Evolution of SprySOCKS: Analyzing the New Windows-Based Backdoor Variants

For much of its operational lifespan, the SprySOCKS backdoor has been a staple of the Linux environment, utilized extensively by the threat actor known as FishMonger (also identified as Earth Lusca or TAG-22). However, recent intelligence indicates a significant evolution in the adversary’s toolkit: the transition to Windows.

According to ESET research, two previously undocumented Windows builds have surfaced. These variants—internally designated as WIN_DRV and WIN_PLUS—maintain the original SprySOCKS protocol and command architecture while introducing sophisticated, Windows-native exploitation and persistence mechanisms.

Telemetry suggests active exploitation throughout 2023 and 2024, with a primary focus on government entities in Honduras, Taiwan, Thailand, and Pakistan. The core backdoor functionality remains robust, supporting over 30 commands for system reconnaissance, process/service management, file manipulation, SOCKS proxying, and interactive shell access. The implementation leverages open-source libraries such as HP-Socket for networking and Crypto++ for cryptographic operations, following the established multi-protocol, AES-ECB encrypted payload design.

Execution chain of the SprySOCKS WIN_DRV variant (Source: ESET).

Technical Breakdown: WIN_PLUS vs. WIN_DRV

The two variants represent different levels of operational complexity, tailored for varying degrees of stealth.

WIN_PLUS: The Lightweight Variant

The WIN_PLUS build utilizes a first-stage loader designed to mimic a print processor. This loader decrypts an AES-128-ECB encrypted container (using a hardcoded key) located within spool directories. It then employs techniques reminiscent of process doppelgänging to inject the backdoor into svchost.exe. Persistence is maintained by registering a custom print processor, allowing the malware to reside quietly within standard Windows printing workflows.

WIN_DRV: The Kernel-Mode Powerhouse

The WIN_DRV variant is significantly more advanced, aimed at deep system integration and evasion. Its execution chain begins with DLL side-loading and scheduled tasks to escalate privileges to SYSTEM. Once established, it deploys two critical kernel-mode components:

  • DriverLoader: A signed component that memory-maps and launches the primary driver in-memory.
  • RawWNPF: A sophisticated rootkit driver utilizing Minifilter and Windows Filtering Platform (WFP) drivers.

The RawWNPF driver acts as the primary stealth engine. It intercepts NtQuerySystemInformation to mask malicious processes, implements filesystem minifilter callbacks to hide its own files and registry keys, and utilizes WFP callouts to manipulate IPv4 traffic. One of its most notable capabilities is the ability to “hijack” TCP traffic; when the driver detects specifically crafted data on any open port, it transparently redirects the flow to the backdoor’s hidden listening port. Because this port is invisible to standard diagnostic tools like netstat, the backdoor remains effectively invisible to most network monitoring.

Service registry key created by the SprySOCKS WIN_DRV loader (Source: ESET).

To get past modern driver-loading requirements, the attackers sign their drivers with a leaked PastDSE certificate so that they pass signature enforcement on targeted systems. Furthermore, there is emerging evidence suggesting the possible use of a UEFI bootkit (potentially leveraging CVE-2023-24932) to achieve even deeper persistence.

Example SprySOCKS C&C message as seen in Wireshark (left), and its contents after decoding and decryption (right) (Source: ESET).

Defensive Recommendations

Defenders should prioritize hunting for the following indicators of compromise (IOCs):

  • Suspicious DLL side-loading involving signed executables that have been renamed to mimic legitimate Microsoft services.
  • Encrypted containers located in %SystemRoot%\Fonts or spool directories.
  • Anomalous WFP callouts and unexplained hidden processes or network connections.
  • Outbound traffic directed toward the 207.148.64.0/20 (Vultr-hosted) range.
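As an added illustration (not code from the ESET report or this article), the following Python script applies two of the hunt criteria above to constructed sample events: outbound connections into 207.148.64.0/20, and file creation below %SystemRoot%\Fonts or the spool tree. It assumes a simple key=value event format with already-expanded Windows paths; the hostnames and the non-matching addresses and paths are invented.

```python
import ipaddress
from pathlib import PureWindowsPath

# Vultr-hosted range the report names as a SprySOCKS C&C destination.
C2_RANGE = ipaddress.ip_network("207.148.64.0/20")

# Drop locations for encrypted containers named in the report.
# Assumption: event paths are already expanded (no %SystemRoot% variable).
SUSPICIOUS_DIRS = (
    PureWindowsPath(r"C:\Windows\Fonts"),
    PureWindowsPath(r"C:\Windows\System32\spool"),
)

# Constructed sample events (not from the report). "net" lines are outbound
# connections, "file" lines are file-creation events; 207.148.80.1 sits just
# outside the /20 and serves as a negative control.
SAMPLE_EVENTS = """\
net host=ws01 dst=207.148.70.12 dport=443
net host=ws01 dst=13.107.4.52 dport=443
file host=ws02 path=C:\\Windows\\Fonts\\KX1B5206BDC1743DD.dat
file host=ws02 path=C:\\Users\\alice\\Documents\\notes.txt
file host=ws03 path=C:\\Windows\\System32\\spool\\drivers\\x64\\3\\config.dat
net host=ws03 dst=207.148.79.254 dport=8080
net host=ws04 dst=207.148.80.1 dport=443
"""


def under_suspicious_dir(path: str) -> bool:
    """True when the file sits below the Fonts or spool directory (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(d in p.parents for d in SUSPICIOUS_DIRS)


def hunt(events: str) -> dict:
    """Return {host: [findings]} for hosts that match either indicator."""
    findings: dict = {}
    for line in events.splitlines():
        kind, *pairs = line.split()
        fields = dict(kv.split("=", 1) for kv in pairs)
        host = fields["host"]
        if kind == "net" and ipaddress.ip_address(fields["dst"]) in C2_RANGE:
            findings.setdefault(host, []).append(
                f"c2-range:{fields['dst']}:{fields['dport']}")
        elif kind == "file" and under_suspicious_dir(fields["path"]):
            findings.setdefault(host, []).append(f"container-path:{fields['path']}")
    return findings


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
```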

Indicators of Compromise (IOCs)

Files

| SHA-1 | Filename | Detection | Description |
| --- | --- | --- | --- |
| 955BFC3DCC867256F9F46A606DEB0779FA3416D8 | KX1B5206BDC1743DD.dat | Win64/SprySOCKS.A | Encrypted SprySOCKS DriverLoader driver. |
| 44DC4A08C5EB0972C8E18B0E01284E06F09006BB | bthcam.sys | Win64/Agent.ESB | SprySOCKS DriverLoader driver. |
| AB87B29B6F79487C75CA08D102E79001E536F083 | KW1B5206BDC1743FP.dat | Win64/SprySOCKS.A | Encrypted SprySOCKS RawWNPF driver. |
| 6490B8E4AADE25A3EE2DA9A47F312DB2122470BC | X1B5206BDC1743DD.dat | Win64/SprySOCKS.A | Encrypted container for WIN_DRV components. |
| E7484C24B88A1A2407A8F09D734F9A993670285B | klelam00007.zip | Multi-detection | ZIP archive containing WIN_DRV components and side-loading binaries. |
| 621D1952839BE4B0A1B0E66E87BCE5062CA368ED | tpsvcloc.dll | Win64/Agent.CXZ | SprySOCKS loader. |
| 2457EED2AB28E37741F10914EF929DAD2C8079D4 | VSPMsg.dll | Win64/Agent.CXZ | First-stage loader for the SprySOCKS loader. |
| D2C706B1EAF662BF0CE124B5032F73ED84BDA24A | N/A | Win64/SprySOCKS.A | WIN_PLUS variant of the SprySOCKS backdoor. |
| 5F3B87CEF56683D9A9E19186E0FD0D8019B559C4 | N/A | Win64/Agent.CXZ | SprySOCKS loader. |
| C793CA31E3F6628B5C8986146953BF66232E9A30 | config.dat | Win64/SprySOCKS.A | Encrypted container for the WIN_PLUS variant. |
| 037DB2445F3D72388CB2CF8510563148E5A184BE | N/A | BAT/Runner.KS | Batch script for WIN_DRV persistence. |
