Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit
From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22
ESET's full research paper details two previously undocumented Windows variants of the SprySOCKS backdoor, attributed to FishMonger (also tracked as Earth Lusca and Aquatic Panda; the Winnti-linked contractor known as I-SOON). Both variants centre on a kernel driver, RawWNPF.sys, that hides processes (by hooking NtQuerySystemInformation), network connections (by intercepting nsiproxy.sys IOCTLs), files (via minifilter callbacks) and the persistence registry keys, and that uses the Windows Filtering Platform to redirect specially crafted TCP packets to a hidden backdoor port (ESET, 2026-06-16; daily 06-17).

Background: FishMonger has been publicly tracked since the 2024 I-SOON contractor leak exposed its government-espionage-for-hire model. ESET's earlier work documented the Linux SprySOCKS lineage; this report extends the toolkit to a Windows kernel rootkit with a possible UEFI-bootkit component that leverages the patched BlackLotus Secure Boot bypass (CVE-2023-24932). Confirmed victims are government organisations in Honduras, Taiwan, Thailand and Pakistan; the targeting class (government and defence) keeps EU government networks in scope.

Action: enable the vulnerable-driver blocklist, hunt for the named driver and for process- and network-hiding behaviours, and verify that Secure Boot is at the current patch level.
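The following triage script is an added example written for this brief; it is not ESET's tooling and not part of the original report. It turns the action items above into four host checks: whether Microsoft's vulnerable-driver blocklist is enabled, whether the named driver (RawWNPF, from the report) is registered as a kernel service or appears in Sysmon DriverLoad events, whether Secure Boot is on and the UEFI db carries the "Windows UEFI CA 2023" certificate that the CVE-2023-24932 mitigation installs, and a cross-view process check that compares the enumerated process list (the NtQuerySystemInformation path the rootkit hooks) with a brute-force OpenProcess sweep over the PID space. It assumes PowerShell 5.1 or later run as Administrator on a UEFI host; the registry path, cmdlets and Sysmon log name are standard Microsoft locations, and the function names are my own.

```powershell
# Added example, not from the ESET report. Run elevated on the host under review.
$SuspectDriver = 'RawWNPF'   # driver name from the brief, without the .sys extension

function Test-VulnerableDriverBlocklist {
    # Microsoft's vulnerable-driver blocklist is enforced when this DWORD is 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{ Check = 'VulnerableDriverBlocklist'; Pass = ($val -eq 1); Detail = "value=$val" }
}

function Find-SuspectDriver {
    # Registered kernel services whose name or image path contains the driver name.
    $services = @(Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -like "*$SuspectDriver*" -or $_.PathName -like "*$SuspectDriver*" })
    # Sysmon Event ID 6 (DriverLoad) records loads even if the service key is later hidden.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$SuspectDriver*" })
    [pscustomobject]@{ Check = 'SuspectDriver'; Pass = ($services.Count -eq 0 -and $events.Count -eq 0)
                       Detail = "services=$($services.Count) sysmonLoads=$($events.Count)" }
}

function Test-SecureBootState {
    $sbOn = $false
    try { $sbOn = Confirm-SecureBootUEFI } catch { }
    # The CVE-2023-24932 mitigation adds the 'Windows UEFI CA 2023' certificate to the UEFI db
    # (the check Microsoft documents for it). Its absence means the host still boots only under the
    # revocable 2011 CA; full mitigation also requires the 2011 CA to be revoked via dbx.
    $ca2023 = $false
    try {
        $db = (Get-SecureBootUEFI -Name db).Bytes
        $ca2023 = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
    } catch { }
    [pscustomobject]@{ Check = 'SecureBoot'; Pass = ($sbOn -and $ca2023); Detail = "enabled=$sbOn uefiCa2023InDb=$ca2023" }
}

Add-Type -Namespace Hunt -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Find-HiddenProcesses {
    # View 1: the enumerated list. Get-Process ends in NtQuerySystemInformation, the call the rootkit hooks.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[int]$_.Id] = $true }
    # View 2: open every possible PID directly. A process that can be opened (or that answers
    # ACCESS_DENIED) exists even if it was filtered out of the enumeration.
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    $hidden = @()
    for ($candidate = 8; $candidate -le 65532; $candidate += 4) {
        $h = [Hunt.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $exists = ($h -ne [IntPtr]::Zero) -or ($err -eq $ERROR_ACCESS_DENIED)
        if ($h -ne [IntPtr]::Zero) { [void][Hunt.Native]::CloseHandle($h) }
        if ($exists -and -not $listed.ContainsKey($candidate)) { $hidden += $candidate }
    }
    [pscustomobject]@{ Check = 'HiddenProcesses'; Pass = ($hidden.Count -eq 0); Detail = "pidsOpenableButNotListed=$($hidden -join ',')" }
}

# Emit one row per check; Pass=False rows are the ones to escalate.
@(Test-VulnerableDriverBlocklist; Find-SuspectDriver; Test-SecureBootState; Find-HiddenProcesses) |
    Format-Table Check, Pass, Detail -AutoSize
```

The cross-view check is the one that survives a kernel hook on enumeration: the sweep takes a different kernel path than the hooked query, so a PID that opens but is absent from the list is a strong signal. Expect a few transient mismatches from processes that start or exit while the sweep runs; re-run and keep only PIDs that repeat. The driver-name check is deliberately weak on its own, since the report says the rootkit hides its own service key and files, which is why the Sysmon DriverLoad history and the process cross-view are paired with it.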