
FishMonger’s Arsenal Upgraded: SprySOCKS for Windows
Why It Matters
The Windows expansion gives FishMonger a cross‑platform foothold and advanced stealth, raising the threat level for critical infrastructure and government networks worldwide.
Key Takeaways
- Two new Windows SprySOCKS variants, WIN_DRV and WIN_PLUS, uncovered
- WIN_DRV uses a kernel driver to hide connections, processes, and files
- Both variants support TCP, UDP, and WebSocket C&C with 30+ commands
- Campaign hit government entities in Honduras, Taiwan, Thailand, and Pakistan (2023‑24)
- Possible UEFI bootkit leverages CVE‑2023‑24932 for persistence
Pulse Analysis
FishMonger, a China‑based cyber‑espionage group operating under the Winnti umbrella, has long been associated with Linux‑only tools such as SprySOCKS. The recent discovery of Windows‑compatible variants marks a strategic shift, allowing the group to infiltrate a broader range of targets that rely heavily on Microsoft environments. By reusing the open‑source Trochilus RAT code and the HP‑Socket networking library, the attackers preserved the core command‑and‑control (C2) architecture while extending functionality to Windows, a move that underscores the modular nature of modern APT toolkits.
The technical sophistication of the WIN_DRV variant is noteworthy. It deploys a signed kernel driver—leveraging a leaked PastDSE certificate—to mask its presence at the system level, intercepting API calls to hide processes, network sockets, files, and registry keys. This driver also diverts arbitrary TCP traffic to a hidden backdoor port, effectively creating a passive listener that evades traditional port‑based detection. WIN_PLUS, while lacking the driver, still employs process‑doppelganging injection and a persistent print‑processor hook, illustrating the group’s flexibility in achieving stealth across different Windows subsystems. The occasional use of a UEFI bootkit exploiting CVE‑2023‑24932 suggests a long‑term persistence strategy that could survive OS reinstallations.
For defenders, the emergence of these Windows variants expands the attack surface and complicates detection. Indicators such as the specific driver files (RawWNPF, DriverLoader), the hard‑coded C2 address 207.148.78.36 hosted on Vultr, and the unique batch‑script persistence mechanisms should be integrated into endpoint detection and response (EDR) rules. Moreover, the cross‑protocol C2 design—supporting TCP, UDP, and WebSocket—demands comprehensive network monitoring to spot anomalous traffic patterns. As APT groups continue to blur the lines between Linux and Windows payloads, organizations must adopt a unified threat‑intel approach that spans all operating systems to mitigate the evolving risk.
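As an added illustration of folding the indicators above into detection logic (this is example code written for this summary, not tooling from the report or the EDR vendors it mentions), the following Python rule scans constructed key=value endpoint events for the named driver files and for connections to the hard‑coded C2 address over any of the three C2 transports. The log format, field names and sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up above.
C2_ADDRESS = "207.148.78.36"
DRIVER_NAMES = {"rawwnpf", "driverloader"}   # RawWNPF, DriverLoader (case-insensitive)
C2_PROTOCOLS = {"tcp", "udp", "websocket"}  # cross-protocol C2 design

@dataclass(frozen=True)
class Alert:
    rule: str
    line: str

# Assumed (hypothetical) event shape: space-separated key=value pairs, values may be quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def check_event(line):
    """Return the alerts raised by one event line (empty list if benign)."""
    ev = parse_event(line)
    alerts = []
    etype = ev.get("event", "").lower()
    if etype == "driver_load":
        # Compare the file stem only, so paths, casing and the .sys suffix do not matter.
        name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.rsplit(".", 1)[0] in DRIVER_NAMES:
            alerts.append(Alert("sprysocks_win_drv_driver", line))
    elif etype == "net_connect":
        if ev.get("dst_ip") == C2_ADDRESS and ev.get("proto", "").lower() in C2_PROTOCOLS:
            alerts.append(Alert("sprysocks_c2_address", line))
    return alerts

def scan(lines):
    return [alert for line in lines for alert in check_event(line)]

# Constructed sample events; 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_LOGS = [
    r'event=driver_load image="C:\Windows\System32\drivers\RawWNPF.sys" pid=4',
    r'event=driver_load image="C:\Windows\System32\drivers\disk.sys" pid=4',
    r'event=net_connect proto=websocket dst_ip=207.148.78.36 dst_port=443 pid=1337',
    r'event=net_connect proto=tcp dst_ip=203.0.113.10 dst_port=443 pid=2200',
    r'event=net_connect proto=udp dst_ip=207.148.78.36 dst_port=53 pid=1337',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert.rule, "<-", alert.line)
```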