SprySOCKS Backdoor Expands to Windows, Reveals Advanced Stealth Techniques
Cybersecurity researchers have uncovered two previously undocumented Windows variants of the **SprySOCKS** backdoor, previously thought to be Linux-exclusive. These new versions, dubbed WIN_DRV and WIN_PLUS, significantly enhance the capabilities of the China-nexus threat actor **FishMonger**, demonstrating sophisticated stealth mechanisms including kernel drivers and novel C2 communication methods.
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called **SprySOCKS**.

"The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," **ESET** said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols."
### Enhanced Capabilities and Stealth
Like its Linux counterpart, the Windows versions support more than 30 commands to facilitate system information collection, process enumeration, service management, and file system operations. **WIN_DRV** has also been found to utilize kernel drivers to conceal the malware's network connections, processes, files, and registry keys.
In addition, this variant enables TCP traffic diversion that allows the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's actual listening port in the network traffic.
### Attributing the Threat Actor
**SprySOCKS** was first publicly documented by **Trend Micro** in September 2023, attributing its use to a China-nexus state-sponsored threat actor known as **Earth Lusca**, which is also tracked by the cybersecurity community under the monikers **Aquatic Panda**, **Bronze University**, **Charcoal Typhoon**, and **RedHotel**. The adversary is assessed to be active since at least 2021 and operated by a Chinese contractor named **i-Soon**.
The Slovakian cybersecurity vendor, **ESET**, which has assigned the name **FishMonger** to the threat cluster, has described it as a cyber espionage group that falls under the broader **Winnti** umbrella. In a report published in March 2025, the company linked the hacking group to a global campaign dubbed **Operation FishMedley** targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the U.S. between January and October 2022.
**SprySOCKS** is based on a Windows remote access trojan called **Trochilus**, and shares several common traits with **RedLeaves**, a backdoor that also exhibits extensive source code overlaps with **Trochilus**. What's more, the use of **Trochilus** is linked to another Chinese threat actor known as **Webworm**, which, in turn, has tradecraft commonalities with both **FishMonger** and **SixLittleMonkeys**.

### Technical Deep Dive into Windows Variants
The Windows variants are part of version 1.8 of **SprySOCKS**, with the **WIN_DRV** sample using a kernel driver referred to as **RawWNPF** ("KW1B5206BDC1743FP.dat") for advanced stealth, while retaining the functionality present in the Linux variant. The driver is loaded using another encrypted kernel driver named **DriverLoader** ("KX1B5206BDC1743DD.dat").
The attack chain makes use of an as-yet-undetermined initial access pathway to drop a batch script, which then creates and executes a scheduled task responsible for triggering a DLL side-loading chain that drops the **SprySOCKS** backdoor and the driver components. However, it's worth noting that the group has previously exploited N-day security flaws in public-facing **Fortinet**, **GitLab**, **Microsoft Exchange Server**, **Progress Telerik UI**, and **Zimbra** instances to obtain a foothold.
"The Windows version retains most of the core architecture of its Linux predecessor — including the C&C protocol, encryption used, and overall command handling logic — while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game," **ESET** researcher Martin Smolár said.

### Distinct Execution Schemes
The **WIN_PLUS** execution scheme, in contrast, adopts a different approach. It leverages the Windows Print Spooler service ("spoolsv.exe") as a starting point to execute a first-stage loader that runs as a print processor. It's designed to inject and run a **SprySOCKS** loader into a newly created "svchost.exe" process to launch the backdoor.
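A defender-side hunting check for the print processor abuse described above, added here as an example and not taken from the ESET report: it enumerates every print processor registered with the Print Spooler, resolves the DLL the spooler would load from the standard prtprocs directory, and flags anything other than the built-in winprint.dll or anything that is not validly Microsoft-signed. The "expected" list assumes a stock Windows host; vendor print processors will show up as findings and need to be reviewed.

```powershell
# Added hunting check (not ESET's code). Run as Administrator.
# Print processor registrations and the prtprocs directory are standard Windows locations;
# the $expected list is an assumption for a stock host.
$expected = @('winprint.dll')
$envRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$prtprocs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

$results = foreach ($envKey in Get-ChildItem -Path $envRoot) {
    $ppKey = Join-Path -Path $envKey.PSPath -ChildPath 'Print Processors'
    if (-not (Test-Path -Path $ppKey)) { continue }
    foreach ($pp in Get-ChildItem -Path $ppKey) {
        $driver = (Get-ItemProperty -Path $pp.PSPath -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { $driver = '<none>' }
        # The spooler loads the DLL from prtprocs\<arch>\, so resolve it on disk
        $file = Get-ChildItem -Path $prtprocs -Recurse -Filter $driver -ErrorAction SilentlyContinue |
                Select-Object -First 1
        $sig = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }
        # Anything that is not the default processor, is missing on disk, or is not
        # validly signed by Microsoft deserves a closer look
        $suspicious = ($driver -notin $expected) -or
                      (-not $file) -or
                      ($sig.Status -ne 'Valid') -or
                      ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
        [pscustomobject]@{
            Environment = $envKey.PSChildName
            Processor   = $pp.PSChildName
            Driver      = $driver
            Path        = if ($file) { $file.FullName } else { '<not found>' }
            Signature   = if ($sig) { $sig.Status } else { 'n/a' }
            Suspicious  = $suspicious
        }
    }
}
$results | Format-Table -AutoSize

# A DLL dropped into prtprocs without a registration is also worth knowing about
Get-ChildItem -Path $prtprocs -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin $results.Driver } |
    ForEach-Object { Write-Warning "Unregistered DLL in prtprocs: $($_.FullName)" }
```

Pair the output with a review of recently created scheduled tasks, since the WIN_DRV chain described above relies on one to start its side-loading sequence.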
Both **WIN_DRV** and **WIN_PLUS** variants of **SprySOCKS** are DLLs that support three channels for C2 communications over TCP, UDP, and WebSocket and run commands issued by the operator on the compromised host. This includes collecting system information, launching an interactive console, enumerating processes, getting C2 communication details, listing all services, initializing a SOCKS proxy, uploading/downloading files, and running existing files.
Evidence indicates that the artifacts may have been deployed between 2023 and 2024 in attacks targeting government organizations in Honduras, Taiwan, Thailand, and Pakistan. The **WIN_PLUS** version was first detected in July 2024 on a victim device geolocated to Pakistan.
What's more, there are "limited indications" suggesting the involvement of a UEFI bootkit, likely exploiting **CVE-2023-24932** (CVSS score: 6.7), a security feature bypass vulnerability in the Windows Boot Manager that's famously associated with the **BlackLotus** UEFI bootkit. The security flaw was addressed by **Microsoft** in May 2023.
"The discovery of a Windows variant of **SprySOCKS**, previously known as Linux-only backdoor, represents a meaningful expansion of **FishMonger**'s cross-platform capabilities," **ESET** said.
"The Windows port retains most of the core architecture of its Linux predecessor — including the C&C protocol, encryption used, and overall command handling logic — while substituting Windows-native mechanisms where required and improving the stealthiness of the backdoor by bringing the kernel drivers to the game."