ESET telemetry traced in-the-wild activity to 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand and Pakistan.
Windows variants: WIN_DRV and WIN_PLUS
New analysis from ESET has identified two previously undocumented Windows versions of SprySOCKS, a backdoor tied to a China-aligned espionage group known as FishMonger. The two builds—marked WIN_DRV and WIN_PLUS—arrive with hardcoded command-and-control (C2) settings and a wide set of espionage features. SprySOCKS was first documented as a Linux backdoor in 2023; ESET’s telemetry shows the Windows activity in 2023 and 2024.
WIN_DRV’s kernel-level stealth
The stealthier variant, WIN_DRV, relies on a kernel driver that functions as a rootkit. According to ESET, that driver hides the malware's files, processes, registry keys and network connections so they do not show up in common diagnostic tools such as netstat. The driver also serves as a covert entry point: when a packet carrying a specific marker arrives on any port the host already has open, the driver silently redirects that traffic to the backdoor's hidden port, so the real destination never appears and the operator can connect without leaving obvious forensic traces.
Capabilities, channels and persistence
Both Windows variants support three communications channels—TCP, UDP and WebSocket—and can operate as either client or server. Together they expose more than 30 commands. ESET lists the supported command categories as:
- System and network reconnaissance
- Process enumeration and termination
- Service creation, control and deletion
- File listing, transfer, deletion and execution
- A built-in SOCKS proxy for tunneling
Beyond those core functions, the backdoor can log keystrokes and clipboard contents when enabled, and it quietly adds a Windows firewall rule to permit its traffic. On compromised devices the malware hides among legitimate, signed Windows files via DLL side‑loading and sets itself to run at startup, ESET reported.
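The three host-side behaviours ESET describes (a self-added firewall allow rule, DLL side-loading next to a signed binary, and run-at-startup persistence) can each be hunted for from an elevated PowerShell session. The script below is an added triage example written for this page; it is neither ESET's tooling nor code from the malware, and ESET published no indicators that it could reuse. Its one assumption, which is ours and not ESET's, is that binaries living under the Windows and Program Files trees are expected and anything elsewhere deserves a look.

```powershell
# Added triage script (editor's example, not ESET's tooling and not code from the malware).
# Run in an elevated PowerShell on a suspect host. Assumption (ours, not ESET's): binaries
# under the Windows and Program Files trees are expected; anything else is worth a look.
$Trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath([string]$Path) {
    # Empty or 'Any' (firewall rules not bound to a program) is not flagged by this check.
    if ([string]::IsNullOrWhiteSpace($Path) -or $Path -eq 'Any') { return $true }
    $full = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    # Driver image paths often appear as \??\C:\... or \SystemRoot\...; normalise before comparing.
    $full = $full -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    foreach ($t in $Trusted) {
        if ($full.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ExePath([string]$Command) {
    # Pull the binary out of a command line: a quoted path, or the first token ending in .exe/.dll/.sys.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-SuspiciousFirewallRules {
    # SprySOCKS adds an allow rule for its own traffic: report enabled Allow rules whose
    # bound program sits outside the trusted trees.
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        if (-not (Test-TrustedPath $app.Program)) {
            [pscustomobject]@{ Check = 'FirewallAllowRule'; Name = $rule.DisplayName; Direction = $rule.Direction; Program = $app.Program }
        }
    }
}

function Get-SuspiciousAutoruns {
    # Startup persistence: Run keys, services and loaded kernel drivers pointing outside the trusted trees.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip provider metadata such as PSPath
            $exe = Get-ExePath ([string]$p.Value)
            if (-not (Test-TrustedPath $exe)) {
                [pscustomobject]@{ Check = 'RunKey'; Name = "$k\$($p.Name)"; Program = $exe }
            }
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ExePath ([string]$svc.PathName)
        if (-not (Test-TrustedPath $exe)) {
            [pscustomobject]@{ Check = 'Service'; Name = $svc.Name; Program = $exe; State = $svc.State }
        }
    }
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        $sys = Get-ExePath ([string]$drv.PathName)
        if (-not (Test-TrustedPath $sys)) {
            [pscustomobject]@{ Check = 'KernelDriver'; Name = $drv.Name; Program = $sys; State = $drv.State }
        }
    }
}

function Get-SideloadCandidates([string]$ExePath) {
    # DLL side-loading pairs a legitimately signed EXE with a planted DLL beside it. For a
    # validly signed EXE outside the trusted trees, report co-located DLLs whose Authenticode
    # signature is missing or invalid.
    $full = [Environment]::ExpandEnvironmentVariables($ExePath)
    if (-not (Test-Path -LiteralPath $full)) { return }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') { return }
    Get-ChildItem -LiteralPath (Split-Path $full -Parent) -Filter *.dll -File | ForEach-Object {
        $dsig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($dsig.Status -ne 'Valid') {
            [pscustomobject]@{ Check = 'SideloadCandidate'; Name = $_.FullName; Program = $full; Signer = $sig.SignerCertificate.Subject; DllStatus = $dsig.Status }
        }
    }
}

$findings = @(Get-SuspiciousFirewallRules) + @(Get-SuspiciousAutoruns)
$sideload = $findings | Where-Object { $_.Check -in 'RunKey', 'Service' } |
    ForEach-Object { Get-SideloadCandidates $_.Program }
@($findings) + @($sideload) | Format-Table -AutoSize -Wrap
```

Treat a clean result with caution: everything this script reads (registry, service table, driver list, file system) comes from the same kernel that the WIN_DRV rootkit filters, so the malware's own artifacts can be absent from the output. Use it to triage the visible persistence (a Run entry or service whose target file "does not exist" on disk is itself a signal), then confirm against the disk mounted offline or against a known-good baseline of firewall rules and autoruns.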
FishMonger, I‑Soon, and the wider toolkit
ESET attributes SprySOCKS to FishMonger—also tracked as Earth Lusca and Aquatic Panda—describing the group as operating under the Winnti umbrella and “believed to run out of Chengdu, China.” The firm noted that FishMonger’s toolkit already included ShadowPad, Cobalt Strike and the Biopass RAT. ESET also referenced public reporting that Chinese contractor I‑Soon is believed to operate the group; employees of I‑Soon were indicted in the US in March 2025 over hacking‑for‑hire operations.
ESET could not confirm initial access vectors for the observed intrusions, but noted FishMonger typically exploits unpatched public‑facing servers. On the host, the malware’s use of DLL side‑loading and startup persistence allows it to blend into signed‑file activity.
What this means for government bodies, security teams, and network operators
- Government bodies targeted in ESET telemetry (Honduras, Taiwan, Thailand and Pakistan): must assume a Windows-capable variant of SprySOCKS exists in the wild and review exposed public‑facing services and recent incident logs for the described stealth techniques.
- Security teams and endpoint defenders: should be aware the WIN_DRV driver hides artifacts at kernel level, can add firewall exceptions, and may be installed via DLL side‑loading—techniques that reduce the visibility of standard tools like netstat and typical file/process listings.
- Network operators and intrusion analysts: need to account for alternative C2 channels (TCP, UDP, WebSocket) and for traffic rerouting behaviors that can conceal true destinations, as well as the presence of a built‑in SOCKS proxy that can be abused for tunneling.
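A kernel rootkit that filters the connection table hides from netstat, Get-NetTCPConnection and every other tool that asks the same kernel, but it cannot hide from a sensor on the wire. The cross-check below is an added example (editor's code, not ESET's or the article's): it takes the host's own list of established TCP sessions and subtracts it from what a network sensor recorded for that host in the same window, leaving the sessions the host will not admit to. It assumes a CSV export with Zeek-style columns (id.orig_h, id.orig_p, id.resp_h, id.resp_p); the embedded sample rows are constructed, not captured traffic.

```powershell
# Added example (editor's code, not ESET's). Host view versus network view of the same host's
# TCP sessions. Assumption: the sensor export is a CSV with Zeek conn.log column names.

function Get-HostTupleSet {
    # What the host admits to. Get-NetTCPConnection reads the same kernel tables netstat does,
    # so a rootkit that filters those tables blinds both of them equally.
    $set = [System.Collections.Generic.HashSet[string]]::new()
    Get-NetTCPConnection -State Established | ForEach-Object {
        [void]$set.Add(('{0}:{1}>{2}:{3}' -f $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort))
    }
    return $set
}

function Get-SensorTupleSet([string]$CsvPath, [string]$HostIp) {
    # What the wire saw, normalised to the host's perspective (local:port>remote:port).
    $set = [System.Collections.Generic.HashSet[string]]::new()
    Import-Csv -Path $CsvPath | ForEach-Object {
        if ($_.'id.orig_h' -eq $HostIp) {
            # host initiated the session
            [void]$set.Add(('{0}:{1}>{2}:{3}' -f $_.'id.orig_h', $_.'id.orig_p', $_.'id.resp_h', $_.'id.resp_p'))
        } elseif ($_.'id.resp_h' -eq $HostIp) {
            # host was the responder, so local = responder side, remote = originator side
            [void]$set.Add(('{0}:{1}>{2}:{3}' -f $_.'id.resp_h', $_.'id.resp_p', $_.'id.orig_h', $_.'id.orig_p'))
        }
    }
    return $set
}

function Find-HiddenConnections([string]$CsvPath, [string]$HostIp) {
    # Sessions the sensor recorded that the host does not report. On a host running a
    # connection-hiding rootkit, the backdoor's C2 and SOCKS sessions land in this set.
    $hostView = Get-HostTupleSet
    $netView  = Get-SensorTupleSet -CsvPath $CsvPath -HostIp $HostIp
    foreach ($t in $netView) {
        if (-not $hostView.Contains($t)) {
            [pscustomobject]@{ Tuple = $t; SeenBy = 'sensor-only'; Note = 'absent from kernel TCP table' }
        }
    }
}

# Constructed sample export (documentation address ranges, not real traffic) so the script runs
# end to end; replace the path and host IP with a real sensor export and the host's address.
$sample = @'
id.orig_h,id.orig_p,id.resp_h,id.resp_p
10.0.0.5,49711,203.0.113.10,443
198.51.100.7,51234,10.0.0.5,3389
'@
$csv = Join-Path $env:TEMP 'sensor_sample.csv'
Set-Content -Path $csv -Value $sample
Find-HiddenConnections -CsvPath $csv -HostIp '10.0.0.5' | Format-Table -AutoSize
```

Two caveats keep this honest. First, timing: a session that closed between the sensor capture and the host snapshot is a benign "sensor-only" hit, so take the host snapshot while the capture window is still open and keep that window short. Second, the port-redirection trick ESET describes means the wire shows the operator talking to a port the host legitimately has open (the sensor sees, say, 443), so do not dismiss a hidden tuple because its port looks ordinary; the discrepancy between the two views is the finding, not the port number.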
Most concerning among ESET's findings were limited indications that some intrusions may reach deeper than the Windows kernel, to a UEFI bootkit that executes before Windows itself loads. ESET urged defenders to watch FishMonger closely. The combination of kernel-level concealment, startup persistence and a broad command set makes SprySOCKS' move from Linux to Windows a tactical escalation: the backdoor is built to sit exactly where investigators' standard tools do not look.
https://www.infosecurity-magazine.com/news/sprysocks-backdoor-windows/