SprySOCKS Backdoor Gets Windows Variants With Kernel-Level Stealth
China-linked FishMonger APT expands its Linux-only SprySOCKS backdoor to Windows with WIN_DRV and WIN_PLUS variants featuring kernel drivers and Print Spooler abuse.
Security researchers have identified two previously undocumented Windows variants of SprySOCKS, a backdoor that was believed to be Linux-only. The new samples, internally marked WIN_DRV and WIN_PLUS, introduce kernel-level stealth mechanisms that hide network connections, processes, and registry keys from standard system tools.
The Windows expansion signals that FishMonger—the China-nexus APT group operating under the broader Winnti umbrella—is investing in cross-platform capabilities to target a wider range of government and research organizations.
Two Windows Variants, Different Stealth Approaches
Both WIN_DRV and WIN_PLUS are part of SprySOCKS version 1.8 and share the same core functionality as the original Linux implant. The difference lies in how they achieve persistence and evade detection.
WIN_DRV uses a kernel driver called RawWNPF (delivered as KW1B5206BDC1743FP.dat) that runs in kernel mode and filters what user-mode tools are allowed to see. According to analysis reported by The Hacker News, the driver can:
- Hide network connections from netstat and similar tools
- Conceal malicious processes from Task Manager and process explorers
- Mask registry keys and file system entries
- Divert TCP traffic to enable command delivery through random ports
WIN_PLUS takes a different approach, abusing the Windows Print Spooler service (spoolsv.exe) for persistence. The malware registers itself as a print processor, a DLL the spooler loads when the service starts, then injects into svchost.exe to launch the backdoor, so the malicious code runs under processes that belong to legitimate system activity.
Attack Chain
The WIN_DRV infection chain begins with a batch script that creates and runs a scheduled task. The task launches an executable that side-loads a malicious DLL, and that side-loading sequence drops both the SprySOCKS backdoor and its kernel driver components.
The attackers exploit known vulnerabilities in externally-facing systems for initial access. Previous FishMonger campaigns have targeted N-day flaws in Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra—a pattern consistent with other Chinese APT operations that weaponize patch gaps.
Evidence suggests the WIN_PLUS variant may leverage CVE-2023-24932, the Secure Boot bypass exploited by the BlackLotus UEFI bootkit, for even deeper persistence. A bootkit lives in the EFI system partition rather than on the Windows volume, so it can survive an operating system reinstall that does not wipe that partition.
Capabilities
SprySOCKS supports more than 30 commands, including:
- System information collection and process enumeration
- Service management and file system operations
- Interactive console access
- SOCKS proxy initialization for network pivoting
- File upload and download
- Execution of files already on the compromised host
Communication occurs via TCP, UDP, and WebSocket protocols with hardcoded C2 configurations. The multi-protocol approach provides redundancy—if one channel gets blocked, the malware can fall back to alternatives.
Attribution and Targeting
The backdoor is attributed to FishMonger, a group also tracked as Earth Lusca, Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. Google's Mandiant unit assesses the group "is operated by a Chinese contractor named i-Soon," a private company that conducts offensive cyber operations on behalf of Chinese intelligence services.
Evidence indicates deployment between 2023 and 2024 targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan. The WIN_PLUS variant was first detected in July 2024 in Pakistan, suggesting ongoing operations against South Asian government networks. The targeting of Taiwan aligns with ongoing Chinese espionage campaigns we've tracked throughout 2026.
Why This Matters
The jump from Linux to Windows dramatically expands SprySOCKS' potential target surface. While the original Linux variant was effective against Linux servers, a common choice for web-facing infrastructure, the Windows variants can compromise corporate workstations, domain controllers, and other enterprise endpoints.
The kernel driver approach is particularly concerning. Security tools that rely on the standard Windows APIs to enumerate processes, network connections, and registry keys will miss activity hidden by RawWNPF, because those APIs return results the driver has already filtered. Detection requires kernel-level visibility (an EDR sensor with its own kernel callbacks, or memory forensics of the host) or analysis of raw network traffic at the perimeter, where the rootkit has no influence.
Organizations should monitor for kernel drivers being loaded, especially drivers that are unsigned, signed by an unexpected publisher, or stored under random-looking file names like the .dat file above. Because Driver Signature Enforcement blocks unsigned drivers on a 64-bit host with Secure Boot enabled, an implant's driver is likely to carry some signature or to be loaded through a bypass, so the signer matters as much as the presence of a signature. Endpoint detection tools should also alert on new print processors being registered with the spooler outside of legitimate printer driver installations.
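The following PowerShell hunting script is added here as an illustration; it is not code from the original article or from the researchers who analysed SprySOCKS. It turns the recommendations above into a single check a defender can run on a suspect host: it reviews the signer and file extension of every registered kernel driver, lists print processors other than the built-in winprint, and finds scheduled tasks whose action runs a batch script (the WIN_DRV entry point). The allow-lists it uses (winprint as the only legitimate print processor, Microsoft and the WHQL publisher as the expected driver signers) are assumptions and must be tuned for the estate.

```powershell
# Added hunting script (not from the original article or the SprySOCKS research).
# Run from an elevated PowerShell 5.1+ session on the host under investigation.
# Allow-lists below (winprint, Microsoft as expected signer) are assumptions; tune them.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $name, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Name = $name; Detail = $detail })
}

# 1. Kernel drivers. Driver Signature Enforcement means a driver that loaded on a
#    64-bit host normally carries *some* signature, so report the signer rather than
#    only "unsigned", and flag images that are not .sys files (the article's driver
#    was delivered as a .dat).
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) {
        Add-Finding 'Driver' $_.Name "image missing on disk: $path"
        return   # next driver
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    # WHQL-signed third-party drivers are signed by "Microsoft Windows Hardware
    # Compatibility Publisher", so a 'Microsoft' match covers both cases.
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft' -or $path -notmatch '\.sys$') {
        Add-Finding 'Driver' $_.Name "$path state=$($_.State) sig=$($sig.Status) signer=$signer"
    }
}

# 2. Print processors registered with the spooler. A stock host has only winprint;
#    anything else, or winprint pointing at a DLL other than winprint.dll, needs review.
#    The DLLs are loaded from %SystemRoot%\System32\spool\prtprocs\x64.
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
Get-ChildItem -Path $ppKey | ForEach-Object {
    $driver = (Get-ItemProperty -Path $_.PSPath).Driver
    if ($_.PSChildName -ne 'winprint' -or $driver -ne 'winprint.dll') {
        Add-Finding 'PrintProcessor' $_.PSChildName "Driver=$driver"
    }
}

# 3. Scheduled tasks whose action runs a batch script, as in the WIN_DRV chain.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '\.(bat|cmd)(\s|"|$)') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd.Trim()
        }
    }
}

$findings | Sort-Object Check, Name | Format-Table -AutoSize -Wrap
```

Everything this script reads comes through the same kernel the rootkit hooks, so if RawWNPF is active the WMI, registry, and task enumeration above may already be filtered. Treat an empty result as inconclusive: repeat the checks against an offline disk image or after booting from clean media, and compare the host's view of its own network connections with what a perimeter capture shows.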
For defenders tracking Chinese APT activity, SprySOCKS' Windows expansion follows a broader trend of cross-platform malware development that reduces operational friction for threat actors targeting heterogeneous environments. Assume that Linux-focused implants will eventually gain Windows siblings.
Network traffic analysis remains valuable for detecting these implants. While the kernel driver hides local indicators, C2 communications still traverse the network. Organizations with mature detection capabilities should develop signatures for SprySOCKS' distinctive WebSocket and UDP beacon patterns.