Listen to this Post

Introduction:
The cyber espionage landscape has witnessed a seismic shift as the China-linked SprySOCKS backdoor—previously confined to Linux environments—has now evolved into a sophisticated Windows threat. Discovered by ESET researchers in June 2026, two undocumented Windows variants (WIN_DRV and WIN_PLUS) have been actively deployed between 2023 and 2024 against government organizations across Honduras, Taiwan, Thailand, and Pakistan. What makes this development particularly alarming is the WIN_DRV variant’s employment of kernel-level drivers that provide rootkit-like stealth capabilities, enabling the malware to hide processes, files, registry keys, and network connections while implementing TCP traffic diversion to evade traditional security monitoring.
Learning Objectives:
- Understand the technical architecture and operational capabilities of the SprySOCKS Windows variants
- Master detection techniques for kernel-level rootkits and passive TCP backdoors
- Implement effective mitigation strategies against advanced persistent threat (APT) espionage tools
You Should Know:
- Understanding SprySOCKS: From Linux-Only to Cross-Platform Espionage Arsenal
SprySOCKS was first publicly documented by Trend Micro in September 2023 as a Linux-only backdoor attributed to Earth Lusca (also tracked as FishMonger, Aquatic Panda, TAG-22, and Red Dev 10). The threat group operates under the broader Winnti umbrella and is believed to be run by a Chinese contractor named I-SOON from Chengdu. The Windows versions represent version 1.8 of SprySOCKS, retaining most of the core architecture—including the C&C protocol, encryption methods, and command-handling logic—while substituting Windows-1ative mechanisms and significantly enhancing stealth through kernel drivers.
What makes this cross-platform expansion particularly concerning is the backdoor’s foundation: SprySOCKS is built upon a Windows remote access trojan called Trochilus and shares extensive source code overlaps with RedLeaves, another backdoor linked to Chinese threat actors. This indicates a mature, well-funded development pipeline capable of rapid adaptation across operating systems.
Step-by-Step Analysis of SprySOCKS Architecture:
- Initial Compromise Vector: The exact delivery mechanism remains under investigation, but ESET telemetry suggests targeted spear-phishing or watering-hole attacks against government entities.
-
Payload Execution: Upon execution, the malware loads either the WIN_DRV or WIN_PLUS variant. Both embed hard-coded C&C configurations and support TCP, UDP, and WebSocket protocols.
-
Kernel Driver Deployment (WIN_DRV Only): The WIN_DRV sample uses a kernel driver referred to as RawWNPF (“KW1B5206BDC1743FP.dat”) loaded via another driver named DriverLoader (fsdiskbit.sys), which is signed using a leaked certificate from the GitHub PastDSE project.
-
Rootkit Activation: The kernel driver manipulates Windows APIs at the kernel level to hide malicious processes, network connections, files, and registry keys from user-mode security tools.
-
TCP Traffic Diversion: A specialized driver inspects incoming TCP packets and redirects specially crafted data to the backdoor’s hidden port, enabling C2 communication without exposing a listening port to network scanners.
Linux Command to Detect Suspicious Kernel Modules:
List all loaded kernel modules and check for anomalies
lsmod | grep -v "^Module" | awk '{print $1}' | while read mod; do
modinfo $mod 2>/dev/null | grep -E "filename|description|author"
done
Check for unsigned or suspicious kernel modules
dmesg | grep -i "module" | grep -i "unsigned"
Monitor for unauthorized kernel module loading
auditctl -w /lib/modules/ -p wa -k kernel_module_load
Windows PowerShell Commands for Rootkit Detection:
List all running drivers with their paths
Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Date, Version
Check for unsigned drivers (requires admin privileges)
Get-SignedDriver | Where-Object {$_.IsSigned -eq $false}
Monitor driver load events via Event Log
Get-WinEvent -LogName "System" | Where-Object {$_.Id -eq 7045} | Select-Object TimeCreated, Message
Enumerate hidden processes using direct NT API calls
Get-Process | Where-Object {$<em>.MainWindowTitle -eq "" -and $</em>.ProcessName -match "^[a-zA-Z0-9]{8}$"}
- Command and Control Capabilities: Over 30 Malicious Functions
Both Windows variants support an extensive command set exceeding 30 C&C commands, covering comprehensive system manipulation and data exfiltration capabilities. The backdoor can function as both a client and server, providing attackers with remarkable operational flexibility.
Step-by-Step Breakdown of C2 Commands:
- System Information Collection: Commands to enumerate OS version, hardware configuration, installed software, and network settings.
-
Process and Service Management: Ability to list running processes, terminate or create processes, and manage Windows services.
-
File System Operations: Commands to list, create, delete, upload, download, copy, rename, and execute files across the compromised system.
-
Keystroke Logging and Clipboard Monitoring: The malware can log keystrokes, capture clipboard content, and track active window titles for credential theft.
-
SOCKS Proxy Functionality: Enables the attacker to route traffic through the compromised host, obscuring their origin and facilitating lateral movement.
-
Persistence Mechanisms: WIN_DRV achieves persistence via scheduled tasks and Image File Execution Options (IFEO) through vds.exe, while WIN_PLUS registers the payload as a Windows Print Processor (VSPMsg).
Network Traffic Analysis Commands:
Linux: Monitor for suspicious outbound connections
sudo tcpdump -i any -1 'tcp port 443 or tcp port 80' -vv | grep -v "established"
Linux: Check for hidden listening ports
sudo ss -tulpn | grep -v "127.0.0.1" | awk '{print $5}' | cut -d: -f2 | sort -u
Windows: Monitor TCP connections and associated processes
netstat -ano | findstr ESTABLISHED
tasklist /FI "PID eq [bash]"
Windows: Capture network traffic for analysis (requires Wireshark or netsh)
netsh trace start capture=yes protocol=TCP tracefile=C:\temp\capture.etl
netsh trace stop
YARA Rule for SprySOCKS Detection:
rule SprySOCKS_WIN_DRV {
meta:
description = "Detects SprySOCKS Windows WIN_DRV variant"
author = "Security Researcher"
date = "2026-06-16"
reference = "ESET Research"
strings:
$c2_config = "KW1B5206BDC1743FP.dat" wide ascii
$driver_name = "RawWNPF" wide ascii
$loader = "fsdiskbit.sys" wide ascii
$protocol = "WebSocket" wide ascii
$command_set = "SOCKS" wide ascii
condition:
uint16(0) == 0x5A4D and ($c2_config or $driver_name or $loader)
}
3. Kernel-Level Rootkit Analysis: The WIN_DRV Stealth Mechanism
The WIN_DRV variant represents a significant leap in malware sophistication, utilizing kernel drivers to provide rootkit-like capabilities that operate below the operating system’s security layers. This approach allows the malware to remain virtually invisible to conventional endpoint detection and response (EDR) tools.
Step-by-Step Rootkit Functionality Breakdown:
- Process Hiding: The kernel driver intercepts and modifies Windows API calls (such as NtQuerySystemInformation) to filter out malicious processes from enumeration results.
-
File and Registry Concealment: Directory listings and registry queries are manipulated to exclude malware-related artifacts, preventing detection during manual or automated scans.
-
Network Connection Obfuscation: Active network connections are hidden from tools like netstat and TCPView, masking C2 communication channels.
-
TCP Traffic Redirection: The driver inspects incoming TCP packets for specially crafted data patterns and redirects them to the backdoor’s hidden port. This creates a passive TCP backdoor that only responds when triggered by specific packet signatures.
-
Driver Loading via Leaked Certificates: The driver loader (fsdiskbit.sys) is signed using a leaked certificate from the GitHub PastDSE project, bypassing Windows Driver Signature Enforcement.
Advanced Detection Techniques:
Windows: Check for driver signature verification bypass
Get-ChildItem -Path "C:\Windows\System32\drivers" -Recurse |
Get-AuthenticodeSignature | Where-Object {$_.Status -1e "Valid"}
Windows: Detect hidden processes using alternative APIs
$processes = [System.Diagnostics.Process]::GetProcesses()
$psapi = Add-Type -AssemblyName "System.Management" -PassThru
Get-WmiObject -Class Win32_Process | Select-Object Name, ProcessId, ExecutablePath
Windows: Check for rootkit indicators in SSDT hooks
(Requires Kernel Debugging tools)
!sysptes
!idt
!apc
Linux Equivalent Rootkit Detection:
Check for kernel module hooks sudo cat /proc/kallsyms | grep -E "sys_call_table|nt_" Verify system call table integrity (requires custom tool) sudo ./check_syscalls.sh Monitor for hidden kernel modules sudo lsmod | sort | uniq -c | sort -1r sudo dmesg | grep -i "loading module"
- Persistence and Evasion: Scheduled Tasks, IFEO, and Print Processors
The SprySOCKS Windows variants employ multiple persistence mechanisms to ensure survival across system reboots and security scans.
Step-by-Step Persistence Analysis:
1. WIN_DRV Persistence:
- Scheduled Tasks: Creates hidden scheduled tasks that execute the malware at system startup or user logon.
- Image File Execution Options (IFEO): Uses IFEO registry keys (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe) to inject malicious code into legitimate processes.
2. WIN_PLUS Persistence:
- Windows Print Processor Registration: Registers the malicious payload as a print processor (VSPMsg), a legitimate Windows mechanism that executes during print job processing.
- Registry Key Hiding: The kernel driver hides the malware’s persistence registry entries, making them invisible to regedit and standard API calls.
Detection Commands:
Windows: List all scheduled tasks (including hidden)
schtasks /query /fo CSV /v | ConvertFrom-CSV | Select-Object TaskName, "Task To Run", "Run As User"
Windows: Check IFEO registry entries for suspicious debuggers
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -Recurse |
ForEach-Object { Get-ItemProperty $_.PSPath } | Select-Object PSPath, Debugger
Windows: Enumerate print processors
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors"
Windows: Detect hidden registry keys using direct registry hive parsing
(Requires regshot or similar before/after analysis tool)
Linux Persistence Check Commands:
Check for cron jobs and systemd timers crontab -l sudo systemctl list-timers Check for rc.local and init scripts cat /etc/rc.local ls -la /etc/init.d/ Check for systemd service files ls -la /etc/systemd/system/
5. UEFI Bootkit Concerns and CVE-2023-24932 Exploitation
ESET researchers noted limited indications that some SprySOCKS attack scenarios could involve a UEFI bootkit component, possibly exploiting CVE-2023-24932—a Secure Boot flaw previously used by the BlackLotus UEFI malware. This raises the stakes significantly, as UEFI bootkits operate at the firmware level, persisting even after operating system reinstallation.
Step-by-Step UEFI Bootkit Risk Assessment:
- Secure Boot Bypass: CVE-2023-24932 allows attackers to bypass Secure Boot protections by exploiting a vulnerability in the Windows Boot Manager.
-
Firmware-Level Persistence: A UEFI bootkit would load before the operating system, enabling it to hook critical system functions and maintain stealth.
-
Detection Challenges: Traditional security tools cannot detect UEFI bootkits as they operate outside the OS context.
Mitigation Strategies:
Windows: Check Secure Boot status
Confirm-SecureBootUEFI
Windows: Verify boot configuration
bcdedit /enum all
Windows: Check for unsigned UEFI drivers
Get-SignedDriver | Where-Object {$<em>.BootCritical -eq $true -and $</em>.IsSigned -eq $false}
Windows: Update to patch CVE-2023-24932
Apply Microsoft's optional update and enable the revocation
https://support.microsoft.com/en-us/topic/kb5025885
Linux UEFI Security Commands:
Check Secure Boot status on Linux mokutil --sb-state List UEFI boot entries efibootmgr -v Verify kernel signature for Secure Boot pesign -i /boot/vmlinuz- -S
6. Attribution and Threat Landscape: The FishMonger/Winnti Ecosystem
ESET tracks the threat actor behind SprySOCKS as FishMonger, part of the broader Winnti cyber espionage ecosystem. The group is also known as Earth Lusca, Aquatic Panda, TAG-22, and Red Dev 10. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT, demonstrating a comprehensive offensive capability.
Historical Context:
- 2019: ESET first analyzed FishMonger during attacks targeting Hong Kong universities during civic protests.
- 2020-2022: The group conducted watering-hole attacks and deployed ShadowPad against various targets.
- 2023: SprySOCKS Linux backdoor first documented by Trend Micro.
- 2023-2024: Active deployment of Windows variants against government entities in Honduras, Taiwan, Thailand, and Pakistan.
- 2025: Operation FishMedley campaign targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S..
What Undercode Say:
- Key Takeaway 1: The cross-platform evolution of SprySOCKS from Linux to Windows represents a paradigm shift in APT capabilities, demonstrating that threat actors are actively investing in multi-OS espionage toolkits to maximize their attack surface against diverse enterprise environments.
-
Key Takeaway 2: The integration of kernel-level rootkits with TCP traffic diversion creates an unprecedented stealth capability that renders traditional network and host-based detection methods obsolete, forcing security teams to adopt behavioral analysis and memory forensics.
The most concerning aspect of this development is not merely the technical sophistication but the operational maturity it represents. The use of leaked certificates for driver signing, the implementation of multiple persistence mechanisms, and the potential UEFI bootkit integration indicate a well-resourced adversary capable of sustained, high-stakes espionage operations. Organizations in the government, defense, and technology sectors must immediately review their endpoint security postures, implement robust logging and monitoring, and consider deploying specialized rootkit detection tools. The fact that these variants were active between 2023-2024 and only now discovered underscores the critical need for proactive threat hunting rather than reactive detection.
Prediction:
- +1 The disclosure of SprySOCKS Windows variants will accelerate the development of advanced EDR solutions capable of detecting kernel-level rootkits, driving innovation in the cybersecurity industry.
- -1 This cross-platform expansion signals that APT groups are increasingly adopting modular, reusable codebases, which will lead to faster development cycles and more frequent malware iterations across operating systems.
- -1 The potential UEFI bootkit integration suggests that future attacks may achieve persistence at the firmware level, making them nearly impossible to detect and remove without specialized hardware security measures.
- +1 Increased awareness and public disclosure of these techniques will prompt organizations to implement more rigorous supply chain security and zero-trust architectures.
- -1 Smaller organizations and developing nations lacking advanced security resources will remain disproportionately vulnerable to these sophisticated espionage campaigns.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


