China-Linked FishMonger Group Expands SprySOCKS Backdoor to Windows With Kernel-Level Stealth Drivers That Hide Processes, Network Connections, and Registry Keys
Summary
ESET researchers disclosed two new Windows variants of SprySOCKS — previously documented as Linux-only — attributed to FishMonger, a China-linked group also tracked as Earth Lusca, Aquatic Panda, Charcoal Typhoon, and RedHotel, reportedly operated by Chinese contractor i-Soon. The WIN_DRV variant uses a signed kernel driver to hide the backdoor's network connections, running processes, files, and registry keys from security tooling and diverts TCP traffic to conceal its listening port, a significantly stealthier capability than process-level evasion. Evidence shows deployment against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024, with the group assessed to have been active since at least 2021.
Originally reported by thehackernews.com