ESET Uncovers Windows Variants of Chinese SprySocks Backdoor Used Since 2023
ESET researchers have discovered two undocumented Windows variants of the China-linked SprySocks backdoor, tied to the FishMonger threat actor and iSoon hacking contractor, targeting government organizations across Asia and Central America.

Security researchers at ESET have identified two undocumented Windows variants of the SprySocks backdoor, a malware previously believed to be Linux-only. The variants have been active since 2023 and are linked to the Chinese threat actor tracked as FishMonger (also known as Earth Lusca) and the private hacking contractor iSoon from Chengdu, China. The discovery marks a significant expansion of the threat actor's capabilities, as the Windows variants bring the same espionage-focused functionality to a broader range of target environments.
The newly discovered variants retain the core architecture of the original Linux SprySocks backdoor, including its command-and-control message format, encryption keys and algorithms, and the HP-Socket network communication framework. However, they introduce Windows-native mechanisms for cross-platform functionality and add significant evasion techniques. The malware supports over 30 C&C functions and uses kernel-level rootkits to hide its network connections, processes, files, and registry keys, making detection far more difficult.
"This backdoor was previously believed to be Linux-only, with no known Windows variant. Our findings demonstrate that Windows variants do exist," said Martin Smolár, senior malware researcher at ESET. The Windows variants support communications over TCP, UDP, and WebSocket protocols, and add new C&C commands for system information collection, process enumeration, service management, and file creation and transfer. The rootkit component also enables TCP traffic diversion, allowing operators to send commands through a random TCP port without exposing the backdoor's real listening port in network traffic.
The campaign primarily targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan. ESET's telemetry also suggests that some attacks may have involved a Unified Extensible Firmware Interface (UEFI) bootkit, indicating the threat actor could be exploiting CVE-2023-24932, a Secure Boot bypass vulnerability in Windows Boot Manager. This flaw allows attackers to execute untrusted software during the boot process at the firmware level, undermining Secure Boot's protections.
FishMonger is believed to be operated by iSoon, a private hacking contractor from Chengdu, China, that carries out long-term intelligence gathering and data theft. Several iSoon executives were indicted by a U.S. federal court in 2024 for alleged cybercrimes. Smolár noted that whether the legal action affected FishMonger's operations or the newly discovered backdoor variants remains an open question. The only C&C IP address identified in the Windows campaign belonged to the same IP range as a SprySocks delivery server used by FishMonger in 2023, confirming the connection.
The discovery of Windows variants of SprySocks underscores the evolving sophistication of Chinese state-sponsored espionage operations. By expanding their toolset to include Windows-native backdoors with rootkit-based stealth, threat actors like FishMonger can maintain persistent access to high-value government networks while evading traditional security measures. Organizations in targeted regions should prioritize monitoring for indicators of compromise associated with SprySocks and ensure that Secure Boot protections are up to date.
BleepingComputer reports that the Windows SprySOCKS variants were deployed against government organizations in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024. ESET's analysis reveals two variants — WIN_DRV, which uses kernel drivers for rootkit-like stealth, and WIN_PLUS, a leaner backdoor — both offering SOCKS proxy, keystroke logging, and over 30 C2 commands. The WIN_DRV variant also loads a driver signed with a leaked certificate from the GitHub PastDSE project and may incorporate a UEFI bootkit component exploiting CVE-2023-24932, though a direct link to BlackLotus remains unconfirmed.
ESET's latest report, published June 16, 2026, provides deeper technical details on the two Windows variants, WIN_DRV and WIN_PLUS. WIN_DRV uses kernel drivers (RawWNPF and DriverLoader) to conceal network connections, processes, and files, while WIN_PLUS leverages the Windows Print Spooler service for execution. The variants support over 30 commands and communicate over TCP, UDP, and WebSocket protocols, with evidence of deployment between 2023 and 2024 targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan. ESET also noted limited indications of a UEFI bootkit possibly exploiting CVE-2023-24932.
The Infosecurity Magazine report corroborates ESET's findings and adds that the Windows variants now incorporate over 30 command-and-control commands and enhanced stealth features, including encrypted configuration files and refined evasion techniques. The article further notes that the cross-platform expansion from Linux to Windows significantly broadens the threat surface for enterprise environments, as the backdoor is used for persistent remote access and data exfiltration by China-linked threat actors.