SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection
FishMonger, a China-nexus threat group, has deployed an undocumented version of the Linux backdoor against government targets in Honduras, Taiwan, Thailand, and Pakistan.
Rob Wright, Senior News Director, Dark Reading
June 16, 2026
FishMonger, a notorious nation-state threat group tied to a Chinese technology company, has expanded its tooling with a Windows backdoor that uses kernel drivers to remain undetected.
ESET discovered a previously undocumented version of SprySOCKS, a Linux backdoor that initially was observed in 2023 in threat activity from FishMonger (aka Earth Lusca and Aquatic Panda). Last year, the cyber-espionage group was tied to i-Soon, a Chinese technology company that conducted cyber operations on behalf of the People's Republic of China (PRC).
ESET researchers recently found samples of the Windows version of SprySOCKS on VirusTotal, but further telemetry analysis revealed it had been deployed in the wild in 2023 and 2024. According to an ESET report published today, the Windows variant had been deployed primarily against government organizations in Honduras, Taiwan, Thailand, and Pakistan.
In addition to porting SprySOCKS to Windows, FishMonger actors added new functionality using malicious kernel drivers that allow the backdoor to remain undetected. The newly discovered variant shows how extensive the advanced persistent threat's arsenal is, and once again demonstrates the danger posed by kernel drivers to enterprise security.
Kernel Drivers Provide Cover for SprySOCKS
ESET researchers found two types of the Windows variant in their analysis, internally labeled as WIN_DRV and WIN_PLUS. While both have the core functionality of previous SprySOCKS backdoors, the WIN_DRV version uses kernel drivers for "advanced stealthiness," according to the report.
Specifically, WIN_DRV uses two encrypted kernel drivers, the first of which is fsdiskbit.sys or, as ESET researchers call it, "DriverLoader." The aptly named driver is delivered via the SprySOCKS loader and serves a single purpose: to load the second kernel driver, named "RawWNPF," directly into the memory of the target system.
The RawWNPF driver in turn hides the backdoor's malicious activity and can be configured through the driver's custom I/O control codes (IOCTLs). Because such drivers have privileged access to the Windows kernel, they can be used to kill security processes or, in the case of SprySOCKS, conceal malware's processes and files by intercepting certain system calls and modifying the output.
For example, RawWNPF hides processes by hooking the execution of the NtQuerySystemInformation Windows system call. "If any of the processes retrieved by this API function match a process from the driver's list of hidden processes, the driver removes this process from the function's output," ESET researchers wrote in the report.
The report also noted that DriverLoader was signed with a digital certificate exposed on GitHub in the open source PastDSE project, which allowed it to load on "at least some outdated or misconfigured systems," according to ESET. It's unclear how long the code-signing certificate has been exposed, but Martin Smolár, senior malware researcher at ESET, tells Dark Reading that as far as he knows, it hasn't been revoked yet.
Threat actors often abuse vulnerable, legitimate drivers for malicious tools like EDR killers, which poses challenges for security teams because blocking such drivers might trigger system crashes. But that is not the case with SprySOCKS, according to Smolár.
"All drivers being abused here are malicious and should be subject to detection," he says.
SprySOCKS Windows Variant Delivery Remains a Mystery
It's unclear how FishMonger achieved initial access to victims' networks in the attacks, but ESET researchers have noted that the APT has in the past exploited N-day vulnerabilities on public-facing servers to gain a foothold.
"While we were not able to confirm the exact way FishMonger got into its victims' systems in this campaign, the presence of a server operating system on some of the victim devices along with FishMonger's typical modus operandi suggest that the attackers may well have got in through misconfigured or unpatched public-facing applications," ESET wrote.
Additionally, ESET noted that its telemetry showed "limited indications" that some of the recent SprySOCKS attacks may have involved a UEFI bootkit component, possibly exploiting CVE-2023-24932. "Considering the limited indications of possible UEFI bootkit involvement, we advise everyone to keep a close eye on the group's activities," said the report.
The Windows variant shows a "meaningful expansion of FishMonger's cross-platform capabilities," ESET's research team said. But while the addition of malicious drivers provides advanced stealth for SprySOCKS, Smolár says they don't necessarily indicate a high skill level for the threat actors.
"To me, the number of drivers isn't itself a sophistication signal," he says. "Also, in this case, relying on a leaked certificate that would only work on outdated/misconfigured systems tells me little about the attacker's skill (because why burn a zero-day if the 'cheaper' method works well for the victim?)."
While the initial access vector remains a mystery, ESET released indicators of compromise (IoCs) for defenders, which include file names and the IP address of the malware's hardcoded command-and-control server. Additionally, ESET recommends that enterprise security teams enable hypervisor-protected code integrity (HVCI), a Windows security feature that blocks malicious drivers from loading.
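As an added illustration of the two defensive points above (it is not code from ESET or Dark Reading), the following PowerShell audits a host for whether HVCI is actually running, turns the documented registry switches on if it is not, and checks whether the DriverLoader file name quoted in the article (fsdiskbit.sys) is registered as a system driver. It assumes Windows 10/11 or Server 2016+, an elevated session, and that a reboot follows any change.

```powershell
# Added example, not from the ESET report. Run elevated; a reboot is needed after enabling HVCI.

function Get-HvciState {
    # Win32_DeviceGuard reports configured vs. running security services.
    # In the SecurityServices* arrays, 1 = Credential Guard and 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
    }
}

function Enable-Hvci {
    # Documented Microsoft registry keys for VBS + HVCI. Locked=0 keeps the setting
    # changeable from the OS; Locked=1 (UEFI lock) can only be cleared from firmware.
    $vbs  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci = "$vbs\Scenarios\HypervisorEnforcedCodeIntegrity"
    Set-ItemProperty -Path $vbs -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    New-Item -Path $hvci -Force | Out-Null
    Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $hvci -Name Locked  -Value 0 -Type DWord
}

function Find-NamedDriver {
    # Looks for registered kernel drivers whose name or path matches an IoC file name.
    # 'fsdiskbit' is the DriverLoader name from the article; add others from the ESET IoC list.
    param([string[]]$Patterns = @('fsdiskbit'))
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $d = $_; ($Patterns | Where-Object { $d.Name -like "*$_*" -or $d.PathName -like "*$_*" }).Count -gt 0
    } | ForEach-Object {
        $sig = if ($_.PathName -and (Test-Path $_.PathName)) { Get-AuthenticodeSignature $_.PathName }
        [pscustomobject]@{
            Name = $_.Name; Path = $_.PathName; State = $_.State
            SigStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject
        }
    }
}

$state = Get-HvciState
$state | Format-List
if (-not $state.HvciRunning) { Write-Warning 'HVCI not running; enabling (reboot required).'; Enable-Hvci }
Find-NamedDriver | Format-Table -AutoSize
```

A match from Find-NamedDriver is a lead for incident response, not a verdict; the signer subject it prints is what to compare against the leaked certificate described in the ESET report.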
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends.
Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. At TechTarget and Dark Reading, he has won several Azbee awards, including the 2026 National Silver Award for a series on vibe coding.
At Dark Reading, Rob currently covers security operations, cloud security, and Internet infrastructure. He has a keen interest in malvertising activity and the certificate authority industry, and has written extensively on both topics. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.