FishMonger Expands Spy Campaign: SprySOCKS Officially Attacks Windows

Campaign summary
Recently, security researchers discovered a large-scale attack campaign targeting government organizations in Asia (Taiwan, Thailand, Pakistan) and Central America (Honduras), believed to be carried out by the FishMonger APT group (part of the Winnti Group - China ecosystem). This group converted the SprySOCKS backdoor malware from Linux to Windows, significantly increasing the level of persistence and stealth. The latest variant uses a kernel driver to act as a rootkit, abusing Print Spooler, hiding all network activity and establishing a "passive TCP backdoor". In particular, there is evidence that they have begun exploiting the UEFI bootkit (CVE-2023-24932) to maintain permanent control over the target system. The main entry vulnerabilities are unpatched public-facing applications. It is recommended that organizations immediately review the Print Spooler service and update public servers with the latest security patches.
APT FishMonger (I-SOON) Team Analysis
Who is FishMonger?
FishMonger is an Advanced Persistent Threat (APT) group assessed to be linked to China, specializing in conducting cyber espionage campaigns targeting government, diplomatic, telecommunications and technology organizations. This group is known under various names such as Earth Lusca, TAG-22, Aquatic Panda and Red Dev 10.
FishMonger's main goals are to gather strategic intelligence, monitor the activities of target organizations, and maintain long-term access in compromised systems. The group is considered to have a high technical level, continuously developing new tools and applying increasingly sophisticated detection evasion techniques.
Activity history
Period 2012–2018
FishMonger was recorded participating in many cyber espionage campaigns in the Asia-Pacific region. Initial activities mainly focused on:
Government agencies.
Foreign offices.
Policy research organizations.
Telecommunications providers.
During this phase, the team mainly used web shells, custom backdoors, and modified open source tools.
Period 2019–2023
The group expanded its scope of activities to Southeast Asia, South Asia and Latin America. Campaigns began using more home-grown malware to reduce the likelihood of detection and increase persistence in the victim's environment.
This is also the period when tools such as FishProxy, ShadowPad (in some campaigns), and SprySOCKS Linux appeared.
Period 2024–2026
New ESET research shows that FishMonger has successfully developed Windows variants of SprySOCKS. Two notable variants are:
WIN_PLUS
WIN_DRV
In particular, WIN_DRV integrates kernel drivers to deploy rootkit functions, allowing hiding processes, network connections, files and Registry keys.
This is a sign that FishMonger is switching to kernel-level stealth techniques similar to many other nation-level APT groups.
Attack target
FishMonger often targets countries such as Taiwan, Thailand, Pakistan, Philippines, Malaysia, Honduras, Latin American countries and especially Vietnam.
FishMonger's targets also span many sectors: government agencies (Ministry of Foreign Affairs, Ministry of Defense, state management agencies) as well as telecommunications, technology, research and academia (network operators, ISPs, network infrastructure providers).
Techniques used
FishMonger often uses:
Spear-phishing emails.
Watering Hole Attack.
Exploiting vulnerabilities in Internet-facing servers.
Stolen accounts.
Event timeline
September 2023: Trend Micro published the first report about Earth Lusca (FishMonger) using a new backdoor on Linux, named SprySOCKS.
2023 - Early 2024: FishMonger quietly deployed the SprySOCKS variant on the Windows environment to attack government organizations in many countries.
April 2024: A malicious archive named klelam00007.zip is uploaded to VirusTotal, paving the way for in-depth analysis.
June 2026: ESET Research publishes detailed analysis of two SprySOCKS variants for Windows (WIN_PLUS and WIN_DRV).
Kill Chain & Detailed Technical Analysis
Initial access
FishMonger's familiar tactic is to target public-facing servers. Although the initial vector of this campaign has not been 100% confirmed, ESET telemetry shows that the intrusion occurred through exploiting N-day vulnerabilities on server applications.
After successful infiltration, the malware uses a script (.bat) to copy all executable files to the %SystemRoot%\Fonts system directory to maintain operations and prepare for sideloading.
Maintain access
FishMonger applies different persistence techniques depending on the version:
Scheduled task: creates a fake task named AppHostRagistreationVerifier that runs a legitimate, renamed binary.
Print Spooler abuse (T1543): the malware copies the payload as a printing library (port monitor) and forces spoolsv.exe (the legitimate Windows Print Spooler process) to load the malicious library at startup.
UEFI Bootkit (T1542.003): ESET noted signs that FishMonger exploits the CVE-2023-24932 (Windows Secure Boot bypass) vulnerability to deploy a bootkit at the UEFI layer, ensuring the backdoor can survive after reinstalling the operating system or formatting the hard drive.
As shown here, the attacker establishes persistent access through file.bat: the payload is run at every boot with SYSTEM privileges. Notably, they use the "C:\Windows\Fonts" folder; many malware families likewise use system folders like this to hide their payload because users rarely inspect them.
Defense Evasion & DLL Side-Loading
The abused legitimate files (such as AppHostRegistrationVerifier.exe or lexprsrv.exe) sideload the library libsprysocks.dll, which contains the core of the SprySOCKS backdoor (customized from the open-source Trochilus RAT).
Kernel-level Stealth: WIN_DRV and Passive TCP Backdoor
The most groundbreaking point in this campaign is that FishMonger developed the WIN_DRV version. This version comes with a kernel driver called RawWNPF, which acts as a rootkit with two core features:
Concealed rootkit: Driver hooks deeply into the system to hide processes, files, registry keys and network connections related to the backdoor.
Passive TCP Backdoor: instead of connecting out (reverse shell) or opening an obvious listening port, WIN_DRV turns any valid TCP port already open on the server (e.g. port 80 or 443) into its communication port. When the driver detects a special data structure (magic packet) in the TCP header of the incoming traffic stream, it secretly "diverts" that packet to a random local port on which the backdoor is actually listening. This lets the malicious code bypass firewalls and ordinary connection monitoring entirely.
Process Injection: Process Doppelgänging
SprySOCKS's execution chain uses Process Doppelgänging (T1055.013) — a sophisticated injection method that abuses NTFS Transactions. SprySOCKS loader decrypts the backdoor from the AES-128 ECB encrypted container (key: uXQLESMXGaRMs6BL), then injects it into the newly created svchost.exe process via Process Doppelgänging. This technique causes the payload to never exist as a regular file on disk, bypassing most EDR solutions based on file scanning.
C2 Communication — Multi-protocol architecture
The SprySOCKS backdoor (original DLL: PrcsServer.dll, export function: Stop) builds its C&C infrastructure on the open-source HP-Socket networking library and uses the Crypto++ library for cryptographic functions. The backdoor supports both client and server roles across all three protocols: TCP, UDP and WebSocket.
Embedded C&C configuration (Hardcoded)
C&C configuration is embedded directly in the binary, including:
Maximum 3 IP addresses + port for outbound connection (TCP, UDP, WebSocket client).
Maximum 3 listening ports for inbound connections (TCP, UDP, WebSocket server).
Configuration example from WIN_PLUS variant
TCP Client → 207.148.78[.]36:443
UDP Client → 207.148.78[.]36:53
WebSocket → 207.148.78[.]36:80
TCP Server → Listening port: 53781
Notably, both TCP port 443 and UDP port 53 are common ports (HTTPS and DNS), allowing C&C traffic to blend in with normal network traffic.
C&C protocol format
Each protocol uses a separate magic value in the header to identify legitimate traffic:
| Protocol | Magic Value | Header Location | Header Size |
|---|---|---|---|
| TCP | 0xACACBCBC | Offset 0x04 | 12 bytes |
| UDP | 0xACACBFBC | Offset 0x1C | 36 bytes |
| WebSocket | 0x1BDCCBAA | Masking Key (RFC 6455) | According to the WebSocket standard |
TCP header structure (12 bytes): [CRC32 (4B)] [Magic 0xACACBCBC (4B)] [Data Size (4B)]
After the header is the payload processed through the pipeline: Base64 encode → AES-128 ECB encrypt (key: QFTHEYjzX3RBOMgZ), with a WORD 0x0003 specifying the encryption method. This process ensures that C&C data is always encrypted in transit.
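The header layouts above are enough to write a first-pass detector for the TCP and UDP framing. The following is an added example, not code from the report or from ESET: it checks a TCP stream's first bytes for the 12-byte [CRC32][Magic][Data Size] header and a UDP datagram for the magic at offset 0x1C. The byte order of the fields and the meaning of the CRC32 are not stated in the report, so both byte orders are accepted for the magic, Data Size is assumed little-endian, and the CRC32 is reported but not verified; all samples are constructed.

```python
import struct
from typing import Optional, Dict, List, Tuple

# Magic values and header layouts as documented for the SprySOCKS C&C protocol.
TCP_MAGIC = 0xACACBCBC          # found at offset 0x04 of a 12-byte header
UDP_MAGIC = 0xACACBFBC          # found at offset 0x1C of a 36-byte header
TCP_HEADER_LEN = 12
UDP_HEADER_LEN = 36
TCP_MAGIC_OFFSET = 0x04
UDP_MAGIC_OFFSET = 0x1C


def _u32_matches(buf: bytes, offset: int, expected: int) -> bool:
    """True if the 4 bytes at `offset` equal `expected` in either byte order.
    The report gives the magic as a number, not a byte sequence, so both
    orders are accepted (assumption)."""
    if len(buf) < offset + 4:
        return False
    le = struct.unpack_from("<I", buf, offset)[0]
    be = struct.unpack_from(">I", buf, offset)[0]
    return expected in (le, be)


def classify_tcp_payload(payload: bytes) -> Optional[Dict]:
    """Inspect the start of a TCP stream for the SprySOCKS header
    [CRC32 (4B)][Magic (4B)][Data Size (4B)]. Returns None if no magic."""
    if len(payload) < TCP_HEADER_LEN or not _u32_matches(payload, TCP_MAGIC_OFFSET, TCP_MAGIC):
        return None
    crc32 = struct.unpack_from("<I", payload, 0)[0]
    # Data Size assumed little-endian (x86 Windows); the report does not say.
    data_size = struct.unpack_from("<I", payload, 8)[0]
    body = payload[TCP_HEADER_LEN:]
    return {
        "protocol": "tcp",
        "crc32": crc32,                       # reported only; coverage unknown
        "data_size": data_size,
        # A body exactly as long as the header claims is the strongest signal;
        # a mismatch usually means a truncated capture or a false positive.
        "size_consistent": data_size == len(body),
    }


def classify_udp_datagram(payload: bytes) -> Optional[Dict]:
    """Only the magic position and header size are documented for UDP."""
    if len(payload) < UDP_HEADER_LEN or not _u32_matches(payload, UDP_MAGIC_OFFSET, UDP_MAGIC):
        return None
    return {"protocol": "udp", "body_len": len(payload) - UDP_HEADER_LEN}


def scan(samples: List[Tuple[str, str, bytes]]) -> List[Tuple[str, Dict]]:
    """Run the matching classifier over (label, transport, bytes) tuples."""
    hits = []
    for label, transport, data in samples:
        result = classify_tcp_payload(data) if transport == "tcp" else classify_udp_datagram(data)
        if result:
            hits.append((label, result))
    return hits


# Constructed samples (not real captures): one SprySOCKS-style TCP message,
# one SprySOCKS-style UDP datagram, and a benign TLS ClientHello prefix.
BODY = b"QUJDREVGR0g="                                   # stand-in for Base64 ciphertext
TCP_SAMPLE = struct.pack("<III", 0xDEADBEEF, TCP_MAGIC, len(BODY)) + BODY
UDP_SAMPLE = b"\x00" * UDP_MAGIC_OFFSET + struct.pack("<I", UDP_MAGIC) + b"\x00" * 4 + b"\x11\x22"
BENIGN_TLS = b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03" + b"\x00" * 20
SAMPLES = [
    ("srv:443 stream A", "tcp", TCP_SAMPLE),
    ("srv:443 stream B", "tcp", BENIGN_TLS),
    ("srv:53 datagram", "udp", UDP_SAMPLE),
]

if __name__ == "__main__":
    for label, result in scan(SAMPLES):
        print(label, result)
```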
Connection self-protection mechanism
The WIN_DRV variant calls two IOCTLs of the RawWNPF driver before establishing any connection:
IOCTL 0x220340: Hide connections to/from addresses and ports in the configuration from the output of netstat.exe and similar tools.
IOCTL 0x220200: Enables TCP diversion — allowing the backdoor to receive commands through any open TCP port.
The backdoor also manipulates the firewall by deleting and recreating a fake rule named "Core Networking - Packet Too Big(ICMPv6 - In)" to open the listening port:
netsh advfirewall firewall delete rule name="Core Networking - Packet Too Big(ICMPv6 - In)"
netsh advfirewall firewall add rule name="Core Networking - Packet Too Big(ICMPv6 - In)" dir=in action=allow protocol=tcp localport=53781
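Because the decoy rule borrows the name of a built-in ICMPv6 rule, the reliable signal is the mismatch between a "Core Networking" name and an inbound TCP/UDP allow, not the exact spelling. The following is an added example, not part of the report: it parses the block format printed by `netsh advfirewall firewall show rule name=all` and flags such rules. The embedded output is constructed to resemble netsh's layout, with the legitimate ICMPv6 rule beside the decoy from the commands above.

```python
import re
from typing import Dict, List, Tuple

# Name fragments the backdoor borrows from the legitimate Windows rule (from the report).
DECOY_NAME_FRAGMENTS = ("Core Networking", "Packet Too Big")


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Split 'netsh advfirewall firewall show rule' output into one dict per
    rule. Only 'Key: value' lines are kept; the indented ICMP Type/Code
    sub-table and the dashed separator are skipped."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def suspicious_rules(rules: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag inbound allow rules named like the Core Networking ICMPv6 rule
    whose protocol is actually TCP or UDP. Returns (name, protocol, port)."""
    flagged = []
    for r in rules:
        name = r.get("Rule Name", "")
        looks_like_core = any(frag in name for frag in DECOY_NAME_FRAGMENTS)
        proto = r.get("Protocol", "").upper()
        if (looks_like_core and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and proto in ("TCP", "UDP")):
            flagged.append((name, proto, r.get("LocalPort", "?")))
    return flagged


# Constructed sample: the genuine ICMPv6 rule followed by the decoy TCP rule.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Core Networking - Packet Too Big (ICMPv6-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             ICMPv6
                                      Type    Code
                                      2       Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - Packet Too Big(ICMPv6 - In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            53781
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""

if __name__ == "__main__":
    for name, proto, port in suspicious_rules(parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print(f"SUSPICIOUS: {name!r} allows inbound {proto}/{port}")
```

On a live host, pipe the real `netsh advfirewall firewall show rule name=all` output into `parse_netsh_rules` instead of the sample.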
C&C command table (30+ Commands)
The backdoor receives commands through the __msgid field in the decoded JSON message. The table below lists the full range of supported commands:
| Message ID | Function | ATT&CK Category |
|---|---|---|
| 0x09 | Collect system information (hostname, OS, CPU, RAM, network adapters, privileges, language, system time, WIN_DRV/WIN_PLUS version) | Reconnaissance |
| 0x0A | Launch an interactive console (cmd.exe) | Execution |
| 0x0B | Write data to the interactive console | Execution |
| 0x0D | Terminate the interactive console | Execution |
| 0x0E | Establish a backup C2 channel | C2 Management |
| 0x0F | Forward C2 messages to another target | C2 Management |
| 0x11 | Enumerate all running processes | Discovery |
| 0x12 | Enumerate loaded modules for a specified process (PID) | Discovery |
| 0x13 | Terminate a process by PID | Impact |
| 0x14 | Close all active connections | C2 Management |
| 0x16 | Retrieve information about the current C2 channel | C2 Management |
| 0x17 | Initialize and enable a new C2 channel (TCP/UDP/WebSocket) | C2 Management |
| 0x19 | Uninstall the backdoor and exit | Anti-Forensics |
| 0x1E | Enumerate all Windows services | Discovery |
| 0x1F | Modify the StartType configuration of a service | Persistence |
| 0x20 | Start a service by name | Execution |
| 0x21 | Invoke ControlService with custom parameters | Execution |
| 0x22 | Remove a service from the Service Control Manager | Defense Evasion |
| 0x23 | Initialize a SOCKS proxy | Lateral Movement |
| 0x24 | Stop the SOCKS proxy | Lateral Movement |
| 0x25 | Send data through the SOCKS proxy | Lateral Movement |
| 0x26 | SOCKS proxy management operations | Lateral Movement |
| 0x2A | Upload files from the victim host to the C2 server | Exfiltration |
| 0x2B | File transfer support command | Exfiltration |
| 0x2C | Download files from the C2 server to the victim host | Ingress Tool Transfer |
| 0x2D | File transfer support command | Ingress Tool Transfer |
| 0x3C | Enumerate available disk free space | Discovery |
| 0x3D | List files within a specified directory | Discovery |
| 0x3E | Delete a file | Impact |
| 0x3F | Create a directory | File Management |
| 0x40 | Rename a file | File Management |
| 0x41 | Execute an existing file on the system | Execution |
| 0x42 | Copy a file | File Management |
| 0x43 | Enumerate files in Windows Recent folders (%APPDATA%\Microsoft\Windows\Recent\ and %APPDATA%\Microsoft\Office\Recent\) | Collection |
Integrated keylogger
The backdoor integrates a keylogger module, which is activated when the INI file %appdata%\Microsoft\Vault\lgf.dat exists with the configuration [config] key=1. When active, the keylogger:
Creates the mutex Global\{DCAA7ED8-521B-4EAB-BE21-65254CF59239}
Records keystrokes, clipboard data, and active window titles
SOCKS Proxy
Commands 0x23–0x26 allow setting up a SOCKS proxy directly on the victim machine. This feature allows attackers to use the victim machine as a "pivot point" for lateral movement within the internal network, expanding the scope of intrusion without needing to deploy additional tools on subsequent target machines.
IOC & Artifacts
File Indicators
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| E7484C24B88A1A2407A8F09D734F9A993670285B | klelam00007.zip | Win64/Agent.CXZ, Win64/SprySOCKS.A | Archive containing the complete WIN_DRV variant |
| 6490B8E4AADE25A3EE2DA9A47F312DB2122470BC | X1B5206BDC1743DD.dat | Win64/SprySOCKS.A | Encrypted container holding the WIN_DRV backdoor |
| 955BFC3DCC867256F9F46A606DEB0779FA3416D8 | KX1B5206BDC1743DD.dat | Win64/SprySOCKS.A | Encrypted SprySOCKS DriverLoader driver |
| AB87B29B6F79487C75CA08D102E79001E536F083 | KW1B5206BDC1743FP.dat | Win64/SprySOCKS.A | Encrypted RawWNPF driver |
| 44DC4A08C5EB0972C8E18B0E01284E06F09006BB | bthcam.sys | Win64/Agent.ESB | Decrypted DriverLoader driver |
| 621D1952839BE4B0A1B0E66E87BCE5062CA368ED | tpsvcloc.dll | Win64/Agent.CXZ | SprySOCKS loader (WIN_DRV) |
| 2457EED2AB28E37741F10914EF929DAD2C8079D4 | VSPMsg.dll | Win64/Agent.CXZ | First-stage loader (WIN_PLUS) |
| C793CA31E3F6628B5C8986146953BF66232E9A30 | config.dat | Win64/SprySOCKS.A | Encrypted container (WIN_PLUS backdoor + loader) |
| D2C706B1EAF662BF0CE124B5032F73ED84BDA24A | N/A | Win64/SprySOCKS.A | Decrypted WIN_PLUS backdoor |
| 5F3B87CEF56683D9A9E19186E0FD0D8019B559C4 | N/A | Win64/Agent.CXZ | SprySOCKS loader (WIN_PLUS) |
| 037DB2445F3D72388CB2CF8510563148E5A184BE | N/A | BAT/Runner.KS | Persistence batch script (WIN_DRV) |
Network Indicators
207.148.78[.]36 (Vultr cloud hosting, IP range 207.148.64.0/20)
TCP port: 443
UDP port: 53
WebSocket port: 80
207.148.75[.]122 (same IP range, used June 2023)
Host-based Indicators
File Paths (WIN_DRV)
%SystemRoot%\Fonts\ApphostRagistreationVerifier.exe
%SystemRoot%\Fonts\tpsvc.dll
%SystemRoot%\Fonts\tpsvcloc.dll
%SystemRoot%\Fonts\X1B5206BDC1743DD.dat
%SystemRoot%\Fonts\KX1B5206BDC1743DD.dat
%SystemRoot%\Fonts\KW1B5206BDC1743FP.dat
File Paths (WIN_PLUS)
C:\Windows\System32\spool\drivers\color\config.dat
C:\Windows\System32\spool\prtprocs\x64\VSPMsg.dll
C:\ProgramData\Microsoft Event\PFs\VSPMsg.dll
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe
HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg
Scheduled Tasks
ApphostRagistreationVerifier
Mutexes
prcs-server-run
fqwhi2d1qaz2
Global\{DCAA7ED8-521B-4EAB-BE21-65254CF59239}
Keylogger artifacts
%appdata%\Microsoft\Vault\lgf.dat (config file)
%appdata%\Microsoft\Vault\lg.dat (captured keystrokes, XOR key 0x44)
Fake firewall rule
"Core Networking - Packet Too Big(ICMPv6 - In)" (allows inbound TCP to the backdoor port)
MITRE ATT&CK Mapping
| Tactic | ID | Technique | Description in the Campaign |
|---|---|---|---|
| Reconnaissance | T1592.004 | Gather Victim Host Information: Client Configurations | Collects hostname, OS version, CPU, RAM, privileges, and system language |
| Reconnaissance | T1590.005 | Gather Victim Network Information: IP Addresses | Collects network adapter and IP address information |
| Resource Development | T1587.001 | Develop Capabilities: Malware | FishMonger developed the custom SprySOCKS backdoor |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Interactive cmd.exe shell (Command 0x0A) |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | Creates the scheduled task ApphostRagistreationVerifier |
| Execution | T1569.002 | System Services: Service Execution | Abuses Windows services for code execution |
| Execution | T1106 | Native API | Uses Windows native APIs directly |
| Persistence | T1547.012 | Boot or Logon Autostart Execution: Print Processors | Installs the loader as a Print Processor (VSPMsg) |
| Privilege Escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | Registers a debugger for vds.exe using IFEO registry keys |
| Defense Evasion | T1205.002 | Traffic Signaling: Socket Filters | RawWNPF driver installs packet filters and redirects traffic when a magic value is detected |
| Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | Uses CreateProcessAsUser with a token obtained from the Print Spooler service |
| Defense Evasion | T1622 | Debugger Evasion | RawWNPF invokes KdDisableDebugger to disable kernel debugging |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Decrypts the backdoor from AES-encrypted containers |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Deletes original files after copying them and establishing persistence |
| Defense Evasion | T1070.009 | Indicator Removal: Clear Persistence | Removes minifilter driver registry values after loading the driver |
| Defense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Uses dynamic API resolution across all components |
| Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Components are stored on disk in AES-encrypted form |
| Defense Evasion | T1055.013 | Process Injection: Process Doppelgänging | Injects the backdoor into svchost.exe using Process Doppelgänging |
| Defense Evasion | T1014 | Rootkit | RawWNPF hides processes, files, registry entries, and network connections |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Anti-emulation checks for snxhk.dll, SbieDll.dll, and cmdvrt32.dll |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Side-loads SprySOCKS through legitimate executables |
| Defense Impairment | T1562.004 | Disable or Modify System Firewall | Adds firewall rules to allow inbound traffic to the backdoor port |
| Discovery | T1010 | Application Window Discovery | Retrieves the active foreground window title (used by the keylogger) |
| Discovery | T1083 | File and Directory Discovery | Enumerates files and directories (Command 0x3D) |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | Checks for DLLs associated with security products |
| Discovery | T1082 | System Information Discovery | Performs comprehensive system information collection |
| Discovery | T1614.001 | System Location Discovery: System Language Discovery | Collects the system language setting |
| Discovery | T1007 | System Service Discovery | Enumerates Windows services (Command 0x1E) |
| Discovery | T1124 | System Time Discovery | Collects system time information |
| Collection | T1056.001 | Input Capture: Keylogging | Records keystrokes into lg.dat |
| Collection | T1115 | Clipboard Data | Collects clipboard contents alongside keylogging activities |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding | Uses Base64 encoding within the C2 protocol |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Encrypts C2 traffic using AES-128 ECB |
| Command and Control | T1008 | Fallback Channels | Supports parallel TCP, UDP, and WebSocket communication channels |
| Command and Control | T1665 | Hide Infrastructure | RawWNPF hides network connections from tools such as netstat.exe |
| Command and Control | T1571 | Non-Standard Port | Uses non-standard ports for C2 communications |
| Command and Control | T1095 | Non-Application Layer Protocol | Implements a custom protocol over TCP and UDP |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Uploads files through the C2 channel (Command 0x2A) |
Expert assessment
The migration of SprySOCKS from a Linux to Windows environment accompanied by the adoption of kernel rootkits and UEFI bootkits shows the terrifying maturity of FishMonger's cyber weapon development capabilities in particular and the Chinese APT ecosystem in general.
Applying the "passive TCP backdoor" technique through the RawWNPF kernel driver is an extremely sophisticated step. In fact, for most traditional Firewall or Network Security solutions, traffic entering valid open ports (such as 443 or 80) is considered safe at the Transport layer (L4). Kernel-level traffic shaping techniques help attackers completely bypass port scanning and fool normal firewall rules. Based on experience deploying SOC at large organizations, we have found that solutions that do not analyze deeply at layer 7 (L7 Deep Packet Inspection) or lack integration of network data flow with host data (NDR combined with EDR) will be "completely blind" to this method.
Additionally, the exploitation of Print Spooler as a means of persistence is a clear reminder: Print Spooler is a perennial architectural risk of Windows. Most public-facing servers have no need to use the printing service, but it is still enabled by default.
Recommended
Immediate (0-24h)
Conduct a system review to detect the existence of suspicious folders/files: %SystemRoot%\Fonts\libsprysocks.dll or scheduled task ApphostRagistreationVerifier.
Urgently disable the Print Spooler service on all public-facing Windows servers (such as Web Server, Exchange Server, Domain Controller) if there is no real need for printing.
Immediately update patches for N-day vulnerabilities on applications exposed to the Internet.
Short-term (1-7 days)
Threat Hunting for signs of DLL side-loading by examining unusual associations between legitimate Windows processes and unsigned DLLs.
Update signatures identifying IOCs in the SIEM/EDR system, especially monitoring hook behaviors at the network layer in kernel space.
Long-term
Enable and strictly manage Secure Boot configuration on all physical and virtualized servers to prevent risks from UEFI Bootkits, and apply patches for the vulnerability CVE-2023-24932.
Deploy a combined EDR and NDR model to correlate the blind spots between network and host. In particular, NDR's DPI (Deep Packet Inspection) capability is a mandatory requirement to uncover passive backdoor techniques such as the WIN_DRV variant.