FishMonger’s Strategic Pivot to Windows
The cybersecurity arms race isn't a static affair, and nation-state actors are the ones defining the pace. For years, we’ve tracked the China-nexus threat group FishMonger—also known as Earth Lusca or Aquatic Panda—by their predictable, and highly effective, reliance on Linux backdoors. Their operations targeted government networks with clinical precision, often utilizing the SprySOCKS backdoor. We grew comfortable with this. We built our detection rules around it, assuming that the perimeter was secure because our Linux monitoring was robust.
But that assumption was a crucial tactical error.
Recent intelligence unveiled by ESET researchers has shattered that comfort. FishMonger hasn't just continued their espionage; they’ve fundamentally expanded their infrastructure. They’re no longer limited by the OS constraints they previously operated under. We’re now witnessing the porting of SprySOCKS directly into the Windows environment, and they’ve brought an entirely new category of offensive complexity with them. This isn't a mere re-implementation; it’s an evolution. By integrating kernel-level driver stealth and abusing long-standing weak spots in Windows such as the Print Spooler service, FishMonger has effectively neutralized many of the legacy detection mechanisms meant to act as a barrier to such incursions. If you’re still basing your security posture on the idea that FishMonger is a Linux-only threat, you’ve already been outpaced. The deployment of SprySOCKS Windows variants demonstrates that their reach is now far deeper, and their footprint, while harder to see, is undeniably present on government networks worldwide.
SprySOCKS Architecture in the Windows Environment
To understand the severity of this shift, consider what SprySOCKS actually is. It’s not just a collection of malicious scripts; it’s a sophisticated, modular command-and-control platform. The core architecture remains largely consistent across both Linux and Windows iterations. We’re talking about a robust command set—more than 30 distinct functions—all designed to give an operator total control over the victim’s machine.
When ESET analyzed the latest, Windows-native version (v1.8), they found that the essential logic remains identical to its Linux predecessor. The C2 protocol, the encryption methods used for communication, and the tactical command set—it’s all there, effectively lifted and shifted into Windows-native services. They’re still communicating over standard protocols like TCP, UDP, or WebSocket to blend in with legitimate traffic, which is a classic, but highly effective, evasion technique. By maintaining this core, the operators don't have to relearn how to manage their implants. The transition for the attacker is seamless. However, for the defender, the move to Windows creates a significant blind spot. The tools we once used to detect the Linux-based SprySOCKS are completely ineffective against these new Windows variants. They’ve essentially reinvented the same threat, but placed it in a new playground where they have the home-field advantage.
WIN_DRV: Mastering Kernel-Level Stealth
The arrival of the WIN_DRV variant represents the most dangerous part of this expansion. It’s a direct attempt to seize control of the Windows kernel, and, frankly, they’re doing it with remarkable sophistication. This isn't user-land malware that can be easily plucked out of the process list.
The implementation involves two encrypted kernel drivers. The first is a loader, specifically identified as DriverLoader (often appearing as KX1B5206BDC1743DD.dat). The loader’s singular, job-critical purpose is to facilitate the injection of the second, far more malevolent driver: RawWNPF (found in KW1B5206BDC1743FP.dat). Once RawWNPF resides in memory, the game changes.
Because this driver operates with the privilege of the kernel, it’s not just influencing system activity; it’s rewriting what the operating system reports. It does this by hooking critical Windows system calls, such as NtQuerySystemInformation. When a security tool, or even an administrator, queries the system to list active processes, RawWNPF intervenes. It checks the output against its own list of hidden elements—the malware’s files, malicious processes, registry keys—and scrubs them from the result before the system shows the user the list.
It’s completely transparent. Imagine searching for a rootkit while that rootkit is actively editing the search results to assure you it isn't there. Furthermore, they’ve added clever TCP traffic diversion, using randomly assigned, ephemeral ports to manage their backdoor connectivity, while leaving the main listener port completely undetectable to standard network scanning. It’s a masterclass in covert persistence and something that standard EDR solutions are often caught flat-footed by.
WIN_PLUS: Weaponizing the Print Spooler
While WIN_DRV is concerned with deep stealth, the WIN_PLUS variant relies on the elegance of weaponizing common, vulnerable Windows infrastructure: the Print Spooler. We’ve seen this strategy time and again—it’s a classic, but its effectiveness remains undiminished.
In this instance, the attackers leverage spoolsv.exe, a service that runs with high privileges and is present on almost every Windows endpoint. The malware acts as a first-stage loader, disguised as a print processor. From this innocuous-looking foundation, it quickly executes a secondary payload, injecting the SprySOCKS loader into a legitimate svchost.exe process.
This is a deliberate camouflage strategy. By nesting the backdoor within a standard Windows process that is expected to have frequent network and disk activity, they make the malware look like mundane system overhead. It’s nearly impossible to distinguish this from the normal noise of an active server. By the time a security team notices the spike in activity or the suspicious communication pattern, the breach has already been fully operational for days, possibly weeks. It’s a calculated, low-tech addition that complements their high-tech, kernel-based tactics perfectly. They are covering all the bases: high-level stealth when necessary, and perfectly blended, common-process abuse when a lighter touch is called for.
Targeting: Global Patterns of Espionage
The targeting profile for these latest campaigns is unmistakable: this is about high-value government intelligence, not criminal financial gain. Throughout 2023 and 2024, the victims have been almost exclusively government entities in Honduras, Taiwan, Thailand, and Pakistan. This geographic distribution is strategic, aligning with known regional interests and diplomatic priorities.
Attribution leads back to the FishMonger group, which operates within the broader context of Chinese contracting entities tied to state interests, most notably I-SOON. The DOJ indictment in March 2025 further highlights the professionalization and government-backed nature of these groups. FishMonger doesn't operate in a vacuum; they’re part of an ecosystem like the Winnti Group, where code, techniques, and infrastructure are openly shared. This constant trading and mutation of tooling makes tracking them incredibly difficult. They aren't just one group using one set of tools; they’re an integrated node in a national cyber-espionage apparatus, similar to how other China-nexus groups rely on persistent implants, such as UNC5221's deployment of the Brickstorm backdoor to maintain footholds in target networks. The expansion into Windows is a direct reflection of their mandate to maximize intelligence collection, regardless of the target's operating system environment. They’ve recognized that to be effective, their toolkit must be as versatile as the networks they’re trying to compromise.
Technical Lineage and Continued Evolution
To truly grasp why FishMonger is so hard to stop, you have to look at their past. SprySOCKS did not materialize in a void; it shares significant genetic markers with the Trochilus RAT, and there's clear, detectable code overlap with the RedLeaves backdoor. They are practitioners of a highly refined, agile developmental cycle.
They’re constantly in a state of flux—taking a successful, proven backdoor, tweaking its protocol, re-branding its core loader, and then testing it in a new environment. This constant repurposing makes traditional indicator-based security struggle to keep up. When you look at tools like Webworm, SixLittleMonkeys, and now the Windows variant of SprySOCKS, you aren't seeing unique tools built from scratch. You’re seeing variations of the same modular ecosystem. They adapt rapidly. The moment one vector is closed (like Linux-based attacks), they switch to another (like Windows kernel drivers). It’s not just about one actor; it’s about a modular capability repository they draw from to keep their collection operational across an incredibly diverse set of targets. Understand this, and you understand their resilience.
Defensive Implications and Recommendations
So, how do we counter this? First and foremost, drop the "Linux-only" label for SprySOCKS. If you’re not actively hunting for these Windows-based indicators, you’re missing the threat entirely.
You need kernel-level visibility. Without it, you are blind to the RawWNPF driver installation, as it will actively lie to any user-level detection tool you throw at it. Monitor heavily for suspicious Windows scheduled tasks and any hint of unauthorized DLL side-loading. Print spooler behavior is a critical alert zone—any unusual activity involving spoolsv.exe and its relationship with svchost.exe should trigger immediate investigation.
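As an added illustration of the hunting recommendations above (not code from the report or from ESET), the following Python rules run over constructed Sysmon-style events and flag the three behaviours described in the WIN_DRV and WIN_PLUS sections: an unsigned kernel driver loaded from a non-.sys image, an untrusted module loaded into spoolsv.exe, and spoolsv.exe creating a remote thread in svchost.exe. The Sysmon event IDs and field names are real; the file paths and the prtproc_x.dll name in the sample are made up.

```python
import json
from typing import Dict, List, Optional

# Constructed Sysmon-style events modelled on the WIN_DRV / WIN_PLUS chains the
# report describes; sample input only, not telemetry from the ESET analysis.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},            # benign driver
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},            # built-in print processor
    {"EventID": 6, "ImageLoaded": "C:\\ProgramData\\KX1B5206BDC1743DD.dat",
     "Signed": "false", "Signature": ""},                            # unsigned .dat driver (path made up)
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\spool\\prtprocs\\x64\\prtproc_x.dll",
     "Signed": "false", "Signature": ""},                            # unsigned processor (name made up)
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},           # spooler -> svchost injection
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

SPOOLER = "\\spoolsv.exe"


def check_event(ev: Dict) -> Optional[str]:
    """Return a finding for one event, or None if it matches nothing."""
    eid = ev.get("EventID")
    if eid == 6:  # driver loaded: kernel code must be signed and look like a driver
        img = ev.get("ImageLoaded", "")
        if ev.get("Signed") != "true" or not img.lower().endswith(".sys"):
            return f"suspicious driver load: {img}"
    elif eid == 7 and ev.get("Image", "").lower().endswith(SPOOLER):
        # module loaded into the spooler: a print processor should carry a trusted signature
        if ev.get("Signed") != "true" or "microsoft" not in ev.get("Signature", "").lower():
            return f"spoolsv.exe loaded untrusted module: {ev.get('ImageLoaded')}"
    elif eid == 8 and ev.get("SourceImage", "").lower().endswith(SPOOLER):
        # the spooler has no business creating threads in other processes
        return f"spoolsv.exe created remote thread in {ev.get('TargetImage')}"
    return None


def hunt(log_text: str) -> List[str]:
    """Run the rules over newline-delimited JSON events and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings
```

The Event 7 rule will also fire on legitimate third-party printer vendor modules, so allowlist known vendor signers before deploying it; and because a kernel rootkit can tamper with any user-mode collector, treat these as triage leads that still need the kernel-level visibility called for above.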
Finally, enable Hypervisor-Protected Code Integrity (HVCI) on all Windows endpoints. This is a non-negotiable security feature that can block the loading of unsigned or malicious drivers, which is the cornerstone of their WIN_DRV strategy. In this threat climate, you have to operate from the assumption that the attacker has already breached the perimeter. Assume they’re in, and your task becomes not just prevention, but actively hunting for the subtle footprints they've left behind. The game has changed, and defense has to change with it. Don't wait for the next report to update your detection—start today.