Analysis of a China-Linked Espionage Group Expanding Cross-Platform Malware Capabilities
ESET researchers identified previously undocumented Windows variants of the SprySOCKS malware family, a backdoor historically associated with the China-linked cyber espionage group FishMonger. The newly discovered variants, WIN_DRV and WIN_PLUS, introduce enhanced stealth capabilities through kernel drivers, process injection, DLL side-loading, and advanced command-and-control functionality. This development demonstrates a significant evolution in FishMonger’s operational toolkit and highlights the group's continued investment in long-term intelligence collection operations targeting government and strategic organizations.
FishMonger
Earth Lusca
SprySOCKS
High
Espionage
High
FishMonger is a China-linked cyber espionage group operating within the broader Winnti ecosystem. The actor has been associated with multiple aliases including Earth Lusca, Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. The group's historical targeting patterns indicate a focus on strategic intelligence collection against governments, public sector organizations, and institutions of geopolitical interest.
Victim organizations have been observed in Pakistan, Taiwan, Thailand, Honduras, France, Hungary, Turkey, and the United States.
- FishMonger activity publicly tracked.
- SprySOCKS first documented as a Linux-based backdoor.
- Deployment of Windows variants against government targets.
- WIN_PLUS variant detected on a victim system in Pakistan.
- ESET disclosed new Windows SprySOCKS variants.
SprySOCKS is a modular remote access backdoor supporting more than thirty commands including system reconnaissance, file management, service control, SOCKS proxy functionality, and remote command execution.
WIN_DRV introduces kernel driver support enabling concealment of files, processes, registry keys, and network communications while improving operational stealth.
WIN_PLUS leverages Print Spooler abuse, DLL side-loading, and process injection techniques to establish persistence and execute malicious code.
The exact entry vector remains unknown. Historical FishMonger activity includes exploitation of vulnerable Fortinet, GitLab, Microsoft Exchange, Telerik, and Zimbra systems.
Execution relies on scheduled tasks, scripts, DLL side-loading, and malicious loaders.
Persistence mechanisms include driver-based execution chains, scheduled tasks, and service abuse.
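Scheduled tasks that launch a proxy-execution binary, or any executable living in a user-writable directory, are the common shape of the DLL side-loading and scheduled-task persistence described above. The following Python script is an added example, not ESET's tooling or anything recovered from the malware: it reviews Task Scheduler XML (the format produced by `schtasks /query /xml`) and flags actions matching those patterns. The task definitions, paths and DLL name embedded below are constructed for illustration.

```python
"""Review exported Task Scheduler XML for persistence patterns associated with
DLL side-loading and proxy execution. Added example; sample tasks are constructed."""
import ntpath
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Signed Windows binaries frequently used to load attacker-supplied DLLs or scripts.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Directory fragments a standard user can write to; legitimate persistence rarely runs from here.
USER_WRITABLE_MARKERS = ("\\users\\public\\", "\\programdata\\", "\\appdata\\", "\\temp\\")

# Constructed sample: a benign vendor updater and a task that proxies a DLL from a public folder.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\Updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\Libraries\update.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""


def review_task(xml_text):
    """Return a list of findings for every Exec action in one task definition.

    Each finding carries the command, its arguments and the reasons it was flagged:
    a known proxy-execution binary, or a path under a user-writable directory.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        binary = ntpath.basename(command).lower()
        combined = f"{command} {arguments}".lower()
        reasons = []
        if binary in PROXY_BINARIES:
            reasons.append(f"proxy-execution-binary:{binary}")
        if any(marker in combined for marker in USER_WRITABLE_MARKERS):
            reasons.append("user-writable-path")
        if reasons:
            findings.append({"command": command, "arguments": arguments, "reasons": reasons})
    return findings


def review_tasks(task_xml_documents):
    """Review several exported task definitions and return only the flagged ones."""
    return [f for doc in task_xml_documents for f in review_task(doc)]


if __name__ == "__main__":
    for finding in review_tasks([BENIGN_TASK_XML, SUSPICIOUS_TASK_XML]):
        print(finding)
```

A hit on `user-writable-path` alone is the signature worth triaging for side-loading: a legitimately signed executable copied next to a rogue DLL in a writable folder will match it even though the command itself is not a proxy binary.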
Kernel drivers are used to hide malicious activity from monitoring tools and security products.
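A rootkit-style driver still has to be registered and loaded from somewhere on disk, so one of the cheapest checks for driver-based persistence is to review where every loaded kernel driver's image lives. The Python below is an added example written for this summary (it is not ESET's code and does not detect SprySOCKS specifically): it parses the CSV produced by `driverquery /v /fo csv` and flags drivers whose image path sits outside the standard driver directories. The CSV content is constructed; the column names follow what `driverquery /v` prints, and the module name and path of the flagged entry are placeholders.

```python
"""Flag loaded Windows kernel drivers whose image is outside the expected
directories, using `driverquery /v /fo csv` output. Added example; sample is constructed."""
import csv
import io
import ntpath

# Directories from which legitimate kernel and file-system drivers normally load
# (compared case-insensitively, without a trailing backslash).
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32",  # a few core drivers (e.g. hal.dll, ntoskrnl.exe) live here
)

# Constructed sample of `driverquery /v /fo csv` output. Column headers match the
# tool; the "updsvc" row is a placeholder for a driver loaded from a writable folder.
SAMPLE_DRIVERQUERY_CSV = r'''"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel ","Boot","Running","OK","TRUE","FALSE","151,552","487,424","0","","C:\Windows\system32\drivers\ACPI.sys","20,480"
"disk","Disk Driver","Disk Driver","Kernel ","Boot","Running","OK","TRUE","FALSE","12,288","65,536","0","","C:\Windows\system32\drivers\disk.sys","4,096"
"Ntfs","Ntfs","Ntfs","File System ","Boot","Running","OK","TRUE","FALSE","0","0","0","","C:\Windows\system32\drivers\Ntfs.sys","0"
"updsvc","Update Helper","Update Helper","Kernel ","Auto","Running","OK","TRUE","FALSE","4,096","40,960","0","","C:\ProgramData\updsvc\updsvc.sys","4,096"
'''


def parse_driverquery(csv_text):
    """Parse driverquery CSV output into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def suspicious_drivers(csv_text):
    """Return (module name, start mode, path) for drivers loaded from outside
    EXPECTED_DRIVER_DIRS. An unexpected path is a triage lead, not proof of a rootkit:
    the analyst still verifies the file's signature and the service that registered it."""
    flagged = []
    for row in parse_driverquery(csv_text):
        path = (row.get("Path") or "").strip()
        if not path:
            continue  # some rows (e.g. unloaded drivers) carry no path
        directory = ntpath.dirname(path).lower().rstrip("\\")
        if directory not in EXPECTED_DRIVER_DIRS:
            flagged.append((row["Module Name"], row["Start Mode"].strip(), path))
    return flagged


if __name__ == "__main__":
    for module, start_mode, path in suspicious_drivers(SAMPLE_DRIVERQUERY_CSV):
        print(f"{module}: start={start_mode} path={path}")
```

On a live host, pipe `driverquery /v /fo csv` into a file and pass its contents to `suspicious_drivers`; the same function works unchanged on output collected from many machines, which is what makes it usable as a fleet-wide sweep for the driver-based execution chains this report describes.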
Communications are conducted through TCP, UDP, and WebSocket channels using hardcoded command-and-control infrastructure.
| Tactic | Observed Activity |
|---|---|
| Execution | DLL Side-Loading |
| Persistence | Scheduled Tasks |
| Persistence | Driver-Based Execution |
| Defense Evasion | Rootkit Functionality |
| Discovery | Process Enumeration |
| Discovery | System Information Collection |
| Command and Control | WebSocket Communication |
| Command and Control | SOCKS Proxy Support |
The Windows adaptation of SprySOCKS represents a significant capability enhancement for FishMonger. By incorporating kernel-level stealth and Windows-native persistence mechanisms, the actor has increased both survivability and operational effectiveness. Organizations supporting government and strategic functions should prioritize monitoring for driver-based persistence and covert command-and-control communications.