top of page

China-Linked FishMonger APT Deploys SprySOCKS Windows Backdoor With Kernel-Level Stealth and UEFI Bootkit Capabilities

  • Jun 17
  • 3 min read

Key Findings


  • FishMonger, a China-linked APT group, has ported SprySOCKS backdoor to Windows with two new variants: WIN_DRV and WIN_PLUS

  • WIN_DRV uses kernel drivers to hide network connections, processes, files, and registry keys from user-level detection tools

  • WIN_PLUS exploits the Windows Print Spooler service to blend malicious activity into normal system operations

  • Both variants were deployed against government targets in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024

  • Limited evidence suggests possible use of a UEFI bootkit, potentially exploiting the BlackLotus vulnerability for persistence across OS reinstalls


Background


SprySOCKS was originally documented as a Linux-only backdoor by Trend Micro in September 2023 and attributed to Earth Lusca, a contractor-operated group working for Chinese interests. The group operates under multiple names including Aquatic Panda, Charcoal Typhoon, and RedHotel, with operations dating back to at least 2021. ESET researchers track the same cluster under the FishMonger designation and place it within the broader Winnti umbrella of Chinese state-linked cyber operations.


WIN_DRV Variant: Kernel-Level Stealth


WIN_DRV represents the more technically sophisticated of the two Windows ports. It leverages a kernel driver named RawWNPF stored as KW1B5206BDC1743FP.dat to intercept and hide malware activities from any user-level monitoring tools. A second encrypted kernel driver called DriverLoader handles the loading of RawWNPF.


The deployment chain starts with a batch script dropped through undetermined initial access methods, which creates a scheduled task triggering a DLL side-loading sequence. This multi-stage approach provides operational security at each step. WIN_DRV also implements TCP traffic diversion, creating a stealthy passive backdoor that receives commands through a random TCP port with no revealing network signatures. This approach makes detection through conventional network monitoring extremely difficult.


WIN_PLUS Variant: Print Spooler Exploitation


WIN_PLUS takes a different stealth approach by abusing the Windows Print Spooler service. A first-stage loader runs as a print processor, then injects the SprySOCKS loader into a newly created svchost.exe process. Both of these processes appear constantly in normal Windows environments, allowing the malware to blend seamlessly into typical system activity. WIN_PLUS was first detected in July 2024 on a device in Pakistan.


Shared Capabilities and Command Set


Both Windows variants retain the core architecture of the Linux original, including the same command-and-control protocol, encryption mechanisms, and command handling logic. They support identical command sets including system information collection, interactive shell launch, process enumeration, service listing, SOCKS proxy initialization, file upload and download, and arbitrary file execution.


Targeting and Geographic Scope


Deployment evidence suggests the artifacts were actively used between 2023 and 2024 against government organizations across four countries: Honduras, Taiwan, Thailand, and Pakistan. FishMonger's previous targeting documented in Operation FishMedley extended to Taiwan, Hungary, Turkey, France, and the United States, indicating a sustained focus on government entities globally.


UEFI Bootkit Indicators


ESET discovered limited indications suggesting possible use of a UEFI bootkit, potentially exploiting CVE-2023-24932, the Windows Boot Manager vulnerability associated with BlackLotus. Microsoft patched this vulnerability in May 2023. If confirmed, UEFI-level persistence would allow the malware to survive complete operating system reinstalls, representing a significant escalation in capability and persistence strategy.


Attribution Complexity and Shared Codebase


SprySOCKS derives from Trochilus, a Windows remote access tool that also forms the basis for RedLeaves, another FishMonger-associated backdoor. A third group, Webworm, shares tradecraft with both FishMonger and SixLittleMonkeys while also utilizing Trochilus derivatives. This shared codebase among multiple Chinese state-linked groups complicates attribution and suggests either deliberate code sharing or access to common development frameworks maintained by Chinese contractors.


Sources


  • https://securityaffairs.com/193728/apt/china-linked-fishmonger-ports-sprysocks-to-windows-with-kernel-level-stealth-and-uefi-bootkit-hints.html

  • https://www.linkedin.com/posts/pierluigipaganini_china-linked-fishmonger-ports-sprysocks-to-activity-7472924024663236609-gYOz

  • https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page