FishMonger Hackers Expand SprySOCKS Backdoor From Linux to Windows
The Chinese cyberespionage group known as FishMonger has significantly expanded its operational capabilities, bringing its advanced SprySOCKS backdoor to Windows systems. This development marks a major escalation: the malware, previously observed targeting Linux, now features advanced stealth capabilities for a broader range of attacks. A detailed analysis of this expanded threat is available in a recent report.
The threat actor, tracked as FishMonger, has brought its SprySOCKS backdoor to Windows for the first time, after years of deploying it exclusively on Linux.
This upgrade signals the group is broadening its reach and is now capable of targeting a much wider range of victims around the world.
SprySOCKS first appeared in September 2023, when Trend Micro documented a Linux variant actively used in espionage campaigns.
The backdoor was built on top of an open-source Windows remote access tool called Trochilus, with enough modifications to be treated as a distinct, purpose-built threat. At that time, it was mainly linked to attacks against government organizations across Asia.
Analysts at WeLiveSecurity identified two previously undocumented Windows variants of SprySOCKS, tracked internally as WIN_DRV and WIN_PLUS.
According to the WeLiveSecurity report shared with Cyber Security News (CSN), ESET telemetry shows confirmed activity between 2023 and 2024, with victims in Honduras, Taiwan, Thailand, and Pakistan, mostly government entities.
Initial samples were uploaded to VirusTotal in April 2024 under the archive name klelam00007.zip. FishMonger is believed to be operated by a Chinese contractor named I-SOON, falling under the broader Winnti Group umbrella.

The group previously targeted universities in Hong Kong during 2019 civil protests and is known for conducting watering-hole attacks.
Their toolkit includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, and the BIOPASS RAT, and expanding SprySOCKS to Windows clearly shows continued investment in offensive capability.
Both Windows variants implement over 30 C2 commands covering system enumeration, file management, service control, and keylogging.
ESET researchers also noted indications that some attacks may involve a UEFI bootkit component, possibly exploiting CVE-2023-24932, which could allow the malware to survive a complete operating system reinstall.
FishMonger Hackers Expand SprySOCKS Backdoor
The WIN_DRV variant uses a kernel driver called RawWNPF to make the backdoor nearly invisible on a compromised system.
This driver hides the malware’s network connections, processes, files, and registry keys from standard monitoring tools.
Even netstat.exe will not show active backdoor connections because the driver intercepts Windows Filtering Platform calls and strips those entries from any output.
To load the kernel driver without triggering Windows security checks, the attackers used a leaked code-signing certificate from the PastDSE project on GitHub.

Once active, the driver performs TCP traffic diversion, letting attackers send commands through any open TCP port without knowing the exact listening port. This makes it very difficult for network defenders to trace the real destination of suspicious traffic.
The WIN_PLUS variant achieves persistence through DLL side-loading, scheduled tasks, and print processor registry abuse.
Both variants decrypt payloads using 128-bit AES with the hardcoded key uXQLESMXGaRMs6BL and inject the backdoor into a svchost.exe process via process doppelganging.
Chinese-language debug paths in the binaries confirm development in China, with strings suggesting the project was underway as early as April 2023.
Backdoor Capabilities and C2 Communication
Both SprySOCKS variants communicate with their C2 server over TCP, UDP, and WebSocket. The WIN_PLUS version had a hardcoded C2 address of 207.148.78[.]36, operating across all three channels on ports 443, 53, and 80.
The backdoor adds a Windows firewall rule allowing inbound traffic on TCP port 53781, with infrastructure overlapping a delivery server at 207.148.75[.]122 seen in a June 2023 campaign.

The backdoor supports keylogging, clipboard capture, file transfer, SOCKS proxy, and remote shell via cmd.exe.
Keylogging activates only when a specific INI file exists at %appdata%\Microsoft\Vault\lgf.dat with the key value set to 1, and logged data is saved to lg.dat using single-byte XOR with key 0x44.
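For incident responders who recover lg.dat and lgf.dat from a host, the following is an added example (not code from the ESET report) that undoes the XOR-0x44 storage format and checks the arming flag. The report does not name the INI section or key, so the arming check treats any key whose value is 1 as the flag; all sample data is constructed.

```python
"""Offline decoder for the SprySOCKS keylog file (lg.dat) described above.

Added example, not code from the ESET report: the report only gives the
storage format (single-byte XOR, key 0x44) and the arming condition (an INI
file lgf.dat with a key set to 1). The INI section/key names are not given,
so keylogger_armed() treats any key whose value is 1 as the arming flag
(assumption). All sample data below is constructed.
"""
import configparser
import sys

XOR_KEY = 0x44


def decode_keylog(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in blob)


def keylogger_armed(ini_text: str) -> bool:
    """True if the lgf.dat INI carries a key set to 1 (assumed arming flag)."""
    if not ini_text.lstrip().startswith("["):
        ini_text = "[root]\n" + ini_text  # tolerate a section-less file
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    return any(v.strip() == "1" for s in cp.sections() for v in cp[s].values())


def looks_like_xor44_keylog(blob: bytes) -> bool:
    """Triage heuristic: a real lg.dat should decode to mostly printable text."""
    dec = decode_keylog(blob)
    printable = sum(1 for b in dec if 32 <= b < 127 or b in b"\r\n\t")
    return bool(dec) and printable / len(dec) > 0.9


# Constructed sample: a keystroke record as it would sit on disk after XOR.
SAMPLE_PLAIN = b"[Notepad] admin:P@ssw0rd\r\n"
SAMPLE_LG_DAT = decode_keylog(SAMPLE_PLAIN)
SAMPLE_LGF_INI = "[config]\nkey=1\n"  # section/key names are assumptions

if __name__ == "__main__":
    # Usage: python decode_lg.py <lg.dat> [lgf.dat]
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            print("keylogger armed:", keylogger_armed(f.read()))
    print("plausible lg.dat:", looks_like_xor44_keylog(data))
    sys.stdout.write(decode_keylog(data).decode("utf-8", errors="replace"))
```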
Given possible UEFI bootkit involvement, ESET advises organizations to closely monitor FishMonger activity. Public-facing servers must be fully patched, as the group typically exploits N-day vulnerabilities for initial access.
Watching for unusual scheduled tasks, suspicious print processor registry entries, and unexpected DLL files in the Windows Fonts folder can help defenders catch this threat before major damage occurs.
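The hunt points above (print processor registrations, DLLs in the Fonts folder, the side-loading scheduled task, and the IFEO debugger key from the IoC table) as rules evaluated over a host inventory. This is an added example, not ESET's tooling; it runs offline over a constructed inventory, the winprint allowlist is an assumption about the default Windows print processor, and the sample paths are made up.

```python
"""Hunt rules for the SprySOCKS WIN_PLUS/WIN_DRV persistence described above,
evaluated over a constructed host inventory so the script runs offline.
Added example, not ESET's tooling. A collector would fill HostInventory from
exported registry values, a directory listing and the task scheduler."""
from dataclasses import dataclass, field

# winprint is the print processor Windows ships by default on x64 (assumption
# used as the allowlist); anything else deserves a look.
DEFAULT_PRINT_PROCESSORS = {"winprint"}
SIDELOAD_HOST = "apphostragistreationverifier.exe"   # from the IoC table
IFEO_TARGET = "vds.exe"                              # IFEO debugger key abused by WIN_DRV


@dataclass
class HostInventory:
    print_processors: dict          # name -> DLL, from ...\Print Processors
    fonts_dir: list                 # file names under C:\Windows\Fonts
    scheduled_task_actions: list    # command lines of scheduled task actions
    ifeo_debuggers: dict = field(default_factory=dict)  # image -> debugger value


def hunt(inv: HostInventory) -> list:
    """Return one human-readable finding per matched rule."""
    findings = []
    for name, dll in inv.print_processors.items():
        if name.lower() not in DEFAULT_PRINT_PROCESSORS:
            findings.append(f"non-default print processor {name!r} -> {dll}")
    for fname in inv.fonts_dir:
        if fname.lower().endswith(".dll"):
            findings.append(f"DLL in Fonts folder: {fname}")
    for action in inv.scheduled_task_actions:
        if SIDELOAD_HOST in action.lower():
            findings.append(f"scheduled task runs side-loading host: {action}")
    for image, dbg in inv.ifeo_debuggers.items():
        if image.lower() == IFEO_TARGET:
            findings.append(f"IFEO debugger set on {image}: {dbg}")
    return findings


# Constructed inventory resembling the persistence chain; paths are made up.
SAMPLE = HostInventory(
    print_processors={"winprint": "winprint.dll", "VSPMsg": "VSPMsg.dll"},
    fonts_dir=["arial.ttf", "tpsvcloc.dll"],
    scheduled_task_actions=[r"C:\ProgramData\Tp\ApphostRagistreationVerifier.exe"],
    ifeo_debuggers={"vds.exe": r"C:\Windows\Temp\x.exe"},
)

if __name__ == "__main__":
    for line in hunt(SAMPLE):
        print("FINDING:", line)
```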
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA1 | FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7 | ApphostRagistreationVerifier.exe (legitimate signed executable used for DLL side-loading) |
| SHA256 | 955BFC3DCC867256F9F46A606DEB0779FA3416D8 | KX1B5206BDC1743DD.dat (Win64/SprySOCKS.AEncSpryDrvdriv) |
| SHA256 | 44DC4A08C5EB0972C8E18B0E01284E06F09006BB | bthcam.sys (Win64/Agent.ESBSpryDrvdriv) |
| SHA256 | AB87B29B6F79487C75CA08D102E79001E536F083 | KW1B5206BDC1743FP.dat (Win64/SprySOCKS.AEncSpryRawdriv) |
| SHA256 | 6490B8E4AADE25A3EE2DA9A47F312DB2122470BC | X1B5206BDC1743DD.dat (Win64/SprySOCKS.AEnc container, WIN_DRV variant) |
| SHA256 | E7484C24B88A1A2407A8F09D734F9A993670285B | klelam00007.zip (Win64/Agent.CXZ / SprySOCKS.ABARunner.KS) |
| SHA256 | 621D1952839BE4B0A1B0E66E87BCE5062CA368ED | tpsvcloc.dll (Win64/Agent.CXZ SpryLoad loader) |
| SHA256 | 2457EED2AB28E37741F10914EF929DAD2C8079D4 | VSPMsg.dll (Win64/Agent.CXZ First-stage loader for WIN_PLUS variant) |
| SHA256 | D2C706B1EAF662BF0CE124B5032F73ED84BDA24A | N/A (Win64/SprySOCKS.AWin variant SpryBack) |
| SHA256 | 5F3B87CEF56683D9A9E19186E0FD0D8019B559C4 | N/A (Win64/Agent.CXZ SpryLoad loader) |
| SHA256 | C793CA31E3F6628B5C8986146953BF66232E9A30 | config.dat (Win64/SprySOCKS.AEnc container, WIN_PLUS variant) |
| SHA256 | 037DB2445F3D72388CB2CF8510563148E5A184BE | N/A (BAT Runner.KS for WIN_PLUS variant) |
| IP Address | 207.148.78[.]36 | C2 server (IRT-CHOO-PALLC-AP, MITRE ATT&CK) |
| IP Address | 207.148.75[.]122 | SprySOCKS delivery server, June 2023 (same /20 subnet as C2) |
| File Name | klelam00007.zip | Initial delivery archive uploaded to VirusTotal |
| File Name | klelam00007.bat | Batch script responsible for persistence setup (WIN_DRV variant) |
| File Name | affair-build.bat | Cleanup batch script executed by SprySOCKS loader |
| File Name | tpsvcloc.dll | SprySOCKS backdoor loader DLL |
| File Name | tpsvc.dll | Legitimate signed library loading tpsvcloc.dll |
| File Name | X1B5206BDC1743DD.dat | Encrypted container with SprySOCKS backdoor and next-stage files |
| File Name | KX1B5206BDC1743DD.dat | Encrypted DriverLoader kernel driver |
| File Name | KW1B5206BDC1743FP.dat | Encrypted RawWNPF kernel driver |
| File Name | fsdiskbit.sys | Dropped DriverLoader kernel driver on disk |
| File Name | VSPMsg.dll | First-stage loader DLL for WIN_PLUS variant |
| File Name | config.dat | Encrypted container for WIN_PLUS variant (spool\drivers\color) |
| File Name | ApphostRagistreationVerifier.exe | Renamed legitimate executable used in scheduled task for persistence |
| Registry Key | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger | Persistence registry key used by WIN_DRV loader |
| Registry Key | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg | Persistence via print processor (WIN_PLUS variant) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.