SprySOCKS
SprySOCKS is a backdoor malware family first documented as a Linux implant in September 2023 and later observed in previously undocumented Windows variants. It is linked to the China-aligned espionage activity tracked as Earth Lusca and FishMonger, with multiple sources also associating the cluster with contractor I-SOON and the broader Winnti umbrella. Reporting states it was used primarily against government entities, including victims in Honduras, Taiwan, Thailand, and Pakistan during 2023 and 2024; earlier Linux activity was also tied to government departments involved in foreign affairs, technology, and telecommunications, especially across Asia.
The malware is described as derived from the open-source Windows RAT Trochilus, with substantial modifications. For Linux, SprySOCKS uses a loader plus encrypted main payload design, communicates over TCP, and supports capabilities including system information gathering, interactive shell access, SOCKS proxy creation, and file and directory operations. Researchers noted version markers including 1.1 and 1.3.6 in Linux samples, indicating active development.
Windows variants identified by ESET are internally designated WIN_DRV and WIN_PLUS and are reported as SprySOCKS version 1.8. They preserve core architecture from the Linux lineage, including command-and-control logic, message format, encryption, and support for TCP, UDP, and WebSocket communications. The Windows implants implement more than 30 commands covering system enumeration, process and service management, file operations, SOCKS proxying, and keylogging. Reported Windows-specific details include DLL payloads named PrcsServer.dll exporting Stop, creation of the mutex prcs-server-run, AES-128 decryption with the hardcoded key uXQLESMXGaRMs6BL, and injection into svchost.exe via process doppelganging.
WIN_DRV adds kernel-mode stealth through the RawWNPF driver, which hides network connections, processes, files, and registry keys and intercepts Windows Filtering Platform-related activity so userland tools may not reveal active backdoor connections. It also supports TCP traffic diversion, allowing specially crafted traffic sent to any open TCP port to be redirected to the hidden backdoor listener. Reported associated components include DriverLoader and filenames such as KW1B5206BDC1743FP.dat and KX1B5206BDC1743DD.dat. Persistence and execution observed in reporting include scheduled tasks, DLL side-loading, and possible Image File Execution Options abuse. WIN_PLUS is a simpler Windows variant that abuses the Windows Print Spooler service by installing a print processor, with reporting citing VSPMsg.dll and registry persistence under the Print Processors key, and an encrypted container stored at C:\Windows\System32\spool\drivers\color\config.dat.
Some reporting notes limited indications that certain intrusions involving SprySOCKS may also have deployed a UEFI bootkit exploiting CVE-2023-24932 for persistence across OS reinstalls, but this was not confirmed. Published infrastructure and indicators mentioned in the content include the hardcoded WIN_PLUS C2 207.148.78[.]36 on ports 443, 53, and 80, a delivery server at 207.148.75[.]122, archive name klelam00007.zip, and keylogging artifacts %appdata%\Microsoft\Vault\lgf.dat and %appdata%\Microsoft\Vault\lg.dat.
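To turn the WIN_PLUS and WIN_DRV host traits described above into a check a SOC can actually run, the following is an added example (not code from this page, ESET or Trend Micro) that scores Sysmon-style endpoint events against those traits. The event dicts and sample values are constructed; the Print Processors registry path and the IFEO "Debugger" value are standard Windows locations assumed here, not values taken from the page.

```python
import re
# Indicators taken from the reporting above; paths are compared in lower case.
CONTAINER_PATH = r"c:\windows\system32\spool\drivers\color\config.dat"
KEYLOG_FILES = (r"\microsoft\vault\lgf.dat", r"\microsoft\vault\lg.dat")
PAYLOAD_DLLS = {"prcsserver.dll", "vspmsg.dll"}
DEFAULT_PRINT_PROCESSOR = "winprint.dll"  # the stock Windows print processor
# Standard Windows locations (assumed, not page values): Print Processors key and IFEO Debugger value.
PRINT_PROC_KEY = re.compile(r"\\print\\environments\\[^\\]+\\print processors\\", re.I)
IFEO_DEBUGGER = re.compile(r"\\image file execution options\\[^\\]+\\debugger$", re.I)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the list of findings for one Sysmon-style event dict (empty if benign)."""
    hits, eid = [], event.get("EventID")
    if eid == 13:  # registry value set
        target, data = event.get("TargetObject", ""), event.get("Details", "").lower()
        if PRINT_PROC_KEY.search(target) and data.endswith(".dll") and data != DEFAULT_PRINT_PROCESSOR:
            hits.append(f"non-default print processor registered: {data}")
        if IFEO_DEBUGGER.search(target):
            hits.append(f"IFEO Debugger value set under {target}")
    elif eid == 11:  # file create
        path = event.get("TargetFilename", "").lower()
        if path == CONTAINER_PATH:
            hits.append("WIN_PLUS encrypted container written to spool color directory")
        if path.endswith(KEYLOG_FILES):
            hits.append(f"keylogger artifact created: {path}")
    elif eid == 1:  # process create
        if _basename(event.get("ParentImage", "")) == "spoolsv.exe" and _basename(event.get("Image", "")) == "svchost.exe":
            hits.append("svchost.exe spawned by spoolsv.exe (print processor injection chain)")
    elif eid == 7:  # image load
        dll = _basename(event.get("ImageLoaded", ""))
        if dll in PAYLOAD_DLLS:
            hits.append(f"known SprySOCKS DLL name loaded: {dll}")
    return hits

def triage(events):
    # Map event index -> findings, keeping only events that matched something.
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample events (the user name and the "VSP" key name are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\VSP\Driver", "Details": "VSPMsg.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver", "Details": "winprint.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\spool\drivers\color\config.dat"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Vault\lgf.dat"},
]
print(triage(SAMPLE_EVENTS))  # expected keys: 0, 2, 3, 5
```

The spoolsv.exe to svchost.exe parent/child rule will also fire on legitimate spooler activity on some builds, so treat it as a pivot point to be corroborated by the registry or file findings rather than as a standalone alert.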
Vulnerabilities exploited
ESET researchers also noted indications that some attacks may involve a UEFI bootkit component, possibly exploiting CVE-2023-24932, which could allow the malware to survive a complete operating system reinstall.
Groups observed using it
FishMonger has brought its SprySOCKS backdoor to Windows for the first time, after years of deploying it exclusively on Linux. SprySOCKS first appeared in September 2023, when Trend Micro documented a Linux variant actively used in espionage campaigns.
Researchers found two new Windows variants of the SprySOCKS backdoor, previously known only on Linux. Linked to the Chinese group FishMonger (I-SOON), it actively targeted government entities between 2023 and 2024. The variants, WIN_DRV and WIN_PLUS, support over 30 commands across TCP, UDP, and WebSockets. WIN_DRV uses kernel drivers to hide itself and divert network traffic to mask its listening port. Evidence suggests some attacks may have deployed a UEFI bootkit exploiting CVE-2023-24932.
ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger... The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (5 techniques)
The WIN_PLUS variant achieves persistence through DLL side-loading, scheduled tasks, and print processor registry abuse.
The backdoor supports keylogging, clipboard capture, file transfer, SOCKS proxy, and remote shell via cmd.exe.
In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.
Persistence (5 techniques)
ESET found limited indications suggesting the possible use of a UEFI bootkit, potentially exploiting CVE-2023-24932, the Windows Boot Manager vulnerability associated with BlackLotus.
Privilege Escalation (5 techniques)
A first-stage loader runs as a print processor, then injects a SprySOCKS loader into a newly created svchost.exe process to launch the backdoor.
Both variants decrypt payloads using 128-bit AES with the hardcoded key uXQLESMXGaRMs6BL and inject the backdoor into a svchost.exe process via process doppelganging.
Stealth (9 techniques)
The WIN_DRV variant uses a kernel driver called RawWNPF to make the backdoor nearly invisible on a compromised system. This driver hides the malware’s network connections, processes, files, and registry keys from standard monitoring tools.
Both processes are ones that appear in normal Windows environments constantly, which makes the activity blend into background noise.
It uses the Windows Print Spooler service, spoolsv.exe, as its starting point... then injects a SprySOCKS loader into a newly created svchost.exe process to launch the backdoor.
Defense Impairment (2 techniques)
Credential Access (1 technique)
Discovery (4 techniques)
Both variants support the same command set: collecting system information, launching an interactive shell, enumerating running processes, listing services
Collection (2 techniques)
Command and Control (7 techniques)
Both SprySOCKS variants communicate with their C2 server over TCP, UDP, and WebSocket.
Loaded by means of a variant of an ELF injector component known as mandibule, SprySOCKS is equipped to gather system information, start an interactive shell, create and terminate SOCKS proxy, and perform various file and directory operations.
Recent activity
A purpose-built backdoor derived from the open-source Trochilus remote access tool and used in espionage campaigns. The Windows variants support over 30 C2 commands including system enumeration, file management, service control, keylogging, clipboard capture, file transfer, SOCKS proxy, and remote shell. WIN_DRV uses the RawWNPF kernel driver to hide network connections, processes, files, and registry keys, while WIN_PLUS uses DLL side-loading, scheduled tasks, and print processor registry abuse for persistence.
A cross-platform backdoor originally known as Linux-only, now observed in two Windows variants. It supports TCP, UDP, and WebSocket C2 communications and can collect system information, launch an interactive shell, enumerate processes and services, initialize a SOCKS proxy, upload/download files, and execute files. The Windows variants add stealth via kernel drivers and Print Spooler abuse.
A backdoor previously known on Linux that now has Windows variants. It supports more than 30 commands over TCP, UDP, and WebSockets; the WIN_DRV variant uses kernel drivers for stealth and traffic diversion to conceal its listening port.
A cross-platform backdoor with Linux and Windows variants that supports C2 communication over TCP, UDP, and WebSocket and can execute more than 30 commands for system information gathering, process management, and file operations. The WIN_DRV variant uses kernel drivers for stealth to hide network connections, processes, and registry keys, while WIN_PLUS abuses the Windows Print Spooler service to load the backdoor.