FishMonger, a China-nexus threat group, has deployed a previously undocumented version of the SprySOCKS Linux backdoor against government targets in Honduras, Taiwan, Thailand, and Pakistan.

June 16, 2026

FishMonger, a notorious nation-state threat group tied to a Chinese technology company, has expanded its tooling with a Windows backdoor that uses kernel drivers to remain undetected.

ESET discovered a previously undocumented version of SprySOCKS, a Linux backdoor that initially was observed in 2023 in threat activity from FishMonger (aka Earth Lusca and Aquatic Panda). Last year, the cyber-espionage group was tied to i-Soon, a Chinese technology company that conducted cyber operations on behalf of the People's Republic of China (PRC).

ESET researchers recently found samples of the Windows version of SprySOCKS on VirusTotal, but further telemetry analysis revealed it had been deployed in the wild in 2023 and 2024. According to an ESET report published today, the Windows variant had been deployed primarily against government organizations in Honduras, Taiwan, Thailand, and Pakistan.