New Windows Backdoor Linked to Chinese Hacking Group

by Chief Editor

Security researchers at Eset have identified two previously undocumented Windows variants of the SprySocks backdoor, a tool linked to the Chinese hacking contractor iSoon. The variants have been active since 2023, use a kernel-mode rootkit driver to evade detection, and have been deployed against government organizations across Asia and Central America. The malware accepts more than 30 commands from its command-and-control (C&C) server and marks a significant cross-platform step for a tool that was previously known only as Linux malware.

How Do These New Windows Backdoors Operate?

The newly discovered Windows variants keep the core architecture of the original Linux-based SprySocks but adopt Windows-native mechanisms for stealth. According to Eset, the malware installs a kernel-mode driver that hides its network connections, running processes, and registry keys from security software on the host. Through the same driver, operators can divert incoming TCP traffic to a randomly chosen port on the victim machine, so the backdoor's real listening port does not appear in the output of standard host-based network tools such as netstat.

Pro Tip: Because a kernel-level rootkit hides its sockets from the tools that run on the infected host, host-only monitoring is not enough. Compare the host's own list of listening ports with an outside view of the same machine (NetFlow or firewall logs, a network tap, or a port scan from another system) and investigate any port that answers on the wire but is absent from the host's list.
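The cross-view check the tip describes, written out as an added example; this is not Eset's code or part of the original article. It assumes a netstat-style snapshot of listeners collected on the host and Zeek-style conn.log records from a network sensor that sees the same host. Both inputs are constructed for the example, and the IP addresses, ports and connection IDs are hypothetical.

```python
"""
Cross-view check for hidden TCP listeners (added example).

A kernel rootkit can hide a socket from tools that ask the host's own kernel,
but it cannot hide the packets the host answers on the wire. Compare the
listeners the host reports with the connections a network sensor saw the
host respond on, and flag the difference.
"""
from collections import defaultdict

# Constructed sample of `netstat -ano`-style output collected on the host.
# A rootkit-hidden listener simply does not appear here.
HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.25:3389         0.0.0.0:0              LISTENING       1140
  TCP    10.0.0.25:3389         10.0.0.7:51202         ESTABLISHED     1140
  TCP    [::]:135               [::]:0                 LISTENING       912
"""

# Constructed sample of Zeek-style conn.log records from a network tap.
# Fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SENSOR_CONN_LOG = "\n".join([
    "1700000001.1\tC1\t10.0.0.7\t51202\t10.0.0.25\t3389\ttcp\tS1",
    "1700000002.2\tC2\t10.0.0.7\t51210\t10.0.0.25\t445\ttcp\tSF",
    "1700000003.3\tC3\t203.0.113.9\t40022\t10.0.0.25\t49817\ttcp\tS1",  # answered, not in netstat
    "1700000004.4\tC4\t203.0.113.9\t40023\t10.0.0.25\t8080\ttcp\tS0",   # SYN with no reply: a probe
    "1700000005.5\tC5\t10.0.0.25\t50001\t198.51.100.4\t443\ttcp\tSF",   # outbound from the host
])

# Zeek conn_state values in which the responder completed or continued the
# handshake. S0 (no reply) and REJ (reset on SYN) prove nothing listened.
RESPONDED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}


def parse_netstat_listeners(text):
    """Return the set of TCP ports the host itself reports as LISTENING."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            # rsplit handles both 10.0.0.25:3389 and [::]:135
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({
            "uid": uid, "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p),
            "proto": proto, "state": state,
        })
    return records


def find_hidden_listeners(host_ip, listening_ports, records):
    """Map each port on host_ip that answered an inbound TCP handshake on the
    wire but is missing from the host's own listener list to the peers that
    reached it. An empty dict means the two views agree."""
    hidden = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp" or r["resp_h"] != host_ip:
            continue  # not inbound to the host under review
        if r["state"] not in RESPONDED_STATES:
            continue  # unanswered or rejected: a probe, not evidence of a listener
        if r["resp_p"] in listening_ports:
            continue  # host view and wire view agree on this port
        hidden[r["resp_p"]].add(r["orig_h"])
    return dict(hidden)


if __name__ == "__main__":
    listeners = parse_netstat_listeners(HOST_NETSTAT)
    hidden = find_hidden_listeners("10.0.0.25", listeners, parse_conn_log(SENSOR_CONN_LOG))
    for port, peers in sorted(hidden.items()):
        print(f"port {port} answered {sorted(peers)} but is absent from netstat: investigate")
```

With the constructed input the script reports port 49817, which completed a handshake with an outside peer while the host's own netstat shows no listener there; the S0 probe against 8080 and the host's outbound connection are correctly ignored. Two caveats apply in practice: collect the host snapshot and the sensor window at the same time, or a legitimately short-lived listener will show up as a mismatch, and treat a confirmed mismatch as a reason to acquire memory and disk for forensics rather than to trust any further output from the suspect host's tools.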

Why Are Government Agencies Primary Targets?

The campaign, attributed to the threat actor known as FishMonger or Earth Lusca, focuses on long-term intelligence gathering. Eset reports that the malware has been deployed against government agencies involved in foreign affairs, telecommunications, and technology in countries including Thailand, Taiwan, Honduras, and Pakistan. This activity aligns with the established operational profile of iSoon, a Chengdu-based contractor that faced indictments by U.S. federal prosecutors in 2024 for alleged cyber espionage.

What Is the Risk of Firmware-Level Exploitation?

Beyond the backdoor itself, Eset telemetry indicates that the attackers may be exploiting CVE-2023-24932, a Secure Boot bypass in the Windows Boot Manager (the flaw used by the BlackLotus UEFI bootkit). Exploiting it lets untrusted code run during system startup, before the operating system and its security tools load. Because a bootkit lives on the EFI System Partition rather than inside the Windows installation, it can survive an operating-system reinstall that does not wipe that partition, which makes this a far more resilient form of persistence than the backdoor alone.

Did you know? While SprySocks was originally discovered in 2023 as a Linux-only tool, its evolution into a Windows-compatible variant demonstrates how threat actors adapt proven modular code to expand their reach across heterogeneous enterprise environments.

Frequently Asked Questions

Are there known indicators of compromise for this backdoor?

Yes. Eset found that the Windows variants share their encryption keys, message formats, and the HP-Socket networking framework with the Linux version, so network detections written for Linux SprySocks traffic should also match the Windows variants. On the endpoint, the presence of the malicious kernel driver is a second detection point, with the caveat that a host already running the rootkit may not report it; check from offline media or a memory image where possible.


Does the U.S. indictment of iSoon affect these operations?

It remains unclear. Martin Smolár, a senior malware researcher at Eset, states that while iSoon executives were indicted in 2024, the impact of these legal actions on the ongoing FishMonger campaigns—or the development of these new variants—is still an open question.

How can organizations defend against rootkit-based backdoors?

Defense requires a layered approach. Beyond endpoint detection and response (EDR) tools, organizations should enforce Secure Boot and apply Microsoft's mitigations for CVE-2023-24932, which involve deploying the updated boot manager and revoking the old boot-manager signatures rather than just installing the monthly Windows update, since the flaw is in the Windows Boot Manager rather than in platform firmware. Firmware should still be kept current, and network segmentation limits how far any command-and-control traffic from a compromised host can reach and makes it easier to spot.

