SprySOCKS Backdoor Expands From Linux to Windows

A backdoor used by a China-aligned espionage group has expanded from Linux to Windows, gaining a kernel-level stealth layer that hides it from the tools defenders rely on to spot intrusions.

New analysis from ESET identified two previously undocumented Windows versions of SprySOCKS, a backdoor it attributes to FishMonger, the China-based group widely linked to contractor I-Soon.

Both versions, marked WIN_DRV and WIN_PLUS, ship with hardcoded command-and-control (C2) settings and a broad set of espionage features.

ESET telemetry traced real activity to 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand and Pakistan. SprySOCKS was first documented as a Linux backdoor in 2023.

Hiding in the Kernel

The stealthier of the two, WIN_DRV, leans on a kernel driver that acts as a rootkit, hiding the malware's files, processes, registry keys and network connections so they never show up in tools like netstat.

It also lets operators reach the backdoor without giving themselves away, quietly rerouting traffic from any open port to the backdoor's hidden one when a specific marker appears in the packet and keeping the real destination out of sight.
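Because a kernel rootkit filters what the host itself reports, one practical check is a cross-view comparison: flows recorded by a sensor outside the host (a span port, firewall or flow collector) are matched against the host's own netstat output, and anything the sensor saw but the host did not report is flagged. The script below is an added example, not ESET's tooling or SprySOCKS code; the netstat and flow samples are constructed, and the flow format is a made-up three-column layout standing in for whatever your collector exports.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of `netstat -ano` output as a rootkit-filtered host would report it.
HOST_NETSTAT = """\
  TCP    10.0.0.5:445        0.0.0.0:0           LISTENING       4
  TCP    10.0.0.5:49712      52.10.1.1:443       ESTABLISHED     1332
  UDP    10.0.0.5:137        *:*                                 1104
"""

# Constructed sample of flow records from a network sensor outside the host
# (hypothetical "proto local remote" layout); the rootkit cannot filter these.
SENSOR_FLOWS = """\
tcp 10.0.0.5:49712 52.10.1.1:443
tcp 10.0.0.5:49801 203.0.113.7:8443
udp 10.0.0.5:137 10.0.0.255:137
"""

Conn = Tuple[str, str, str]          # (proto, local_endpoint, remote_endpoint)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)")
WILDCARD = {"0.0.0.0:0", "*:*", "[::]:0"}   # host entries that match any remote

def parse_netstat(text: str) -> Set[Conn]:
    """Extract (proto, local, remote) from Windows netstat lines; skip headers."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.add((m.group(1).lower(), m.group(2), m.group(3)))
    return conns

def parse_flows(text: str) -> Set[Conn]:
    """Parse the constructed sensor format; malformed lines are ignored."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            conns.add((parts[0].lower(), parts[1], parts[2]))
    return conns

def explained_by_host(flow: Conn, host_view: Set[Conn]) -> bool:
    """A flow is accounted for if the host shows the same proto/local endpoint
    and either the same remote or a wildcard (listener / unconnected UDP)."""
    proto, local, remote = flow
    return any(hp == proto and hl == local and (hr in WILDCARD or hr == remote)
               for hp, hl, hr in host_view)

def hidden_connections(host_view: Set[Conn], sensor_view: Set[Conn]) -> List[Conn]:
    """Flows the sensor observed that the host never reported: rootkit candidates."""
    return sorted(f for f in sensor_view if not explained_by_host(f, host_view))

if __name__ == "__main__":
    for flow in hidden_connections(parse_netstat(HOST_NETSTAT), parse_flows(SENSOR_FLOWS)):
        print("not reported by host:", *flow)
```

This only catches sockets hidden outright; traffic the driver reroutes from a legitimately open port will still appear on that port in both views, so the reroute needs content or behavioural inspection rather than a 5-tuple diff.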

Both variants reach their operators over any of three channels (TCP, UDP or WebSocket) and can act as either client or server. Between them, they support more than 30 commands, spanning:

  • System and network reconnaissance

  • Process enumeration and termination

  • Service creation, control and deletion

  • File listing, transfer, deletion and execution

  • A built-in SOCKS proxy for tunneling

The backdoor can also log keystrokes and clipboard contents when switched on, and quietly adds a Windows firewall rule to let its traffic through.

Part of a Wider Espionage Toolkit

FishMonger, also tracked as Earth Lusca and Aquatic Panda, sits under the Winnti umbrella and is believed to run out of Chengdu, China.

Its toolkit already spanned ShadowPad, Cobalt Strike and the Biopass RAT, and the group is believed to be operated by Chinese contractor I-Soon, whose employees were indicted in the US in March 2025 over hacking-for-hire operations.

ESET could not confirm how the attackers got in, but FishMonger typically exploits unpatched public-facing servers. On the device, the malware hides among legitimate, signed Windows files via DLL side-loading and sets itself to run at startup.

Most concerning, ESET found limited signs that some attacks may reach even deeper, into a UEFI bootkit that loads before Windows itself. The firm urged defenders to watch the group closely.
