Key Findings FishMonger, a China-linked APT group, has ported SprySOCKS backdoor to Windows with two new variants: WIN_DRV and WIN_PLUS WIN_DRV uses kernel drivers to hide network connections, processes, files, and registry keys from user-level detection tools WIN_PLUS exploits the Windows Print Spooler service to blend malicious activity into normal system operations Both variants were deployed against government targets in Honduras, Taiwan, Thailand, and Pakistan between 20