
Introduction
The cyberespionage threat landscape has escalated with the discovery of Windows variants of SprySOCKS, a backdoor previously seen only on Linux. Operated by the FishMonger group, believed to be a Chinese contractor working under the I‑SOON umbrella, the upgraded toolset now uses a kernel‑mode driver to hide on compromised Windows systems. Active between 2023 and 2024, with victims among government organizations in Honduras, Taiwan, Thailand, and Pakistan, SprySOCKS for Windows shows how an advanced persistent threat (APT) can evade detection by hiding processes, network connections, files, and registry keys from kernel mode, below the layer at which most inspection tools operate.
Learning Objectives
- Understand the technical architecture and execution chain of the SprySOCKS WIN_DRV and WIN_PLUS variants.
- Master the kernel‑level stealth mechanisms, including process hiding, network traffic diversion, and file system filtering.
- Learn to detect and mitigate this advanced backdoor using threat‑hunting techniques, system internals, and defensive commands.
You Should Know
1. The Evolution of SprySOCKS: From Linux to Windows Kernel
SprySOCKS first emerged in September 2023 as a Linux backdoor used by FishMonger (also tracked as Earth Lusca, TAG‑22, or Aquatic Panda). Its codebase draws from the open‑source Trochilus RAT and shares characteristics with the RedLeaves backdoor, yet it has been sufficiently extended to qualify as a distinct threat. The newly discovered Windows variants—internally labeled WIN_DRV and WIN_PLUS—are version 1.8 of this backdoor and retain the same C&C message format, encryption algorithms (128‑bit AES‑ECB with the hardcoded key uXQLESMXGaRMs6BL), and statically linked HP‑Socket networking library.
What sets WIN_DRV apart is its integration of a kernel driver—RawWNPF—that enables advanced stealth capabilities far beyond those of a typical user‑mode backdoor. The driver is loaded via a multi‑stage execution chain that begins with a batch script (klelam00007.bat) that copies files to `%SystemRoot%\Fonts` and creates a scheduled task named `ApphostRagistreationVerifier` to run with SYSTEM privileges on every system start. This leverages DLL side‑loading through a legitimate ThinPrint executable, which loads a malicious DLL (tpsvcloc.dll) that ultimately decrypts and executes the backdoor payload.
Step‑by‑Step Execution Chain of WIN_DRV
- Initial Deployment: The attacker places all files in a working directory and executes `klelam00007.bat`.
- Persistence Setup: The batch script copies the files to `%SystemRoot%\Fonts` and creates a scheduled task pointing to `ApphostRagistreationVerifier.exe`.
- DLL Side‑Loading: The legitimate signed executable loads `tpsvc.dll`, which in turn loads the malicious `tpsvcloc.dll` (the SprySOCKS loader).
- Loader Execution: The loader checks for virtual environments and security products (looking for `snxhk.dll`, `SxWrapper.dll`, `SxIn.dll`, `SXIn64.dll`, and `SbieDll.dll`). It then decrypts the encrypted container `X1B5206BDC1743DD.dat` using AES‑ECB.
- Payload Injection: The loader spawns `svchost.exe` via `CreateProcessAsUserW` with a token taken from `spoolsv.exe` and injects the backdoor shellcode using process doppelgänging.
- Driver Loading: The loader decrypts `KX1B5206BDC1743DD.dat` to obtain DriverLoader, saves it as `C:\Windows\System32\drivers\fsdiskbit.sys`, creates a service registry key (`msidiskserver`), and loads it via `NtLoadDriver`.
- RawWNPF Activation: DriverLoader reads and decrypts `KW1B5206BDC1743FP.dat` to obtain RawWNPF, then manually maps and executes this kernel driver in memory, so RawWNPF never passes through the normal driver-loading path and has no service entry of its own.
2. Kernel‑Level Stealth: The RawWNPF Driver Arsenal
The RawWNPF driver is the crown jewel of the WIN_DRV variant, providing a suite of IOCTL‑based controls that enable the backdoor to operate invisibly. It hooks core Windows kernel functions to hide malicious artifacts from both user‑mode and kernel‑mode inspection tools.
Process Hiding
The driver hooks the `NtQuerySystemInformation` system call—specifically when `SystemProcessInformation` is requested—and removes any process IDs listed in its hidden processes table from the output. This technique, heavily based on the InfinityHookPro project, ensures that the backdoor’s process does not appear in Task Manager or process‑listing tools. The driver manages this list via IOCTLs:
- `0x220350`: Insert a PID into the hidden processes list.
- `0x220354`: Remove a PID from the hidden processes list.
- `0x220358`: Wipe the entire hidden processes list.
- `0x22035C`: Read the hidden processes list.
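The hook above only filters what `NtQuerySystemInformation(SystemProcessInformation)` returns; it does not remove the process object itself. A cross-view check exploits that gap: enumerate processes the normal way (`EnumProcesses`, which Task Manager and `tasklist.exe` also depend on) and separately try to open every possible PID with `OpenProcess`, which resolves the PID through the kernel's handle table rather than the hooked system call. Any PID that can be opened but is absent from the enumeration is being hidden. The following is an added example, not code from the page or from ESET's analysis; the two collector functions only run on Windows, and the PID snapshot used off-Windows is constructed.

```python
"""Cross-view detection of processes hidden from NtQuerySystemInformation.

Added example, not code from the page or from the malware analysis.
find_hidden_pids() is a pure comparison; the *_windows() collectors call
Win32 through ctypes and only work on a Windows host.
"""
import ctypes
import sys

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5        # object exists, we just lack rights (protected process)
ERROR_INVALID_PARAMETER = 87   # no process object with that PID


def find_hidden_pids(visible, probed):
    """PIDs that direct probing found but the enumeration path omitted."""
    return set(probed) - set(visible)


def visible_pids_windows():
    """What the (possibly hooked) enumeration path reports: psapi EnumProcesses."""
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    buf = (wintypes.DWORD * 65536)()
    needed = wintypes.DWORD(0)
    if not psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    count = needed.value // ctypes.sizeof(wintypes.DWORD)
    return {buf[i] for i in range(count)}


def probed_pids_windows(max_pid=65536):
    """Brute-force OpenProcess over the PID space (Windows PIDs are multiples of 4)."""
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = (wintypes.HANDLE,)
    found = set()
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if handle:
            found.add(pid)
            k32.CloseHandle(handle)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            found.add(pid)  # exists but is protected: still a live process
    return found


# Constructed snapshot standing in for a host on which PID 5678 is hidden.
SAMPLE_VISIBLE = {4, 88, 612, 704, 1234}
SAMPLE_PROBED = {4, 88, 612, 704, 1234, 5678}


def main():
    if sys.platform == "win32":
        probed = probed_pids_windows()      # probe first, then enumerate, so a
        visible = visible_pids_windows()    # process exiting in between cannot
    else:                                   # show up as a false "hidden" PID
        visible, probed = SAMPLE_VISIBLE, SAMPLE_PROBED
    hidden = find_hidden_pids(visible, probed)
    for pid in sorted(hidden):
        print(f"PID {pid} can be opened but is absent from process enumeration")
    return hidden


if __name__ == "__main__":
    main()
```

Run it twice and keep only PIDs reported both times to rule out short-lived processes. The check is specific to the hook the page describes: a driver that also filters `NtOpenProcess` or unlinks the `EPROCESS` would need a different second view, such as a memory image.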
Network Connection Hiding and Traffic Diversion
The driver hides active network connections by hooking the `IoCompletionRoutine` for IOCTL `0x12001B` inside the `nsiproxy.sys` driver—the component responsible for returning the list of active connections to tools like netstat.exe. Connections matching configured IP addresses, ports, or both are simply omitted from the results.
The driver also implements TCP traffic diversion using the Windows Filtering Platform (WFP). It registers callouts and filters at multiple layers (Inbound IP Packet v4, Outbound IP Packet v4, ALE Connect, ALE Listen, ALE Receive/Accept, and ALE Resource Assignment). When an inbound TCP packet carries the expected trigger data, the driver redirects it to the backdoor's hidden listening port, regardless of the port it was originally sent to. The attacker can therefore send commands to any open port on the victim and the driver delivers them to the backdoor without the true port ever appearing in the host's connection table. Note that a packet capture, whether taken on the wire or on the host by an NDIS-level capture driver such as the one Wireshark uses, still shows only the decoy destination port, because the rewrite happens inside the TCP/IP stack above the capture point.
File and Registry Hiding
The driver registers itself as a minifilter and installs callbacks to hide specific files and registry keys. For files, its `IRP_MJ_CREATE` callback fails any open of a protected path with `STATUS_NO_SUCH_FILE`, and its `IRP_MJ_DIRECTORY_CONTROL` callback strips protected entries from directory query results, so the files neither open nor appear in listings. The hardcoded protected file list includes:
– `\SystemRoot\Fonts\tpsvc.dll`
– `\SystemRoot\Fonts\tpsvcloc.dll`
– `\SystemRoot\Fonts\ApphostRagistreationVerifier.exe`
– `\SystemRoot\Fonts\X1B5206BDC1743DD.dat`
– `\SystemRoot\Fonts\KX1B5206BDC1743DD.dat`
– `\SystemRoot\Fonts\KW1B5206BDC1743FP.dat`
For registry persistence, the driver calls `CmRegisterCallbackEx` to filter out any attempts to open or enumerate HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe—the key used to maintain the backdoor’s debugger‑based persistence.
3. Persistence and Evasion Techniques: Beyond the Driver
Both WIN_DRV and WIN_PLUS employ a combination of persistence mechanisms that go beyond simple scheduled tasks.
WIN_DRV Persistence
- Scheduled Task: `ApphostRagistreationVerifier` runs at system start with SYSTEM privileges.
- Image File Execution Options (IFEO) Debugger: The loader writes `%SystemRoot%\Fonts\ApphostRagistreationVerifier.exe` as the debugger for `vds.exe` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger`. When `vds.exe` is launched (which occurs automatically on system start), Windows executes the debugger application instead.
- Self‑Cleaning: The loader executes `affair-build.bat` to delete deployment artifacts and restart the `vds` service, ensuring the backdoor runs from `%SystemRoot%\Fonts`.
WIN_PLUS Persistence
- Print Processor: The first‑stage loader registers itself as a print processor under `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg`, with the `Driver` value set to `VSPMsg.dll`. The print spooler service (`spoolsv.exe`) loads this DLL automatically.
- Self‑Cleaning: Similar to WIN_DRV, it drops `affair-build.bat` to remove deployment files and restart the print spooler.
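The three registrations described in this section (the IFEO `Debugger` value, the `Print Processors\<name>\Driver` value, and the `msidiskserver` service key the loader creates directly before calling `NtLoadDriver`) each leave a registry value-set event. The following added example, not code from the page or from ESET, scans such events using the Sysmon Event ID 13 field names (`Image`, `TargetObject`, `Details`) and flags the patterns. The event records are constructed for the demonstration; the writer process for the print-processor event is an assumption, since the page does not name it.

```python
"""Hunt SprySOCKS-style registry persistence in Sysmon-like registry events.

Added example, not code from the page or from the malware analysis.
Rules: (1) any IFEO Debugger write, rated high when the debugger lives in a
directory that never hosts legitimate executables; (2) any print processor
other than the built-in winprint/winprint.dll; (3) a kernel driver service
whose ImagePath was written by something other than services.exe, i.e.
registered without going through the Service Control Manager.
"""
import re

IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE)
PRINT_PROCESSOR = re.compile(
    r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\(?P<name>[^\\]+)\\Driver$",
    re.IGNORECASE)
SERVICE_IMAGE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)

# Directories from which a legitimate debugger is never launched.
ODD_EXE_DIRS = ("\\fonts\\", "\\temp\\", "\\users\\public\\", "\\appdata\\")


def scan_registry_events(events):
    """Return findings as dicts with rule, severity, target and details."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # Sysmon: RegistryEvent (value set)
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()

        if IFEO_DEBUGGER.search(target):
            odd = any(d in details.lower() for d in ODD_EXE_DIRS)
            findings.append({"rule": "ifeo_debugger",
                             "severity": "high" if odd else "medium",
                             "target": target, "details": details})
        elif (m := PRINT_PROCESSOR.search(target)):
            if not (m["name"].lower() == "winprint" and details.lower() == "winprint.dll"):
                findings.append({"rule": "print_processor", "severity": "high",
                                 "target": target, "details": details})
        elif SERVICE_IMAGE.search(target):
            if details.lower().endswith(".sys") and writer != "services.exe":
                findings.append({"rule": "driver_service_outside_scm", "severity": "high",
                                 "target": target, "details": details})
    return findings


# Constructed events: three malicious registrations and two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\Debugger",
     "Details": r"C:\Windows\Fonts\ApphostRagistreationVerifier.exe"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\stage1.exe",   # assumed writer
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg\Driver",
     "Details": "VSPMsg.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\msidiskserver\ImagePath",
     "Details": r"\??\C:\Windows\System32\drivers\fsdiskbit.sys"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\WdFilter\ImagePath",
     "Details": r"system32\drivers\wd\WdFilter.sys"},
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
     "Details": "winprint.dll"},
]

if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['target']} -> {f['details']}")
```

Because RawWNPF hides the IFEO key from live registry queries once it is running, telemetry captured at write time (or an offline hive) is the reliable place to look for these values.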
Virtual Environment and Sandbox Evasion
The SprySOCKS loader checks for the presence of specific libraries associated with sandbox environments (snxhk.dll, SxWrapper.dll, SxIn.dll, SXIn64.dll, and SbieDll.dll) and exits if any are found. The WIN_PLUS first‑stage loader also verifies that it is being executed by `spoolsv.exe` before proceeding, thwarting automated analysis that does not simulate the print spooler context.
4. C&C Communication and Backdoor Functionality
The SprySOCKS backdoor supports over 30 C&C commands covering system information collection, process enumeration, service management, and file operations (listing, creating, deleting, and transferring files). Communication can occur over TCP, UDP, or WebSocket protocols, with the networking logic built on the HP‑Socket framework.
C&C Configuration
The configuration is hardcoded in the binary and can specify up to three C&C addresses (one per protocol) and up to three listening ports (one per protocol). For example, the WIN_PLUS variant discovered contained:
- TCP C&C: `207.148.78[.]36:443`
- UDP C&C: `207.148.78[.]36:53`
- WebSocket C&C: `207.148.78[.]36:80`
- Listening port: `53781`
In the WIN_DRV variant found on VirusTotal, the C&C configuration was empty, so the backdoor acts as a passive TCP server on a random port, relying on the RawWNPF driver to divert traffic to it.
Firewall Manipulation
Both variants execute `netsh.exe` to manipulate the Windows firewall:
netsh advfirewall firewall delete rule name="Core Networking - Packet Too Big(ICMPv6 - In)"
netsh advfirewall firewall add rule name="Core Networking - Packet Too Big(ICMPv6 - In)" dir=in action=allow protocol=tcp localport=53781
The first command deletes an existing rule (if present), and the second adds a new rule with the same name to allow inbound TCP traffic on the backdoor’s listening port.
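The rule is built to blend in by name, but its properties give it away: a genuine "Core Networking" ICMPv6 rule has protocol ICMPv6 and belongs to the built-in Core Networking group, whereas the attacker's rule is TCP on a fixed local port and, having been added with a bare `netsh add rule`, has no group. The following added example (not code from the page) parses the output of `netsh advfirewall firewall show rule name=all` and reports rules exhibiting that mismatch. The sample output is constructed to match netsh's layout.

```python
"""Flag Windows Firewall rules masquerading as built-in Core Networking rules.

Added example, not code from the page.  Feed it the text of
'netsh advfirewall firewall show rule name=all' (saved to a file) or run it
without arguments to use the constructed sample below.
"""
import re
import sys

KV_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_netsh_rules(text):
    """Split 'show rule' output into one dict per rule, keyed by field name."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            if current:
                rules.append(current)
            current = {}
        if current is None or not line or line[0] in " -\t":
            continue  # separator line, or the indented ICMP Type/Code table
        m = KV_LINE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        rules.append(current)
    return rules


def find_masquerading_rules(text):
    findings = []
    for rule in parse_netsh_rules(text):
        name = rule.get("Rule Name", "")
        proto = rule.get("Protocol", "").upper()
        reasons = []
        if "ICMP" in name.upper() and proto in ("TCP", "UDP"):
            reasons.append(f"name claims ICMP but protocol is {proto} on local port "
                           f"{rule.get('LocalPort', 'Any')}")
        if name.startswith("Core Networking") and not rule.get("Grouping"):
            reasons.append("Core Networking name without the built-in rule group")
        if reasons:
            findings.append({"name": name, "local_port": rule.get("LocalPort", "Any"),
                             "reasons": reasons})
    return findings


# Constructed sample: the genuine built-in rule followed by the backdoor's look-alike.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            Core Networking - Packet Too Big (ICMPv6-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             ICMPv6
                                      Type    Code
                                      2       Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - Packet Too Big(ICMPv6 - In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            53781
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_NETSH_OUTPUT
    for f in find_masquerading_rules(text):
        print(f"{f['name']!r} (local port {f['local_port']}): " + "; ".join(f["reasons"]))
```

On a live host, `netsh advfirewall firewall show rule name=all > rules.txt` followed by `python flag_rules.py rules.txt` is enough; the same two checks translate directly to `Get-NetFirewallRule` piped through `Get-NetFirewallPortFilter` if you prefer to stay in PowerShell.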
Keylogging Capability
The backdoor activates a keylogger only if an INI file exists at `%appdata%\Microsoft\Vault\lgf.dat` with a `key=1` configuration. When active, it logs clipboard data, active window titles, and keystrokes into %appdata%\Microsoft\Vault\lg.dat, encrypting the data with a single‑byte XOR cipher using key 0x44.
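A single-byte XOR offers no confidentiality: with the key known, decoding `lg.dat` is one pass over the file, and even without it the key can be recovered from the ciphertext alone by trying all 256 candidates and keeping the one whose output is entirely text. The following added example (not code from the page or from the malware) does both. The sample log content is constructed; the page does not document the real record layout, so only the XOR layer is reproduced.

```python
"""Decode a SprySOCKS-style keylog (single-byte XOR, documented key 0x44).

Added example, not code from the page or from the malware.  decode() applies
a known key; recover_key() brute-forces it from the ciphertext by scoring how
many output bytes are printable text, which is why this cipher hides nothing.
"""
import sys

KNOWN_KEY = 0x44
# Bytes accepted as "text": printable ASCII plus tab, CR and LF.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (encryption and decryption are identical)."""
    return bytes(b ^ key for b in data)


def decode(data: bytes, key: int = KNOWN_KEY) -> str:
    return xor_bytes(data, key).decode("latin-1")


def text_score(candidate: bytes) -> int:
    """How many bytes look like text under a candidate key."""
    return sum(1 for b in candidate if b in TEXT_BYTES)


def recover_key(data: bytes) -> int:
    """Try all 256 keys; the real one turns every byte into text (ties -> lowest key)."""
    return max(range(256), key=lambda k: (text_score(xor_bytes(data, k)), -k))


# Constructed log content: timestamped window titles, keystrokes and a clipboard entry.
SAMPLE_PLAINTEXT = (
    "[2024-03-11 09:15:02] [Untitled - Notepad]\r\n"
    "hello from Firefox\r\n"
    "[clipboard] password123\r\n"
)
SAMPLE_LOG = xor_bytes(SAMPLE_PLAINTEXT.encode("ascii"), KNOWN_KEY)


def main(path=None):
    data = open(path, "rb").read() if path else SAMPLE_LOG
    key = recover_key(data)
    print(f"recovered key: 0x{key:02x}")
    print(decode(data, key), end="")
    return key


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Point it at a copy of `%APPDATA%\Microsoft\Vault\lg.dat` taken from a forensic image; if the file was written in a non-ASCII code page, widen `TEXT_BYTES` accordingly before trusting the recovered key.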
5. Detection and Mitigation Strategies
Given the kernel‑level stealth of the WIN_DRV variant, traditional endpoint detection and response (EDR) tools may struggle to detect this threat. However, a combination of memory forensics, kernel‑mode inspection, and network analysis can reveal its presence.
Memory Forensics
- Use Volatility (or the older Rekall) on a memory image to find hidden processes. Because RawWNPF filters the result of `NtQuerySystemInformation` rather than unlinking the `EPROCESS` from the kernel's process list, the hidden process is still present in the image: compare `pslist` (which walks the list) with `psscan` (which pool-scans), and then look for `svchost.exe` processes with anomalous memory regions or injected shellcode.
- Scan for the mutex names `prcs-server-run` and `Global\{DCAA7ED8-521B-4EAB-BE21-65254CF59239}`.
Kernel‑Mode Inspection
- Use a kernel debugger (WinDbg) or a memory image to enumerate loaded drivers and look for `fsdiskbit.sys`, the DriverLoader registered through the `msidiskserver` service key. RawWNPF itself is manually mapped by DriverLoader rather than loaded by the OS, so it has no registry entry and does not appear in the loaded-module list (`lm` in WinDbg, `modules` in Volatility); hunt for it instead through its device object, its WFP callouts, and executable kernel pool memory that belongs to no loaded image (`modscan`/`driverscan`).
- Check for the device object `\Device\RawWNPF`.
- Examine the WFP filter objects for the GUIDs and callout names listed in Table 2 of the ESET report.
File System and Registry Checks
- Look for the protected files in `%SystemRoot%\Fonts`: `tpsvc.dll`, `tpsvcloc.dll`, `ApphostRagistreationVerifier.exe`, `X1B5206BDC1743DD.dat`, `KX1B5206BDC1743DD.dat`, and `KW1B5206BDC1743FP.dat`. Because RawWNPF strips these entries from directory listings and fails opens of their paths, an empty result on the running host proves nothing; check from offline media (a WinPE boot or a mounted disk image) as well.
- Check for the scheduled task `ApphostRagistreationVerifier`.
- Examine the IFEO key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger`. The driver hides this key while it is running, so compare against an offline copy of the SOFTWARE hive.
- For WIN_PLUS, check the print processor key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg` and the file `C:\Windows\System32\spool\prtprocs\x64\VSPMsg.dll`.
Network Analysis
- Monitor for traffic to or from `207.148.78[.]36` on TCP 443, TCP 80, and UDP 53.
- Capture traffic at a network tap or SPAN port rather than on the host and inspect packets for the trigger data that causes diversion. The capture shows only the decoy destination port, so the indicator is that packets carrying such data arrive at unrelated open ports.
- Look for `netsh.exe` executions that add or delete firewall rules named "Core Networking - Packet Too Big(ICMPv6 - In)", in particular ones that specify `protocol=tcp` and a `localport`, which a genuine ICMPv6 rule never has.
Recommended Hunting Commands (PowerShell and CMD)
Run these from an elevated PowerShell session. While RawWNPF is active it hides the protected files, the IFEO key and the backdoor's connections from user mode, so clean results on a live host are not conclusive; repeat the file and registry checks from offline media or against a memory image.
# Check for the encrypted containers in the Fonts directory (-Force also shows hidden files)
Get-ChildItem -Path C:\Windows\Fonts -Filter *.dat -Force | Where-Object { $_.Name -match "B5206BDC1743" }
# List scheduled tasks with the backdoor's task name
Get-ScheduledTask | Where-Object { $_.TaskName -match "ApphostRagistreationVerifier" }
# Check the IFEO debugger for vds.exe
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe" -Name Debugger -ErrorAction SilentlyContinue
# Check for the VSPMsg print processor
Get-ItemProperty -Path "HKLM:\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg" -Name Driver -ErrorAction SilentlyContinue
# Look for the DriverLoader service and its driver file. Get-WindowsDriver only lists driver packages in the driver store, so it would miss a driver registered directly as a service; query the service table and the service key instead.
Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -eq "msidiskserver" -or $_.PathName -match "fsdiskbit" }
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\msidiskserver" -ErrorAction SilentlyContinue
# Export the WFP filter set and search it for the GUIDs from Table 2 of the ESET report. netsh wfp writes to a file rather than stdout, so piping to findstr returns nothing.
netsh wfp show filters file=wfp-filters.xml
Select-String -Path wfp-filters.xml -Pattern "E980088D-BE44-4057-8E5C-C7FDF8968795","33F76397-DBCB-445E-8EC3-AA51ED302D15"
Linux Commands for Cross‑Platform Threat Hunting (if analyzing C2 infrastructure)
# Search logs for the known FishMonger C2 IP
grep -r "207.148.78.36" /var/log/
# Analyze PCAPs for traffic to or from the C2 on the configured TCP (443, 80) and UDP (53) ports
tshark -r capture.pcap -Y 'ip.addr == 207.148.78.36 && (tcp.port == 443 || tcp.port == 80 || udp.port == 53)'
6. Defensive Hardening and Mitigation
- Driver Signature Enforcement (DSE) and driver blocklists: Keep DSE enabled, but do not rely on it alone. The attackers signed their driver with a leaked certificate from the PastDSE repository, so a valid-looking signature got it past DSE. Revoke and blocklist known-leaked signing certificates (Microsoft's vulnerable and malicious driver blocklist, enforced through WDAC), and alert on any newly registered kernel service whose binary carries an expired or revoked signature.
- Restrict Print Spooler Service: Disable the print spooler on systems that do not require printing functionality, or restrict the execution of print processors to trusted modules.
- Application Whitelisting: Use AppLocker or Windows Defender Application Control to block execution of unsigned or untrusted binaries, particularly from `%SystemRoot%\Fonts` and user-writable spooler paths such as `%SystemRoot%\System32\spool\drivers\color`.
- Network Segmentation: Isolate critical government and enterprise systems from direct internet exposure, and implement egress filtering to block connections to known malicious IPs.
- Enable Hypervisor‑Protected Code Integrity (HVCI): With HVCI the hypervisor enforces kernel code integrity, so unsigned code such as a manually mapped RawWNPF cannot be made executable even after a signed loader like fsdiskbit.sys is running. Windows Defender Credential Guard protects LSA secrets against credential theft but does not itself block kernel code, so treat the two as separate controls.
- Regular Vulnerability Patching: Initial access was likely gained through misconfigured or unpatched public‑facing servers, so prioritize patching server‑side vulnerabilities. The ESET report also mentions CVE‑2023‑24932, the Secure Boot bypass exploited by the BlackLotus UEFI bootkit; it is not an initial‑access vector, but it should be remediated so that a kernel‑level foothold cannot be extended into the boot chain.
What Undercode Say
- Kernel‑Level Stealth is the New Normal: The RawWNPF driver demonstrates that APT groups are increasingly moving to kernel‑mode components to defeat EDR and traditional antivirus. Defenders must adopt kernel‑aware threat‑hunting tools and memory forensics.
- Supply Chain and Open‑Source Abuse: The reuse of open‑source projects like HP‑Socket, Crypto++, and InfinityHookPro underscores how adversaries leverage publicly available code to accelerate development. The security community must monitor these projects for abuse and integrate detection signatures.
- Geopolitical Targeting: The concentration of victims in government organizations across Honduras, Taiwan, Thailand, and Pakistan reflects FishMonger’s strategic espionage objectives. Organizations in these regions should prioritize defensive measures against this specific threat actor.
- Passive Backdoor Design: The empty C&C configuration in the WIN_DRV variant indicates a shift toward passive, listener‑based backdoors that are harder to detect via outbound network monitoring. Defenders must also monitor for anomalous inbound traffic and packet‑diversion techniques.
- Multi‑Stage Execution Chains: The complexity of the execution chain—involving batch scripts, scheduled tasks, DLL side‑loading, process doppelgänging, and kernel driver loading—requires defenders to analyze each stage for indicators of compromise rather than relying solely on file‑based signatures.
Prediction
- +1 The disclosure of SprySOCKS for Windows will drive significant improvements in kernel‑mode threat detection, prompting EDR vendors to enhance their visibility into driver‑level activities and WFP filter objects.
- -1 FishMonger and other APT groups will likely adapt by developing even more sophisticated kernel‑mode rootkits that leverage Bring Your Own Vulnerable Driver (BYOVD) techniques or abuse legitimate signed drivers to bypass DSE.
- -1 The use of passive, listener‑based backdoors with traffic diversion will become more prevalent, making it increasingly difficult for network security teams to detect C&C communication without deep packet inspection and behavioral analysis.
- +1 The security community will respond with open‑source tools and detection rules specifically targeting the RawWNPF driver’s IOCTLs, WFP filters, and file‑hiding techniques, empowering blue teams to hunt for this threat more effectively.
- -1 Organizations that fail to implement rigorous application whitelisting, driver signature enforcement, and print spooler restrictions will remain vulnerable to this and similar advanced threats, potentially leading to significant data breaches in government and critical infrastructure sectors.
Reported By: Aleborges Informationsecurity – Hackers Feeds


