ESET Research: China-aligned FishMonger updates its arsenal, targets governments in Asia and Latin America
ESET researchers have discovered two as-yet undocumented Windows variants (WIN_DRV and WIN_PLUS) of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I-SOON. While ESET initially discovered the malware samples on VirusTotal uploaded in April 2024, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations.
The WIN_DRV variant includes support for over 30 Command and Control (C&C) commands, covering various functionalities, including system information collection and process enumeration as well as service management and file management functions, such as listing, creating, deleting, and transferring files.
In addition to the core backdoor functionality, FishMonger’s backdoor weaponizes a kernel driver for advanced stealth. SprySOCKS utilizes this driver to hide the malware’s network connections, processes, files, and registry keys and enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor’s real listening port in the network traffic.
Based on ESET telemetry, there are limited indications that some SprySOCKS attack scenarios could involve a UEFI bootkit component, possibly exploiting CVE-2023-24932.
FishMonger — believed to be operated by a Chinese contractor named I-SOON — is a cyberespionage group that falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu. It is also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10. ESET Research published an analysis of FishMonger in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. The group is also known to operate watering-hole attacks. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.
For a more detailed analysis about FishMonger’s latest arsenal, check out the ESET Research blog post “Fishmonger’s arsenal upgraded: SprySOCKS for Windows” on WeLiveSecurity.com.
This entry was posted on June 16, 2026 at 1:15 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.