"The discovery of a Windows variant of SprySOCKS, previously known as Linux-only backdoor, represents a meaningful expansion of FishMonger's cross-platform capabilities," ESET said.
ESET's finding: two Windows variants tied to SprySOCKS version 1.8
Slovakian vendor ESET shared with The Hacker News that it identified two previously undocumented Windows builds of SprySOCKS internally marked as WIN_DRV and WIN_PLUS. Both are version 1.8 artifacts and are DLL-based backdoors that include a hard-coded command-and-control (C&C) configuration and support three communication channels — TCP, UDP, and WebSocket. ESET's analysis found the Windows ports retain "most of the core architecture" of the Linux predecessor, including the C&C protocol, encryption, and command handling logic, while substituting Windows-native mechanisms where required, according to researcher Martin Smolár.
WIN_DRV: kernel drivers, RawWNPF and TCP traffic diversion
The WIN_DRV sample pairs the backdoor with kernel-mode components to increase stealth. ESET identified a kernel driver named RawWNPF, delivered as the file "KW1B5206BDC1743FP.dat", and a second encrypted driver named DriverLoader ("KX1B5206BDC1743DD.dat") used to load it. The drivers are used to conceal the malware's network connections, processes, files, and registry keys. WIN_DRV also implements a TCP traffic-diversion capability that permits operators to send commands to the backdoor through a random TCP port on the victim device without exposing the backdoor's actual listening port in network traffic.
WIN_PLUS: Print Spooler start, print processor loader, and svchost injection
WIN_PLUS follows a different execution scheme. ESET observed that WIN_PLUS leverages the Windows Print Spooler service ("spoolsv.exe") to execute a first-stage loader that runs as a print processor. That loader is designed to inject and run a SprySOCKS loader inside a newly created "svchost.exe" process to launch the backdoor. Both WIN_DRV and WIN_PLUS implement the same set of operator commands — ESET reported more than 30 — covering system information collection, process enumeration, service listing and management, file upload/download, initializing a SOCKS proxy, and launching an interactive operator console.
Lineage: Trochilus, RedLeaves, Webworm, and FishMonger ties
ESET and prior reporting tie SprySOCKS to a family of Chinese-linked tooling and clusters. SprySOCKS was first publicly documented by Trend Micro in September 2023 and attributed to an actor Trend Micro calls Earth Lusca. ESET notes the backdoor is based on a Windows remote access trojan called Trochilus and shares source-code traits with RedLeaves. The use of Trochilus has also been linked to another actor named Webworm, which in turn has "tradecraft commonalities" with FishMonger and a cluster known as SixLittleMonkeys. ESET, which assigned the FishMonger name, described the group as a cyber espionage cluster that falls under the broader Winnti umbrella and, in March 2025, linked it to Operation FishMedley — a global campaign that targeted seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022.
Operational footprint: deployments, initial access, and UEFI indications
ESET reports evidence the Windows artifacts may have been deployed between 2023 and 2024 against government organizations in Honduras, Taiwan, Thailand, and Pakistan. The WIN_PLUS variant was first detected in July 2024 on a victim device geolocated to Pakistan. The observed attack chain drops a batch script that creates and executes a scheduled task, which triggers a DLL side-loading chain to place the backdoor and its driver components. ESET notes the initial access pathway for those deployments remains undetermined, although the group has previously exploited N-day flaws in public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra instances to obtain a foothold.
There are also "limited indications" that a UEFI bootkit may have been involved, likely exploiting CVE-2023-24932 — a security feature bypass in the Windows Boot Manager with a CVSS score of 6.7 — a flaw Microsoft addressed in May 2023.
What this means for technologists, policymakers, and targeted governments
- Technologists and security teams: Expect to hunt for kernel driver loading activity, DLL side-loading chains, scheduled tasks that drop launchers, and Print Spooler–based first-stage loaders; note the use of TCP/UDP/WebSocket channels and the reported TCP traffic diversion technique when examining anomalous network behavior.
- Policymakers and regulators: The addition of Windows-capable implants to a cluster previously observed on Linux expands cross-platform espionage risk and intersects with previously disclosed N-day exploitation; agencies responsible for software updates and incident reporting will need to consider cross-platform attribution and remediation timelines.
- Targeted government organizations (Honduras, Taiwan, Thailand, Pakistan): The Windows detections and a July 2024 WIN_PLUS finding in Pakistan highlight active exploitation against government networks and underscore the value of investigating persistent scheduled tasks, side-loaded DLLs, and potential UEFI persistence.
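As an added example, and not code from ESET's report, the following PowerShell triage script checks a Windows host for the four artifact classes the hunting bullet above lists and the WIN_DRV and WIN_PLUS descriptions explain: registered print processors and the DLLs under the spooler's prtprocs directory, loaded kernel drivers whose image is not a signed .sys file (WIN_DRV's RawWNPF arrives as a .dat file), scheduled tasks that run batch scripts or binaries outside the Windows and Program Files trees, and svchost.exe instances not parented by services.exe. The registry path, directory and cmdlets are standard Windows; the heuristics themselves (only winprint expected as a print processor, services.exe as the sole legitimate svchost parent, .sys as the only driver image extension) are assumptions of this script, not indicators published by ESET.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not ESET's code). Each check maps to an artifact class
# described in the report; the thresholds are assumptions and every hit needs
# manual review before it is treated as a detection.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Category, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Print processors (WIN_PLUS runs its first stage as one under spoolsv.exe).
#    A stock host registers only 'winprint' backed by winprint.dll; anything
#    else, or an unsigned DLL in the prtprocs tree, is worth a look.
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
Get-ChildItem $envRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $ppKey = Join-Path $_.PSPath 'Print Processors'
    Get-ChildItem $ppKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Driver
        if ($_.PSChildName -ne 'winprint' -or $dll -ne 'winprint.dll') {
            Add-Finding 'PrintProcessor' "$($_.PSChildName) -> $dll"
        }
    }
}
$prtprocs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'
Get-ChildItem $prtprocs -Recurse -Filter *.dll -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'PrintProcessorDll' "$($_.FullName) [$($sig.Status)]"
    }
}

# 2. Kernel drivers (WIN_DRV loads RawWNPF from a '.dat' image via a loader
#    driver). Flag drivers whose image is not a .sys file or is not validly signed.
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    if (-not $_.PathName) { return }
    # Normalise the \??\ and \SystemRoot\ prefixes that driver ImagePath values use.
    $img = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $img = [Environment]::ExpandEnvironmentVariables($img)
    if (-not [IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }
    if ([IO.Path]::GetExtension($img) -ne '.sys') {
        Add-Finding 'DriverImage' "$($_.Name) [$($_.State)]: $img"
    } elseif (Test-Path -LiteralPath $img) {
        $sig = Get-AuthenticodeSignature -LiteralPath $img
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'DriverSignature' "$($_.Name) [$($_.State)]: $img [$($sig.Status)]"
        }
    }
}

# 3. Scheduled tasks (the observed chain drops a batch script that creates a
#    task which starts the DLL side-loading chain). Flag tasks that run .bat/.cmd
#    files or executables outside the Windows and Program Files trees.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        $cmd = "$exe $($a.Arguments)".Trim()
        $inTrusted = $false
        foreach ($t in $trusted) { if ($exe.StartsWith($t, 'OrdinalIgnoreCase')) { $inTrusted = $true } }
        if ($cmd -match '(?i)\.(bat|cmd)(\s|"|$)' -or -not $inTrusted) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $cmd"
        }
    }
}

# 4. svchost.exe parentage (WIN_PLUS starts the backdoor inside a fresh
#    svchost.exe created by the print-processor loader). Genuine svchost.exe
#    instances are children of services.exe.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    if ($p.Name -ne 'svchost.exe') { continue }
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and $parent.Name -ne 'services.exe') {
        Add-Finding 'SvchostParent' "PID $($p.ProcessId) parent $($parent.Name) (PID $($parent.ProcessId))"
    }
}

$findings | Sort-Object Category | Format-Table -AutoSize
```

Two caveats follow directly from the report. WIN_DRV's drivers exist to hide network connections, processes, files and registry keys from the host itself, so a clean result from an on-host script is not exoneration; corroborate with EDR kernel telemetry, an offline disk image or a memory capture taken from outside the running OS. And the TCP traffic-diversion feature means the backdoor's real listening port need not appear in host-side socket listings, so the network side has to be covered with flow or packet telemetry rather than this script.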
SprySOCKS' migration to Windows, the addition of kernel-based concealment and Print Spooler–anchored loaders, and the limited UEFI indicators together mark a pragmatic widening of capability. ESET's report leaves open the initial access vector for the Windows deployments even as it documents concrete tools and files — a contrast between visible implant mechanics and the still-unresolved entry point that investigators and defenders must close.