ctipilot.ch

FishMonger (I-SOON) ports SprySOCKS backdoor to Windows (WIN_DRV/WIN_PLUS) with kernel-driver rootkit; government targets

campaign · item:fishmonger-isoon-sprysocks-windows-kernel-rootkit

  • Coverage timeline: 1 (first 2026-06-17 → last 2026-06-17)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (3 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-17 · CTI Daily Brief — 2026-06-17
    active_threats: First coverage; ESET; PRC espionage tooling, kernel rootkit, TCP diversion

Where this entity is cited

  • active_threats: 1

Source distribution

  • welivesecurity.com: 2 (50%)
  • bleepingcomputer.com: 1 (25%)
  • thehackernews.com: 1 (25%)

Related entities

Items in briefs about FishMonger (I-SOON) ports SprySOCKS backdoor to Windows (WIN_DRV/WIN_PLUS) with kernel-driver rootkit; government targets (2)

FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

ESET disclosed two previously undocumented Windows variants of SprySOCKS — a backdoor it attributes to FishMonger (a.k.a. Earth Lusca / Aquatic Panda / TAG-22), assessed with high confidence as operated by Chinese contractor I-SOON (ESET WeLiveSecurity, 2026-06-16). Previously known only as a Linux backdoor, the Windows builds (WIN_PLUS and WIN_DRV) were deployed in 2023–2024 against foreign-affairs, technology and telecom government bodies in Taiwan, Thailand, Pakistan and Honduras. WIN_PLUS persists as a Windows Print Processor (VSPMsg) and supports 30+ commands over TCP/UDP/WebSocket. WIN_DRV is the notable one: it loads a kernel driver (fsdiskbit.sys, signed with a certificate from the public PastDSE leaked-cert corpus) which memory-loads a second driver to deliver rootkit-class stealth — hiding processes, files, network connections and registry keys, and performing TCP traffic diversion so the backdoor receives operator commands on an arbitrary port that never appears in netstat (BleepingComputer, 2026-06-16). ESET notes limited, unconfirmed telemetry of a possible UEFI bootkit component (potentially CVE-2023-24932-class Secure Boot bypass).

Why it matters to us: Post-deployment detection is hard because the driver actively hides artefacts; the leverage is pre-deployment hygiene. Hunt scheduled-task creation (EID 4698 / Sysmon EID 1) referencing binaries under %SystemRoot%\Fonts\, Image File Execution Options hijacks of vds.exe, and kernel-driver loads (Sysmon EID 6) of drivers signed with PastDSE-derived certificates. Because TCP diversion defeats host network-tab inspection, rely on EDR kernel sensors / ETW for listening-socket enumeration. Validate that vulnerable/revoked drivers are blocked via WDAC/HVCI and the Microsoft vulnerable-driver blocklist.
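The three pre-deployment hunts named above, as an added example (this is not ESET's or ctipilot's code). It assumes an elevated PowerShell session on a Windows host with Sysmon logging driver loads (EID 6). The function names are this example's own; the driver file name fsdiskbit.sys comes from the brief, and the leaked-signer list is a placeholder you populate from your own copy of the PastDSE corpus, since a leaked but unrevoked certificate still reports SignatureStatus "Valid" at load time.

```powershell
# Added example, not the vendor's code. Requires an elevated session and Sysmon.

# Hunt 1: scheduled tasks whose action runs a binary under %SystemRoot%\Fonts\
function Find-FontsDirTask {
    $fontsDir = Join-Path $env:SystemRoot 'Fonts'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only ExecAction objects carry Execute/Arguments; expand %SystemRoot% style paths.
            $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -like "*$fontsDir*") {
                [pscustomobject]@{ Check = 'ScheduledTask-FontsDir'; Name = $task.TaskName; Path = $task.TaskPath; Detail = $cmd }
            }
        }
    }
}

# Hunt 2: Image File Execution Options 'Debugger' redirection of vds.exe (any value is suspect)
function Find-IfeoHijack {
    param([string[]]$Target = @('vds.exe'))
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in $Target) {
        $key = Join-Path $ifeoRoot $exe
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{ Check = 'IFEO-Debugger'; Name = $exe; Path = $key; Detail = $props.Debugger }
        }
    }
}

# Hunt 3: Sysmon EID 6 driver loads matching a watched file name, a watched signer, or a non-valid signature
function Find-SuspiciousDriverLoad {
    param(
        [string[]]$WatchImages  = @('fsdiskbit.sys'),
        [string[]]$WatchSigners = @('PLACEHOLDER-LEAKED-SIGNER'),   # fill from your PastDSE-derived list
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $leaf = Split-Path -Leaf $d['ImageLoaded']
        $reason = $null
        if ($WatchImages -contains $leaf)                     { $reason = 'watched driver name' }
        elseif ($WatchSigners -contains $d['Signature'])      { $reason = 'watched signer' }
        elseif ($d['SignatureStatus'] -ne 'Valid')            { $reason = "signature status: $($d['SignatureStatus'])" }
        if ($reason) {
            [pscustomobject]@{ Check = 'DriverLoad'; Name = $leaf; Path = $d['ImageLoaded']
                               Detail = "$reason; signer=$($d['Signature']); hashes=$($d['Hashes']); time=$($d['UtcTime'])" }
        }
    }
}

# Run all three and return a single result set for triage or export
function Invoke-PreDeployHunt {
    @(Find-FontsDirTask) + @(Find-IfeoHijack) + @(Find-SuspiciousDriverLoad)
}

Invoke-PreDeployHunt | Format-Table -AutoSize
```

Run it before assuming a host is clean: once the driver is resident these artefacts can be hidden from user-mode queries, so the hunt is only meaningful as a pre-deployment check or when run from an EDR kernel sensor's view, as the brief notes.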

Webworm (China-aligned; FishMonger / Aquatic Panda) — pivots to EU government targets

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

ESET documented Webworm's 2025–2026 pivot to European government victims (Belgian, Italian, Serbian, Polish and Spanish governmental organisations), deploying EchoCreep (Discord-based C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors (daily 2026-05-21). The use of Graph/OneDrive as C2 is the defender-relevant shift — it blends with legitimate M365 traffic. Hunt for anomalous Graph API usage patterns and Discord egress from server subnets that have no business reason to reach either.