Cybersecurity researchers have identified two previously undocumented Windows variants of SprySOCKS, a backdoor family that was previously believed to run exclusively on Linux. According to findings shared by cybersecurity company ESET, the newly discovered Windows versions, internally labeled WIN_DRV and WIN_PLUS, carry hard-coded command-and-control (C2) configurations and communicate over TCP, UDP, and WebSocket. The discovery marks an expansion in the operational capabilities of the malware, which has been linked to a China-associated cyber espionage group tracked by multiple security vendors. Researchers stated that both Windows variants keep many of the core functions of the Linux version, including support for more than 30 commands covering system information gathering, process monitoring, service management, file system operations, and remote execution. ESET reported its findings in a detailed analysis shared with the cybersecurity publication The Hacker News.
According to ESET, the WIN_DRV variant adds stealth through a kernel driver capable of concealing network connections, files, registry keys, and running processes from user-mode tooling and detection systems. Researchers found that the driver, identified as RawWNPF, is deployed through an encrypted driver loader component, strengthening concealment while preserving the functionality already observed in Linux deployments. One notable feature of WIN_DRV is TCP traffic diversion: operators can reach a compromised system through arbitrary TCP ports without the backdoor's actual listening port ever appearing in the host's visible network activity. Researchers noted that this complicates detection and forensic investigation, because the listening sockets and connections that analysts normally use to spot suspicious behavior are masked. ESET researcher Martin Smolár stated that the Windows adaptation preserves the malware's core command handling logic, encryption approach, and communication structure while integrating Windows-specific methods to improve stealth and persistence.
SprySOCKS was first documented publicly by Trend Micro in September 2023 and attributed to a China-linked threat actor known as Earth Lusca, also tracked under names including Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. Security researchers assess that the group has been active since at least 2021 and may be associated with the Chinese contractor i-Soon. ESET tracks the cluster as FishMonger and places it within the broader Winnti cyber espionage umbrella. In a report published in March 2025, ESET connected FishMonger to a campaign named Operation FishMedley, which reportedly targeted organizations across Taiwan, Hungary, Turkey, Thailand, France, and the United States between January and October 2022. Researchers also observed code similarities between SprySOCKS and the Windows remote access trojan Trochilus, as well as the RedLeaves malware, indicating shared development lineage and overlapping tooling among several China-linked threat operations.
The newly discovered WIN_PLUS variant uses a different execution chain from WIN_DRV: it abuses the Windows Print Spooler service (spoolsv.exe) to launch a first-stage loader registered as a print processor. That loader then injects a SprySOCKS loader into a newly created svchost.exe process, which executes the backdoor. Researchers stated that both variants are DLLs and support C2 communication over multiple channels, enabling file upload and download, process enumeration, interactive console execution, service listing, SOCKS proxy initialization, and remote command execution. Evidence reviewed by ESET suggests the malware was deployed between 2023 and 2024 in campaigns targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan, with WIN_PLUS reportedly first identified in July 2024 on a victim system geolocated to Pakistan. Researchers also identified limited indicators suggesting possible involvement of a UEFI bootkit exploiting CVE-2023-24932, a Windows Boot Manager security feature bypass (Secure Boot bypass) patched by Microsoft in May 2023. ESET stated that the emergence of Windows-based SprySOCKS variants reflects an expansion of FishMonger's cross-platform cyber espionage capabilities.
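The three host artefacts the article attributes to the Windows variants (a print processor loaded by spoolsv.exe, a loader injected into a freshly spawned svchost.exe, and a kernel driver delivered by a loader) can each be triaged with built-in tooling. The script below is an added example written for this page, not code from ESET's report or from the SprySOCKS samples. It assumes, beyond what the article states, that winprint.dll is the only built-in print processor, that legitimate svchost.exe instances are children of services.exe, and that print processor and driver binaries on a clean host carry valid Microsoft signatures; vendor printer drivers and third-party security products legitimately violate these assumptions, so the output is a lead list for an analyst, not a verdict.

```powershell
# Added triage script for the SprySOCKS Windows variants described above (example code,
# not ESET's tooling). Run in an elevated PowerShell session.
# Assumptions (not from the article): winprint.dll is the only built-in print processor;
# legitimate svchost.exe is started by services.exe; expected binaries are Microsoft-signed.

function Get-SignatureSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'MISSING'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status = [string]$sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# WIN_PLUS: print processors are registered per environment under the Print key and
# loaded by spoolsv.exe from %SystemRoot%\System32\spool\prtprocs\<Directory>.
function Get-PrintProcessorFindings {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    foreach ($printEnv in Get-ChildItem -Path $root) {
        $ppKey = Join-Path $printEnv.PSPath 'Print Processors'
        if (-not (Test-Path $ppKey)) { continue }
        $subdir = (Get-ItemProperty -Path $printEnv.PSPath).Directory   # e.g. 'x64'
        foreach ($pp in Get-ChildItem -Path $ppKey) {
            $dll  = (Get-ItemProperty -Path $pp.PSPath).Driver
            $path = Join-Path "$env:SystemRoot\System32\spool\prtprocs\$subdir" $dll
            $sig  = Get-SignatureSummary $path
            [pscustomobject]@{
                Environment = $printEnv.PSChildName
                Processor   = $pp.PSChildName
                Dll         = $dll
                Path        = $path
                Status      = $sig.Status
                Signer      = $sig.Signer
                # Flag anything that is not the default processor or not Microsoft-signed
                Flag        = ($dll -ne 'winprint.dll') -or ($sig.Status -ne 'Valid') -or ($sig.Signer -notmatch 'Microsoft')
            }
        }
    }
}

# WIN_PLUS: the injected loader lives in a svchost.exe that spoolsv.exe (not services.exe) created.
function Get-OrphanSvchost {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[$p.ProcessId] = $p }
    foreach ($p in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
        $parent     = $byId[$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -ne 'services.exe') {
            [pscustomobject]@{
                Pid = $p.ProcessId; ParentPid = $p.ParentProcessId
                Parent = $parentName; CommandLine = $p.CommandLine
            }
        }
    }
}

# WIN_DRV: list running kernel drivers whose image is not validly Microsoft-signed.
function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''                      # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot            # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"  # bare system32\drivers\...
    [Environment]::ExpandEnvironmentVariables($p)
}

function Get-NonMicrosoftDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = Get-SignatureSummary $path
            if ($sig.Status -ne 'Valid' -or $sig.Signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status; Signer = $sig.Signer }
            }
        }
}

Write-Host '== Print processors (Flag = non-default or not Microsoft-signed) =='
Get-PrintProcessorFindings | Format-Table -AutoSize
Write-Host '== svchost.exe instances not started by services.exe =='
Get-OrphanSvchost | Format-Table -AutoSize
Write-Host '== Running kernel drivers not validly signed by Microsoft =='
Get-NonMicrosoftDrivers | Format-Table -AutoSize
```

One caveat follows directly from the article: WIN_DRV's driver hides files, registry keys, processes and connections from user-mode callers, so on a host where it is already loaded these checks can be blinded. Treat a clean result as weak evidence and corroborate from a trusted vantage point, such as the registry hives and spool directory of an offline disk image, a memory image, or the network-side view of the C2 ports that the TCP traffic diversion feature is designed to keep off the host's own socket table.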
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.