SprySOCKS
SprySOCKS is a backdoor malware family first documented as Linux malware and later observed in two previously undocumented Windows variants named WIN_DRV and WIN_PLUS. ESET attributed the Windows variants with high confidence to the China-linked FishMonger espionage group, also tracked as Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10, and assessed FishMonger to be operated by the Chengdu-based contractor i-SOON under the broader Winnti umbrella. Observed activity occurred in 2023 and 2024 and primarily targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan.
The Windows variants retain core elements of the Linux version, including hardcoded command-and-control configuration, message format, encryption keys and algorithms, and the HP-Socket communication framework. They support C2 over TCP, UDP, and WebSocket and implement more than 30 commands for system information collection, process enumeration and control, service management, file management, execution, and SOCKS proxying. Both variants were reported as DLLs with original name PrcsServer.dll, exporting a function named Stop, and creating a mutex named prcs-server-run during initialization.
Reported functionality includes logging of keystrokes, clipboard contents, and active window titles, enabled by the file %appdata%\Microsoft\Vault\lgf.dat. Logged data is stored in %appdata%\Microsoft\Vault\lg.dat and encrypted with the single-byte XOR key 0x44.
WIN_DRV adds kernel-level stealth and rootkit-like capabilities. It uses a kernel driver named RawWNPF, loaded via a DriverLoader component, to hide network connections, processes, files, and registry keys, and to divert specially crafted TCP traffic received on any open port to the hidden backdoor port. Reported infection-chain details for WIN_DRV include DLL side-loading via ApphostRagistreationVerifier.exe, tpsvc.dll, and a malicious tpsvcloc.dll loader; AES-128-ECB decryption with hardcoded key uXQLESMXGaRMs6BL; injection into svchost.exe using process doppelgänging; persistence via a scheduled task named ApphostRagistreationVerifier and optionally Image File Execution Options for vds.exe; and loading of the RawWNPF driver from memory. ESET reported the DriverLoader driver was signed with a leaked certificate from the GitHub PastDSE project. A WIN_DRV archive was reportedly uploaded to VirusTotal in April 2024 as klelam00007.zip.
WIN_PLUS was described as a simpler backdoor variant. It used a first-stage loader named VSPMsg.dll installed as a Windows Print Processor under HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg, with an encrypted container stored at C:\Windows\System32\spool\drivers\color\config.dat. ESET reported a hardcoded C2 at 207.148.78[.]36 using ports 443/TCP, 53/UDP, and 80/WebSocket.
The malware family has also been described as based on the open-source Windows RAT Trochilus and as sharing characteristics with RedLeaves. Separate reporting cited code reuse linking SprySOCKS to the broader Winnti lineage, including PWNLNX, RedXOR, AzazelFork, and Melofee. ESET also noted limited indications that some SprySOCKS attack scenarios may have involved a UEFI bootkit component possibly exploiting CVE-2023-24932, although the available information does not establish that element conclusively.
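Added here as a defender's triage example (not ESET's or Mallory's code): the rules below scan constructed Sysmon-style events for the WIN_DRV and WIN_PLUS persistence and staging artifacts named above. The event field names and the svchost.exe parent heuristic are assumptions, not part of the reporting.

```python
# Added example, not ESET's or Mallory's code: scans Sysmon-style events
# (dicts; field names are an assumption, not a real schema) for the
# SprySOCKS persistence and staging artifacts named in the profile.
# Indicators from the profile, matched case-insensitively on the path tail.
IFEO_DEBUGGER = r"image file execution options\vds.exe\debugger"
PRINT_PROCESSOR = r"print\environments\windows x64\print processors\vspmsg"
FILE_ARTIFACTS = (  # (directory fragment, file name)
    ("\\microsoft\\vault\\", "lgf.dat"),  # keylogger enable switch
    ("\\microsoft\\vault\\", "lg.dat"),  # XOR-0x44 keylog store
    ("\\spool\\drivers\\color\\", "config.dat"),  # WIN_PLUS encrypted container
    ("\\fonts\\", "apphostragistreationverifier.exe"),  # side-loading host
)
C2_IP = "207.148.78.36"  # WIN_PLUS hardcoded C2 reported by ESET

def _norm(path):
    return path.replace("/", "\\").lower()

def classify(ev):
    """Return a rule name if the event matches a SprySOCKS artifact, else None."""
    kind = ev.get("type")
    if kind == "registry":
        key = _norm(ev.get("key", ""))
        if key.endswith(IFEO_DEBUGGER):
            return "ifeo-debugger-vds"
        if key.endswith(PRINT_PROCESSOR):
            return "print-processor-vspmsg"
    elif kind == "file":
        path = _norm(ev.get("path", ""))
        for d, name in FILE_ARTIFACTS:
            if d in path and path.endswith("\\" + name):
                return "file-" + name
    elif kind == "process":
        image, parent = _norm(ev.get("image", "")), _norm(ev.get("parent_image", ""))
        # Heuristic (assumption): svchost.exe is normally a child of services.exe.
        if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
            return "svchost-unusual-parent"
    elif kind == "driver" and "rawwnpf" in _norm(ev.get("image", "")):
        return "driver-rawwnpf"
    elif kind == "network" and ev.get("dst_ip") == C2_IP:
        return "c2-" + str(ev.get("dst_port"))
    return None

def triage(events):  # [(index, rule)] for every matching event
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
SAMPLE = [  # constructed sample telemetry, not real logs
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger"},
    {"type": "registry", "key": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg"},
    {"type": "file", "path": r"C:\Users\a\AppData\Roaming\Microsoft\Vault\lgf.dat"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "network", "dst_ip": "207.148.78.36", "dst_port": 443},
]
```

Run triage(SAMPLE) to list the matching events; the svchost.exe rule is a noisy heuristic on its own and is meant to be combined with the registry and file hits.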
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said.
Groups observed using it
3 distinct threat actors attributed by public researchers.
ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger... The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS.
Techniques & procedures
45 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (2 techniques)
Resource Development (1 technique)
Execution (4 techniques)
The attack chain makes use of an as-yet-undetermined initial access pathway to drop a batch script, which then creates and executes a scheduled task responsible for triggering a DLL side-loading chain
Persistence (4 techniques)
The attack chain makes use of an as-yet-undetermined initial access pathway to drop a batch script, which then creates and executes a scheduled task responsible for triggering a DLL side-loading chain
SprySOCKS uses the RawWNPF kernel driver to install packet filters capable of redirecting any inbound TCP traffic to the configured local port if a special magic value is detected in the packet.
registering the %SystemRoot%\Fonts\ApphostRagistreationVerifier.exe application as a debugger for vds.exe by writing the application’s path into the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger
Privilege Escalation (6 techniques)
The attack chain makes use of an as-yet-undetermined initial access pathway to drop a batch script, which then creates and executes a scheduled task responsible for triggering a DLL side-loading chain
It's designed to inject and run a SprySOCKS loader into a newly created "svchost.exe" process to launch the backdoor.
the loader spawns a new svchost.exe process ... and injects the backdoor’s shellcode into the process by using the process doppelgänging technique.
the loader spawns a new svchost.exe process using CreateProcessAsUserW with a token obtained from spoolsv.exe
registering the %SystemRoot%\Fonts\ApphostRagistreationVerifier.exe application as a debugger for vds.exe by writing the application’s path into the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vds.exe\debugger
Stealth (14 techniques)
SprySOCKS components are stored in an AES-encrypted file on the victim’s drive.
It's designed to inject and run a SprySOCKS loader into a newly created "svchost.exe" process to launch the backdoor.
the loader spawns a new svchost.exe process ... and injects the backdoor’s shellcode into the process by using the process doppelgänging technique.
The SprySOCKS loader removes original files from the deployment directory after copying them and setting up persistence.
SprySOCKS loader removes a service registry value associated with the previously installed malicious minifilter driver after executing the driver.
the loader spawns a new svchost.exe process using CreateProcessAsUserW with a token obtained from spoolsv.exe
SprySOCKS loader decrypts the SprySOCKS backdoor from an encrypted file. Additionally, most of the strings in the SprySOCKS components are encrypted.
SprySOCKS uses the RawWNPF kernel driver to install packet filters capable of redirecting any inbound TCP traffic to the configured local port if a special magic value is detected in the packet.
SprySOCKS uses several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.
WIN_DRV has also been found to utilize kernel drivers to conceal the malware's network connections, processes, files, and registry keys.
Discovery (9 techniques)
This includes collecting system information, launching an interactive console, enumerating processes, getting C2 communication details, listing all services...
SprySOCKS retrieves the active foreground window name as a part of its keylogging functionality.
the Windows versions support more than 30 commands to facilitate system information collection, process enumeration, service management, and file system operations.
SprySOCKS can collect information about the compromised device, including current system time.
SprySOCKS uses several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.
Collection (2 techniques)
Command and Control (12 techniques)
In addition to the TCP communication channel, SprySOCKS can contact its C&C using UDP and WebSocket channels.
Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP, and WebSocket protocols.
the variant enables TCP traffic diversion that allows the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's actual listening port in the network traffic.
SprySOCKS uses nonstandard protocols to communicate with the C&C.
SprySOCKS uses base64 encoding in its custom C&C communication protocol.
SprySOCKS uses the RawWNPF kernel driver to install packet filters capable of redirecting any inbound TCP traffic to the configured local port if a special magic value is detected in the packet.
This includes collecting system information, launching an interactive console... initialising a SOCKS proxy, uploading/downloading files, and running existing files.
Exfiltration (1 technique)
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A cross-platform backdoor originally documented as Linux-only, now observed in Windows variants. It supports more than 30 commands for system information collection, process enumeration, service management, file system operations, interactive console access, SOCKS proxy initialization, file upload/download, and command execution. The WIN_DRV variant uses kernel drivers for stealth and TCP traffic diversion, while WIN_PLUS uses the Windows Print Spooler service and process injection to launch the backdoor.
A cross-platform backdoor originally identified on Linux and now observed in undocumented Windows variants. It provides extensive command-and-control functionality, supports TCP, UDP, and WebSocket communications, and uses a kernel-level rootkit/driver to hide network connections, processes, files, and registry keys while enabling covert command delivery through random TCP ports.
SprySOCKS is a backdoor malware family linked to Earth Lusca/FishMonger. The Windows variants support TCP, UDP, and WebSocket communications, more than 30 C2 commands, system information collection, process and service management, file operations, SOCKS proxying, client/server operation, and logging of keystrokes, clipboard content, and active window titles. The WIN_DRV variant adds kernel-level stealth and rootkit-like capabilities, including hiding processes, network connections, files, and Registry persistence entries, plus TCP traffic diversion to conceal the real listening port.
A cross-platform backdoor used for cyberespionage that supports TCP, UDP, and WebSocket C2, system information collection, process and service management, file operations, SOCKS proxying, keylogging, clipboard capture, and command execution. The WIN_DRV variant adds kernel-driver-based stealth to hide files, processes, registry keys, and network connections, and can divert TCP traffic to a hidden listening port.