thehackernews.com web signal

FishMonger Takes SprySOCKS Backdoor to Windows

cybersecurity china ai china-threat ai-security nation-state

Key insights

  • WIN_DRV deploys kernel drivers RawWNPF and DriverLoader to simultaneously hide processes, files, registry keys, and network connections from security tooling.
  • Both Windows variants support over 30 commands and communicate via TCP, UDP, and WebSocket protocols using hardcoded C&C configurations.
  • SprySOCKS was previously documented as Linux-only; WIN_PLUS, first detected in July 2024, extends it to Windows by abusing the Windows Print Spooler service to inject into svchost.exe.

Why this matters

Kernel-level evasion techniques like WIN_DRV's driver-based hiding defeat most AI-powered EDR and network detection systems that depend on process and connection visibility, forcing security vendors to rethink detection at a layer below the one where most tooling operates. FishMonger's operation through the commercial contractor i-Soon illustrates how nation-state groups now outsource persistent-access campaigns, blurring attribution and complicating response for organizations building or deploying sensitive AI infrastructure in the targeted regions. A dwell time spanning 2023 to 2024 shows that kernel-resident backdoors can survive routine security cycles, which makes this campaign a direct calibration point for any organization assessing whether its detection stack would catch advanced persistent threats operating at this layer.

Summary

FishMonger, a China-linked threat group operated via the contractor i-Soon, has deployed two previously undocumented Windows variants of SprySOCKS -- a backdoor previously documented as Linux-only -- against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The more capable variant, WIN_DRV, uses the kernel drivers RawWNPF and DriverLoader to hide the backdoor's processes, network connections, files, and registry keys from security tooling. It also diverts TCP traffic to mask its actual listening port. WIN_PLUS takes a separate path, abusing the Windows Print Spooler service to inject into svchost.exe. In short, FishMonger, operating through i-Soon, ran a kernel-level espionage campaign against government targets across Asia and Latin America.

  • Both variants support over 30 commands, including SOCKS proxy initialization, process enumeration, and service management, and communicate via TCP, UDP, and WebSocket.
  • WIN_PLUS was first detected in July 2024; FishMonger operates under the Winnti umbrella and has been active since at least 2021.

Kernel-level Windows tooling signals a deliberate investment in persistence designed to outlast endpoint defenses, not just rapid initial compromise.

Potential risks and opportunities

Risks

  • Government networks in Taiwan, Thailand, Pakistan, and Honduras may already host dormant WIN_DRV implants active since 2023 -- detection requires kernel-level forensics that most public-sector SOCs are not equipped to perform.
  • Endpoint detection vendors face mounting pressure to demonstrate kernel-driver visibility after WIN_DRV shows that driver-based evasion can simultaneously conceal connections, processes, files, and registry keys from conventional tooling.
  • Organizations running Windows Print Spooler in default configurations remain exposed to the WIN_PLUS injection chain, extending risk well beyond the original 2023-2024 government target set.

Opportunities

  • Kernel-level detection and driver-visibility vendors gain clear budget justification at government security programs in Taiwan, Thailand, Pakistan, and Honduras following public disclosure of WIN_DRV's capabilities.
  • EDR providers with deep kernel telemetry can use WIN_DRV's documented simultaneous evasion of process, network, file, and registry enumeration as a concrete benchmark for differentiation in government procurement cycles.
  • Threat intelligence firms with Winnti and FishMonger tracking coverage can expand retainer work with governments newly aware of i-Soon's role as a contractor-operated APT operator active since at least 2021.

What we don't know yet

  • Whether WIN_DRV's kernel drivers RawWNPF and DriverLoader were digitally signed and how signing certificates were obtained -- the article identifies the driver names but does not address their signing or certificate provenance.
  • Full scope of targeted organizations beyond the confirmed government networks in Honduras, Taiwan, Thailand, and Pakistan -- the article covers only known deployments through 2024.
  • Current operational status of FishMonger and i-Soon following the group's public exposure -- the article documents past deployments without addressing whether operations have been disrupted or are ongoing.