Last updated: July 5, 2026 at 9:01 AM UTC

China-linked SprySOCKS backdoor jumps to Windows with kernel-level stealth

ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.

Check
On Windows servers, watch for unexpected kernel drivers and scheduled tasks tied to DLL side-loading, and patch internet-facing Fortinet, Exchange, GitLab, Telerik, and Zimbra systems this group abuses.
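The two checks named above can be scripted. The following hunt script is an added example, not code from ESET or the article; it lists running kernel drivers whose Authenticode signer is not Microsoft and scheduled tasks whose action runs from outside %SystemRoot% or goes through rundll32/regsvr32 (a common DLL side-loading pattern). The signer and path heuristics are assumptions for triage, not indicators from the report; run it elevated and review the output by hand.

```powershell
# Added hunt script (not from the article). Flags (1) running kernel drivers not
# signed by Microsoft and (2) scheduled tasks whose action runs outside %SystemRoot%
# or invokes rundll32/regsvr32. Heuristics are assumptions; output needs manual review.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths; normalise the usual prefixes.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Running kernel drivers whose signature is invalid or whose signer is not Microsoft.
$suspectDrivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }

# 2. Scheduled tasks that execute from outside %SystemRoot% or through a DLL host binary.
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }   # skip non-exec (COM/e-mail) actions
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        $dllHost = $exe -match '(?i)(rundll32|regsvr32)(\.exe)?$'
        if ($dllHost -or ($exe -notlike "$env:SystemRoot\*")) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Execute   = $exe
                Arguments = $a.Arguments
                Reason    = if ($dllHost) { 'DLL host binary' } else { 'Outside SystemRoot' }
            }
        }
    }
}

$suspectDrivers | Format-Table -AutoSize
$suspectTasks   | Format-Table -AutoSize
```

Legitimate third-party drivers and vendor tasks will appear too; the value is in comparing the list against a known-good baseline for the same server role.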
Affected
Windows environments at espionage-relevant targets, particularly government organizations; the group gains initial access through unpatched public-facing servers, then uses kernel drivers to stay hidden from defenders' tools.
Fix
Patch and harden internet-facing services, enable driver-signing enforcement and kernel-level monitoring, hunt for the known driver and loader components, and isolate and rebuild any host showing signs of kernel-level tampering.