FishMonger Expands SprySOCKS Malware to Windows with Kernel-Level Stealth

FishMonger Expands SprySOCKS Malware to Windows with Kernel-Level Stealth

First seen 16 Jun 2026, 09:52 UTC BleepingcomputerMarkets.BusinessinsiderInfosecurity-MagazineDarkreadingwww.techtarget.com+7 85% similarity 75.5

Article Content

Browse articles
ThreatCluster

ESET researchers have identified two new Windows variants of the SprySOCKS backdoor, previously exclusive to Linux, attributed to the Chinese cyberespionage group FishMonger. The variants, labeled WIN_DRV and WIN_PLUS, were active between 2023 and 2024 and targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan. The WIN_DRV variant employs kernel drivers for advanced stealth, allowing it to conceal its presence by hiding network connections, processes, and files. Both variants support over 30 command-and-control (C&C) commands and can communicate via TCP, UDP, and WebSocket protocols. There are indications that some attacks may involve a UEFI bootkit component, potentially exploiting CVE-2023-24932. The discovery highlights the evolving capabilities of FishMonger, which has previously targeted various sectors, including education and government. ESET advises organizations to monitor for signs of these new threats.

Key Points: • FishMonger has developed Windows variants of the SprySOCKS backdoor, targeting government entities. • The WIN_DRV variant utilizes kernel drivers for stealth, hiding processes and network activity. • ESET telemetry indicates the malware was active in 2023 and 2024, with potential UEFI bootkit involvement.

ThreatCluster AI

Timeline

2022-01-11
CVE-2022-21894 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2023-05-09
CVE-2023-24932 published
A Secure Boot vulnerability was published, potentially exploitable by malware like SprySOCKS.
Article 1
2024-04-01
SprySOCKS Windows variants discovered on VirusTotal
ESET found the Windows variants WIN_DRV and WIN_PLUS uploaded to VirusTotal, marking a significant development in FishMonger's toolset.
Article 4
2026-06-16
ESET report published on SprySOCKS variants
ESET released a detailed report on the new Windows variants of SprySOCKS, highlighting their capabilities and targets.
Article 1
2026-06-17
Public awareness raised about FishMonger threats
Security experts emphasize the need for vigilance against FishMonger's expanded capabilities and potential UEFI exploits.
Article 8

Community

Browse all →