Industry News & Leadership

Chinese Hacking Firm Upgrades With New Windows Backdoor

Data Breach Today, Jun 16, 2026

Researchers Identified Two Undocumented Variants Used Since 2023

Eset uncovered two previously undocumented Windows variants of the China-linked SprySocks backdoor tied to FishMonger and iSoon, revealing expanded espionage capabilities, rootkit-based stealth and continued targeting of government organizations across Asia and Central America.



Fraud Management & Cybercrime, Government, Industry Specific

Tiffany Wang • June 16, 2026

Security researchers have identified two previously undocumented Windows backdoors linked to Chinese espionage activity that targeted government organizations in Asia and Central America between 2023 and 2024.

The newly discovered variants are an upgrade of SprySocks, a Linux backdoor tied to the Chinese threat actor tracked as FishMonger or Earth Lusca and to the hacking contractor iSoon. The malware supports more than 30 command-and-control functions and uses a kernel driver to hide its real network ports, cybersecurity firm Eset said. The variants retain the core architecture of their Linux predecessor but adopt Windows-native mechanisms for cross-platform functionality and introduce additional evasion techniques.

"This backdoor was previously believed to be Linux-only, with no known Windows variant. Our findings demonstrate that Windows variants do exist," said Martin Smolár, senior malware researcher at Eset.

FishMonger is believed to be operated by iSoon, a private hacking contractor from Chengdu, China, to carry out long-term intelligence gathering and data theft. Several iSoon executives were indicted by a U.S. federal court in 2024 for alleged cybercrimes. Smolár said whether the legal action affected FishMonger's operations or the newly discovered backdoor variants remains an open question (see: US Prosecutors Indict iSoon Chinese Hacking Contractors).

The Linux version of the backdoor, first discovered in 2023, was used in attacks against government agencies involved in foreign affairs, technology and telecommunications worldwide. It is based on an open-source Windows remote access Trojan and consists of a loader and an encrypted main payload.

The only command-and-control IP address identified in the Windows campaign belonged to the same IP range as a SprySocks delivery server used by FishMonger in 2023.

The new Windows variants preserve much of the Linux version's architecture, including the C&C message format, the encryption keys and algorithms, and the HP-Socket network communication framework. What differs is that the variants support communications over TCP, UDP and WebSocket, and add new C&C commands for system information collection, process enumeration, service management, and file creation and transfer.

The Windows variants are also stealthier, relying on a kernel-level rootkit to conceal malicious activity. "SprySocks utilizes this driver to hide the malware's network connections, processes, files, and registry keys and enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor through a random TCP port on the victim’s device without exposing the backdoor’s real listening port in the network traffic," Eset wrote.

The campaign primarily targeted government organizations in Honduras, Taiwan, Thailand and Pakistan.

Eset's telemetry also suggests that some attacks may have involved a Unified Extensible Firmware Interface bootkit, indicating the threat actor could be exploiting CVE-2023-24932, a Secure Boot bypass vulnerability in Windows Boot Manager. The flaw allows attackers to execute untrusted software during the UEFI boot process, before the operating system's own protections are active, undermining Secure Boot's guarantees.
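A driver that filters the OS's connection enumeration (what netstat, Get-NetTCPConnection and GetExtendedTcpTable show) does not stop the TCP stack from refusing to hand out a port it already owns. Diffing those two views, the "cross-view" detection that applies to the port hiding described above, is the check a responder would want here. The script below is an added example written for this page, not Eset's tooling or code from the article: it assumes `netstat` is on the host (on Windows use an elevated prompt; on Linux run as root so low ports return EADDRINUSE rather than EACCES), the sample netstat output is constructed, and the port-hiding driver is assumed to hook enumeration only, not `bind()`.

```python
"""Cross-view check for TCP ports hidden from the OS enumeration APIs (added example)."""
import errno
import platform
import socket
import subprocess
from typing import Iterable

WSAEACCES, WSAEADDRINUSE = 10013, 10048  # Winsock codes, matched via OSError.winerror

# Constructed sample of `netstat -ano` output from a Windows host (not real telemetry).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         93.184.216.34:443      ESTABLISHED     2412
  TCP    [::]:135               [::]:0                 LISTENING       888
  UDP    0.0.0.0:5353           *:*                                    1304
"""


def reported_local_ports(netstat_output: str) -> set[int]:
    """Every TCP local port the enumeration view admits to, in any state.

    Accepts the Windows (`TCP`, `LISTENING`) and Linux (`tcp`, `tcp6`, `LISTEN`)
    layouts: the protocol is the first column and the local address is the first
    column containing ':' (the foreign address always follows it). Non-LISTEN
    states are kept on purpose: an outbound connection's local port also fails
    bind(), and only ports the OS denies entirely should count as hidden.
    """
    ports: set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        port = local.rsplit(":", 1)[1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def probe_port(port: int, family: int = socket.AF_INET, addr: str = "0.0.0.0") -> str:
    """Ask the TCP stack directly instead of the enumeration API a rootkit hooks.

    Returns "free", "in_use" (EADDRINUSE: some socket owns the port, listed or not)
    or "denied" (EACCES: on Windows an SO_EXCLUSIVEADDRUSE owner or a range from
    `netsh int ipv4 show excludedportrange protocol=tcp`; on Linux a port below
    1024 without CAP_NET_BIND_SERVICE). Use family=AF_INET6, addr="::" for v6-only.
    """
    with socket.socket(family, socket.SOCK_STREAM) as s:
        if platform.system() != "Windows":
            # Tolerate TIME_WAIT leftovers where the kernel allows it; a LISTEN
            # socket still rejects the bind. Never set this on Windows: there
            # SO_REUSEADDR lets bind() succeed on a port someone else is listening
            # on, which would hide exactly what this probe looks for.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((addr, port))
        except OSError as exc:
            win = getattr(exc, "winerror", None)
            if exc.errno == errno.EADDRINUSE or win == WSAEADDRINUSE:
                return "in_use"
            if exc.errno == errno.EACCES or win == WSAEACCES:
                return "denied"
            raise
        return "free"


def cross_view_diff(reported: set[int], candidates: Iterable[int]) -> dict[str, list[int]]:
    """Ports the TCP stack refuses to hand out but the enumeration view omits.

    "hidden" is the strong signal; "needs_review" holds EACCES ports, usually
    reserved ranges rather than malware. A connection opened between the listing
    and the probe shows up as a one-off false positive, so rerun before acting.
    """
    hidden: list[int] = []
    review: list[int] = []
    for port in candidates:
        if port in reported:
            continue
        state = probe_port(port)
        if state == "in_use":
            hidden.append(port)
        elif state == "denied":
            review.append(port)
    return {"hidden": hidden, "needs_review": review}


def open_listener(port: int = 0) -> socket.socket:
    """A real LISTEN socket (ephemeral port by default) to exercise the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    return srv


def live_netstat() -> str:
    """The host's own enumeration view: -ano on Windows adds PIDs, -ant on Linux."""
    args = ["netstat", "-ano"] if platform.system() == "Windows" else ["netstat", "-ant"]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    result = cross_view_diff(reported_local_ports(live_netstat()), range(1, 65536))
    print("bound but unlisted TCP ports:", result["hidden"] or "none")
    print("EACCES ports to review:", result["needs_review"] or "none")
```

A hit in `hidden` is worth a memory-level look (the owning socket and process will not show up in user-mode tools either), but a clean run is not proof of absence: a driver can just as well filter `bind()` results, and this probe says nothing about the hidden processes, files and registry keys the same driver conceals. On hosts without net-tools, feed the parser `netstat`-style output or adapt it to `ss -ant`, whose first column is the state rather than the protocol.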