaded via an encrypted helper named DriverLoader ("KX1B5206BDC1743DD.dat"). This driver-level component conceals the malware's network connections, processes, files, and registry keys from host-based defenses, while also enabling TCP traffic diversion that allows operators to reach the backdoor through a random port on the victim device without exposing its true listening port. The infection chain leverages a batch script and scheduled task to initiate a DLL side-loading sequence that deploys SprySOCKS alongside its driver components, and the group has historically gained initial access by exploiting N-day Fortinet vulnerabilities. Defenders investigating suspicious activity can use a port scanner to identify unexpected listening services, while a VPN/proxy detector can help reveal C2 traffic masquerading as legitimate connections.

ESET tracks the threat cluster as FishMonger, a cyber espionage group operating under the broader Winnti umbrella and linked to the China-nexus contractor i-Soon. The actor is also known across the industry as Earth Lusca, Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel, and has been active since at least 2021. In March 2025, ESET connected FishMonger to Operation FishMedley, a global campaign that compromised seven organizations across Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022. SprySOCKS is built on the Trochilus Windows RAT and shares significant code overlap with the RedLeaves backdoor, while Trochilus itself has been tied to another Chinese actor known as Webworm, which exhibits tradecraft commonalities with both FishMonger and SixLittleMonkeys.

The expansion of SprySOCKS to Windows with kernel-level evasion capabilities marks a notable escalation in the group's operational maturity. Organizations are advised to monitor for the specific driver filenames and the DLL side-loading patterns documented by ESET, and to verify that public-facing Fortinet appliances are fully patched against previously exploited flaws. Security teams conducting post-incident analysis should consider running a DNS leak test on affected endpoints to detect covert DNS tunneling, and reviewing historical records against a WHOIS lookup to identify infrastructure overlaps with known FishMonger C2 servers.
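As an added example, not code from ESET or The Hacker News, the following Python triage helper shows how the two detection steps recommended above can be automated against collected host data: matching file paths against the two driver and loader filenames named in the article, and flagging listening TCP ports that are not in a site-specific baseline. The file paths, the `netstat -ano` style lines and the baseline port set are constructed sample data, and the function names are my own.

```python
"""Offline triage helper for the SprySOCKS WIN_DRV indicators named in the article.

Added example; the filenames below are the only indicators taken from the page,
everything else (sample data, baseline ports, function names) is constructed.
"""
import ntpath

# Driver and loader filenames documented by ESET (quoted in the article).
SPRYSOCKS_DRIVER_FILES = {
    "KW1B5206BDC1743FD.dat",  # RawWNPF kernel driver
    "KX1B5206BDC1743DD.dat",  # encrypted DriverLoader helper
}
_DRIVER_NAMES_CF = {name.casefold() for name in SPRYSOCKS_DRIVER_FILES}

# Constructed sample: file paths from a host inventory (not real forensic data).
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\ProgramData\Update\KW1B5206BDC1743FD.dat",
    r"C:\ProgramData\Update\kx1b5206bdc1743dd.DAT",
    r"C:\Users\Public\readme.txt",
]

# Constructed sample: lines in the shape of Windows `netstat -ano` output.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    0.0.0.0:49213          0.0.0.0:0              LISTENING       5120",
    "  TCP    10.0.0.5:49700         10.0.0.9:443           ESTABLISHED     2288",
    "  UDP    0.0.0.0:5353           *:*                                    1640",
]

# Hypothetical per-host baseline of ports that are expected to listen.
BASELINE_PORTS = {135, 445}


def find_driver_artifacts(paths):
    """Return every path whose basename matches a documented driver filename.

    Matching is case-insensitive on the basename only, so a renamed directory
    or an upper-cased extension does not cause a miss.  ntpath is used so that
    backslash-separated Windows paths parse correctly on any analysis host.
    """
    return [p for p in paths if ntpath.basename(p).casefold() in _DRIVER_NAMES_CF]


def parse_listeners(netstat_lines):
    """Extract (port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # Local address is host:port; rsplit copes with IPv6 literals like [::]:135.
        port = int(parts[1].rsplit(":", 1)[1])
        pid = int(parts[4]) if len(parts) > 4 else None
        listeners.append((port, pid))
    return listeners


def unexpected_listeners(netstat_lines, baseline_ports):
    """Return listening (port, pid) pairs that are not in the baseline.

    Caveat from the article: the RawWNPF driver hides the backdoor's own
    sockets from host tools, so an empty result here is not proof of absence;
    the article's recommendation of an external port scan covers that gap.
    """
    return [(port, pid) for port, pid in parse_listeners(netstat_lines)
            if port not in baseline_ports]


def triage(paths, netstat_lines, baseline_ports):
    """Combine both checks into one report dictionary."""
    return {
        "driver_artifacts": find_driver_artifacts(paths),
        "unexpected_listeners": unexpected_listeners(netstat_lines, baseline_ports),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_NETSTAT, BASELINE_PORTS).items():
        print(f"{key}: {value}")
```

Run against real data, `SAMPLE_FILES` would be replaced by a recursive directory listing and `SAMPLE_NETSTAT` by captured `netstat -ano` output; the baseline should be built per host role rather than shared, since a high ephemeral port that is normal on one server is exactly what an unexpected listener looks like on another.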

Source: The Hacker News
