{"id":16846,"date":"2026-07-18T14:29:20","date_gmt":"2026-07-18T14:29:20","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=16846"},"modified":"2026-07-18T14:29:21","modified_gmt":"2026-07-18T14:29:21","slug":"fishmongers-arsenal-upgraded-sprysocks-for-home-windows","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=16846","title":{"rendered":"FishMonger\u2019s arsenal upgraded: SprySOCKS for Home windows"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>ESET researchers have found two as-yet undocumented Home windows variants of <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.spry_socks\">SprySOCKS<\/a>, a beforehand Linux-only backdoor <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2023\/09\/earth-luscas-new-sprysocks-linux.html\">reportedly<\/a> utilized by FishMonger, the group believed to be operated by a Chinese language contractor named I\u2011SOON. Whereas we initially found the malware samples on VirusTotal, ESET telemetry exhibits actual exercise between 2023 and 2024, with a number of victims in Honduras, Taiwan, Thailand, and Pakistan, concentrating on principally authorities organizations.<\/p>\n<p>The Home windows variants found are internally marked as <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> and <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>. Each include a hardcoded C&amp;C configuration and help communication over TCP, UDP, and WebSocket protocols. The core backdoor performance for each consists of help for over 30 C&amp;C instructions, overlaying varied functionalities together with system data assortment, course of enumeration, in addition to service administration and file administration capabilities akin to itemizing, creating, deleting, and transferring recordsdata.<\/p>\n<p>Along with the core backdoor performance, the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model makes use of kernel drivers to cover the malware\u2019s community connections, processes, recordsdata, and registry keys, and allows TCP site visitors diversion permitting the malware operators to ship instructions to the backdoor by way of a random TCP port on the sufferer\u2019s gadget with out exposing the backdoor&#8217;s actual listening port within the community site visitors.<\/p>\n<p>Based mostly on ESET telemetry, there are restricted indications that some SprySOCKS assault eventualities could contain a UEFI bootkit element, presumably exploiting CVE\u20112023\u201124932.<\/p>\n<p>The evaluation supplied on this report leads us to attribute these new, Home windows variants to FishMonger with excessive confidence.<\/p>\n<blockquote>\n<p><strong>Key factors of this blogpost:<\/strong><\/p>\n<ul>\n<li>We found two beforehand undocumented Home windows variants of FishMonger\u2019s <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/elf.spry_socks\">SprySOCKS<\/a> backdoor.<\/li>\n<li>ESET telemetry exhibits exercise between 2023 and 2024, primarily concentrating on authorities organizations in Honduras, Taiwan, Thailand, and Pakistan.<\/li>\n<li>Each Home windows variants help communication over TCP, UDP, and WebSocket protocols, and implement over 30 instructions.<\/li>\n<li>The <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant creates a stealthy passive TCP backdoor, counting on a kernel driver to redirect site visitors to the backdoor\u2019s hidden TCP port at any time when specifically crafted knowledge is detected inside a acquired TCP packet.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>FishMonger profile<\/h2>\n<p>FishMonger \u2013 believed to be operated by a Chinese language contractor named I\u2011SOON (see our <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2023-q1-2024.pdf\" target=\"_blank\" rel=\"noopener\">This autumn 2023\u2013Q1 2024 APT Exercise Report<\/a>) \u2013 is a cyberespionage group that falls beneath the Winnti Group umbrella and is most probably working out of China, from town of Chengdu. It&#8217;s also often called Earth Lusca, TAG-22, Aquatic Panda, or Pink Dev 10. We <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/2020\/01\/31\/winnti-group-targeting-universities-hong-kong\/\" target=\"_blank\" rel=\"noopener\">revealed<\/a> an evaluation of FishMonger in early 2020 when it closely focused universities in Hong Kong through the civic protests that began in June 2019. The group can be identified to function watering-hole assaults, as reported by <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\" target=\"_blank\" rel=\"noopener\">Development Micro<\/a>. FishMonger\u2019s toolset consists of ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.<\/p>\n<h2>Technical evaluation<\/h2>\n<p>On this part, we offer a technical evaluation of those new, Home windows variants of FishMonger\u2019s SprySOCKS backdoor.<\/p>\n<p>The archive that led us to this discovery was uploaded to VirusTotal in April 2024 beneath the identify <span style=\"font-family: courier new, courier, monospace;\">klelam00007.zip<\/span>; its contents are proven in Determine\u00a01.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Contents of klelam00007.zip as displayed on VirusTotal\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-1.png\" alt=\"Figure 1. Contents of klelam00007.zip as displayed on VirusTotal\" width=\"\" height=\"\"\/><figcaption><em>Determine 1. Contents of <\/em><span style=\"font-family: courier new, courier, monospace;\">klelam00007.zip<\/span><em> as displayed on VirusTotal<\/em><\/figcaption><\/figure>\n<p>This archive incorporates varied recordsdata, together with official ones used to host DLL side-loading, and three suspicious-looking, encrypted recordsdata with <span style=\"font-family: courier new, courier, monospace;\">.dat<\/span> extensions. Our subsequent evaluation revealed that these encrypted recordsdata include a brand new, beforehand undocumented Home windows variant of FishMonger\u2019s SprySOCKS backdoor, labeled <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> by its builders. Additional investigation revealed a further backdoor model, labeled <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>, in ESET Telemetry.<\/p>\n<h3>Preliminary entry<\/h3>\n<p>FishMonger has been identified for concentrating on the public-facing servers of its victims, usually exploiting server-based N-day vulnerabilities, to realize preliminary entry. Whereas we weren&#8217;t capable of verify the precise method FishMonger obtained into its victims\u2019 programs on this marketing campaign, the presence of a server working system on a few of the sufferer units together with FishMonger\u2019s typical modus operandi recommend that the attackers could effectively have gotten in by way of misconfigured or unpatched public-facing functions.<\/p>\n<h3>SprySOCKS for Home windows<\/h3>\n<p>In September 2023, Development Micro revealed a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/i\/earth-lusca-employs-new-linux-backdoor.html\" target=\"_blank\" rel=\"noopener\">report<\/a> a few new FishMonger Linux backdoor that its analysts named SprySOCKS. The code of the backdoor is predicated on an open-source Home windows distant entry trojan (RAT) named <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/RamadhanAmizudin\/malware\/tree\/master\/Trochilus\" target=\"_blank\" rel=\"noopener\">Trochilus<\/a>, and shares a number of frequent traits with the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blogs.jpcert.or.jp\/en\/2017\/04\/redleaves---malware-based-on-open-source-rat.html\" target=\"_blank\" rel=\"noopener\">RedLeaves backdoor<\/a>; however, it was prolonged and modified sufficient to be thought of a brand new backdoor. On this report, we analyze two as but undisclosed Home windows variants of v1.8 of SprySOCKS:<\/p>\n<ul>\n<li>One has been named <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> by its builders and makes use of a kernel driver for superior stealth.<\/li>\n<li>One other, with out the driving force, is known as <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>.<\/li>\n<\/ul>\n<p>As proven in Determine\u00a02, the backdoor model sort and quantity are hardcoded within the binary.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Version type and number hardcoded in WIN_DRV (left) and WIN_PLUS (right) Windows SprySOCKS backdoor variants\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-2.png\" alt=\"Figure 2. Version type and number hardcoded in WIN_DRV and WIN_PLUS\" width=\"\" height=\"\"\/><figcaption><em>Determine 2. Model sort and quantity hardcoded in <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span><em> (left) and <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> (proper) Home windows SprySOCKS backdoor variants<\/em><\/figcaption><\/figure>\n<p>The overwhelming majority of artifacts and performance current within the Linux model of the SprySOCKS backdoor launched in Development Micro\u2019s <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html\">report<\/a> can be discovered within the newly found Home windows SprySOCKS variants described on this report. These embrace:<\/p>\n<ul>\n<li>the identical C&amp;C message format,<\/li>\n<li>very related C&amp;C instructions (plus some further ones),<\/li>\n<li>the identical encryption keys and algorithms, and<\/li>\n<li>the usage of the identical statically linked networking library (<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/ldcsaa\/HP-Socket\">HP-Socket<\/a>).<\/li>\n<\/ul>\n<p>For each of those new SprySOCKS variants, the core backdoor performance involving C&amp;C communication and accessible instructions could be very related. Essentially the most notable variations will be noticed in the best way the ultimate backdoor is loaded, within the improved stealthiness, and within the element names and paths used.<\/p>\n<p>Within the following subsections, we first analyze parts concerned within the execution chain of particular person SprySOCKS variants, after which we describe the backdoor element, which is usually the identical for each variants.<\/p>\n<h4>WIN_DRV parts<\/h4>\n<p>In an archive uploaded to VirusTotal, we found the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model of SprySOCKS, which comes with an empty C&amp;C configuration. Because of this, this model doesn&#8217;t actively contact any distant addresses; nevertheless, it&#8217;s nonetheless able to launching a TCP server on a random port on the sufferer\u2019s gadget, thus appearing as a passive backdoor. Apparently, the attackers don\u2019t must know this server\u2019s TCP port quantity as a result of, as defined later, the RawWNPF driver utilized by the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model permits silent diversion \u2013 to the backdoor itself \u2013 of TCP site visitors acquired on any open port (extra within the <em><a rel=\"nofollow\" target=\"_blank\" href=\"#RawWNPF driver\">RawWNPF driver<\/a> <\/em>part).<\/p>\n<p>As proven in Determine\u00a01, the archive containing the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model of SprySOCKS incorporates a number of recordsdata:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">klelam00007.bat<\/span> \u2013 a batch script accountable for persisting the backdoor. As proven in Determine 3, it:<\/li>\n<\/ul>\n<p style=\"margin-top: 1em; padding-left: 20px; font-size: 0.9em; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1.4em; flex-shrink: 0;\">\u25cb<\/span> <span style=\"margin: 0;\">copies all recordsdata from the present working listing into the <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFonts<\/span> listing (to perform correctly, the batch file must be deployed in the identical listing as the remainder of the recordsdata from the archive),<\/span><\/p>\n<p style=\"margin-top: 1em; padding-left: 20px; font-size: 0.9em; display: flex; align-items: flex-start; gap: 0.6em;\"><span style=\"color: #00a0a0; font-size: 1em; line-height: 1.4em; flex-shrink: 0;\">\u25cb<\/span> <span style=\"margin: 0;\">creates a scheduled process named <span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier<\/span>, configured to execute <span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier.exe<\/span> (which is a official, validly signed executable, renamed by the attackers to imitate the official Microsoft-signed <span style=\"font-family: courier new, courier, monospace;\">AppHostRegistrationVerifier.exe<\/span>) with <span style=\"font-family: courier new, courier, monospace;\">NT AUTHORITYSYSTEM<\/span> privileges on each system begin. The attackers use the well-known <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v15\/techniques\/T1574\/002\/\" target=\"_blank\" rel=\"noopener\">DLL side-loading<\/a> method, making the most of the best way Home windows masses DLLs, to load their very own malicious DLL (on this case <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span>) through the use of a official, signed software. To be particular, on this case the attackers use <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/r136a1.dev\/2025\/12\/03\/malware-sideloading-via-mfc-satellite-dlls\/\" target=\"_blank\" rel=\"noopener\">Malware Sideloading through MFC Satellite tv for pc DLLs<\/a> method (notice the <span style=\"font-family: courier new, courier, monospace;\">loc<\/span> string within the <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span> filename),<\/span><\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier.exe<\/span> \u2013 a official, ThinPrint\u2019 AutoConnect printer creation service signed executable (SHA\u20111: <span style=\"font-family: courier new, courier, monospace;\">FFC3AA7909D4E72C360D65A1F45260DFFE5C99B7<\/span>) that masses the <span style=\"font-family: courier new, courier, monospace;\">tpsvc.dll<\/span> library,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">tpsvc.dll<\/span> \u2013 a official, signed library that masses the <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span> library,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span> \u2013 the SprySOCKS backdoor loader,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">X1B5206BDC1743DD.dat<\/span> \u2013 an encrypted container comprising the SprySOCKS backdoor and copies of the subsequent two recordsdata,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">KX1B5206BDC1743DD.dat<\/span> \u2013 DriverLoader, an encrypted kernel driver accountable for loading one other kernel driver from <span style=\"font-family: courier new, courier, monospace;\">KW1B5206BDC1743FP.dat<\/span>, and<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">KW1B5206BDC1743FP.dat<\/span> \u2013 RawWNPF, an encrypted kernel driver accountable for hiding the backdoor\u2019s recordsdata and community exercise.<\/li>\n<\/ul>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor (newlines added for readability)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-3.png\" alt=\"Figure 3. klelam00007.bat setting up persistence for the SprySOCKS backdoor\" width=\"\" height=\"\"\/><figcaption><em>Determine 3. <\/em><span style=\"font-family: courier new, courier, monospace;\">klelam00007.bat<\/span><em> organising persistence for the SprySOCKS backdoor (newlines added for readability)<\/em><\/figcaption><\/figure>\n<p>Determine\u00a04 depicts the execution chain of the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. Execution chain of the SprySOCKS WIN_DRV variant\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-4.png\" alt=\"Figure 4. Execution chain of the SprySOCKS WIN_DRV variant\" width=\"\" height=\"\"\/><figcaption><em>Determine 4. Execution chain of the SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span><em> variant<\/em><\/figcaption><\/figure>\n<p>The next three subsections present technical analyses of the aforementioned parts: SprySOCKS loader, DriverLoader driver, and RawWNPF driver.<\/p>\n<h5>SprySOCKS loader<\/h5>\n<p>The loader begins with preliminary checks for the presence of a digital surroundings and some safety merchandise. It seems for particular libraries (particularly: <span style=\"font-family: courier new, courier, monospace;\">snxhk.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxWrapper.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxIn.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SXIn64.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">SbieDll.dll<\/span>) within the loader\u2019s course of, and exits if it finds any of them.<\/p>\n<p>As the subsequent step, it verifies whether or not persistence was set efficiently by the <span style=\"font-family: courier new, courier, monospace;\">klelam00007.bat<\/span> script, from Determine\u00a03. To take action, it checks whether or not the present loader\u2019s picture was loaded from the %SystemRootpercentFonts listing, and tries to entry the <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFontsX1B5206BDC1743DD.dat<\/span>, <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFonts\u200ctpsvc.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFontstpsvcloc.dll<\/span> recordsdata. If it finds that any of those recordsdata are usually not the place they&#8217;re speculated to be, it units up persistence by itself by:<\/p>\n<ul>\n<li>copying <span style=\"font-family: courier new, courier, monospace;\">X1B5206BDC1743DD.dat<\/span>, <span style=\"font-family: courier new, courier, monospace;\">tpsvc.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">ApphostRagistreationVerifier.exe<\/span> from the present working listing into the <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFonts<\/span> listing,<\/li>\n<li>registering the <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFontsApphostRagistreationVerifier.exe<\/span> software as a debugger for <span style=\"font-family: courier new, courier, monospace;\">vds.exe<\/span> (a Digital Disk Service that may be mechanically executed on system begin) by writing the applying\u2019s path into the registry worth <span style=\"font-family: courier new, courier, monospace;\">HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exedebugger<\/span>, and<\/li>\n<li>dropping the <span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span> file into the <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFonts<\/span> listing after which executing it through <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span>. This script, proven in Determine 5, clears traces of this course of by eradicating recordsdata from the deployment listing and executing the malware once more (now from <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFonts<\/span>) by restarting the <span style=\"font-family: courier new, courier, monospace;\">vds<\/span> service.<\/li>\n<\/ul>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. affair-build.bat executed by the SprySOCKS loader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-5.png\" alt=\"Figure 5. affair-build.bat executed by the SprySOCKS loader\" width=\"\" height=\"\"\/><figcaption><em>Determine 5. <\/em><span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span><em> executed by the SprySOCKS loader<\/em><\/figcaption><\/figure>\n<p>When persistence is about, the loader continues with loading payloads from an encrypted container situated at <span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFontsX1B5206BDC1743DD.dat<\/span>. The decryption algorithm and key: 128-bit AES in ECB mode with the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>.<\/p>\n<p>This produces shellcode generated by the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/killeven\/DllToShellCode\">DllToShellCode<\/a> open-source instrument. Earlier than executing the shellcode, it extracts the remainder of the encrypted payloads from the container into separate recordsdata:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFontsKX1B5206BDC1743DD.dat<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">%SystemRootpercentFontsKW1B5206BDC1743FP.dat<\/span><\/li>\n<\/ul>\n<p>When accomplished, the loader spawns a brand new svchost.exe course of utilizing <span style=\"font-family: courier new, courier, monospace;\">CreateProcessAsUserW<\/span> with a token obtained from <span style=\"font-family: courier new, courier, monospace;\">spoolsv.exe<\/span>, and injects the backdoor\u2019s shellcode into the method through the use of the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/013\/\">course of doppelg\u00e4nging<\/a> method. Throughout the injection course of, the shellcode is dropped into a short lived file, utilizing the prefix <span style=\"font-family: courier new, courier, monospace;\">TH<\/span> in its filename, inside the <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> listing.<\/p>\n<p>Because the final step, the loader proceeds to decrypt and execute DriverLoader, a kernel driver hidden contained in the beforehand dropped <span style=\"font-family: courier new, courier, monospace;\">KX1B5206BDC1743DD.dat<\/span> file. DriverLoader is first decrypted, then the decrypted contents are saved to <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32driversfsdiskbit.sys<\/span>. To execute it, the loader installs this driver as a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ifs\/filter-manager-concepts\">minifilter<\/a> driver by manually creating a brand new service registry key named msidiskserver with an <span style=\"font-family: courier new, courier, monospace;\">ImagePath<\/span> worth pointing to the dropped driver (as proven in Determine\u00a06) and invokes the <span style=\"font-family: courier new, courier, monospace;\">NtLoadDriver<\/span> Home windows API perform with the registry key because the parameter to load it. If no errors are detected, the loader deletes each the <span style=\"font-family: courier new, courier, monospace;\">msidiskserver<\/span> registry key and the <span style=\"font-family: courier new, courier, monospace;\">fsdiskbit.sys<\/span> file. After this, the loader is finished and exits.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Service registry key created by the SprySOCKS WIN_DRV loader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-6.png\" alt=\"Figure 6. Service registry key created by the SprySOCKS WIN_DRV loader\" width=\"\" height=\"\"\/><figcaption><em>Determine 6. Service registry key created by the SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span><em> loader<\/em><\/figcaption><\/figure>\n<h5>DriverLoader driver<\/h5>\n<p>Earlier than leaping to DriverLoader\u2019s performance, one essential notice: with the discharge of Home windows Vista, Microsoft launched driver signature enforcement (DSE), a function guaranteeing that solely validly signed kernel-mode parts are allowed to be executed within the Home windows kernel. Which means to execute the <span style=\"font-family: courier new, courier, monospace;\">fsdiskbit.sys<\/span> driver (DriverLoader), attackers must signal it with a trusted certificates.<\/p>\n<p>To make the driving force work on no less than some outdated or misconfigured programs, the attackers used a leaked certificates accessible on GitHub within the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/utoni\/PastDSE\/tree\/main\/certs\" target=\"_blank\" rel=\"noopener\">PastDSE<\/a> venture repository, and signed the <span style=\"font-family: courier new, courier, monospace;\">fsdiskbit.sys<\/span> driver with it. Details about the certificates used will be present in Determine\u00a07.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 65%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-7.png\" alt=\"Figure 7. DriverLoader\u2019s code-signing certificate\" width=\"\" height=\"\"\/><figcaption><em>Determine 7. DriverLoader\u2019s code-signing certificates<\/em><\/figcaption><\/figure>\n<p>Now to the performance. The aim of this element is kind of easy: to load one other driver, this time in reminiscence solely. First, it reads and decrypts the contents of the <span style=\"font-family: courier new, courier, monospace;\">C:WindowsFontsKW1B5206BDC1743FP.dat<\/span> file, beforehand created by the loader. It makes use of the identical algorithm and key as utilized by the loader: 128-bit AES in ECB mode with the important thing <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>. The decrypted knowledge incorporates a local PE binary (described within the <em><a rel=\"nofollow\" target=\"_blank\" href=\"#RawWNPF driver\">RawWNPF driver<\/a> <\/em>part), which is then manually mapped and its entry level executed.<\/p>\n<p>There&#8217;s the PDB path embedded within the DriverLoader binary:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">C:UsersxddDesktop\u4eca\u59292023-4-112023\u201104\u201110__\u6ce8\u518c\u8868\u9a71\u52a8\u52a0\u8f7d\u529f\u80fd__\u96c6\u6210\u5230\u5185\u6d4b3\u4e2d-\u672a\u5b8c\u6210DriverMemoryLoadDriverx64ReleaseDriverMemoryLoadDriver.pdb<\/span><\/p>\n<p>The components in simplified Chinese language machine translate as:<\/p>\n<ul>\n<li>\u4eca\u5929: At this time<\/li>\n<li>\u6ce8\u518c\u8868\u9a71\u52a8\u52a0\u8f7d\u529f\u80fd__\u96c6\u6210\u5230\u5185\u6d4b3\u4e2d-\u672a\u5b8c\u6210: Registry driver loading function__is built-in into inner beta 3-not accomplished<\/li>\n<\/ul>\n<p>As we are able to see within the symbols path, this element appears to have been in growth no less than since April 2023, which aligns with DriverLoader\u2019s compilation timestamp. Equally, strings within the path recommend that the venture this driver is a part of was seemingly nonetheless in growth when the driving force was compiled.<\/p>\n<h5>RawWNPF driver<a rel=\"nofollow\" target=\"_blank\" id=\"RawWNPF driver\"\/><\/h5>\n<p>The RawWNPF driver is the element that makes the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model of the SprySOCKS backdoor a lot stealthier when in comparison with the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant. It permits hiding the backdoor\u2019s malicious exercise on the compromised system, and will be configured by invoking the driving force\u2019s customized I\/O management codes (IOCTLs). The motive force creates a tool driver named <span style=\"font-family: courier new, courier, monospace;\">DeviceRawWNPF<\/span>; a listing of the accessible IOCTLs, with brief descriptions, is proven in Desk\u00a01.<\/p>\n<p style=\"text-align: center;\"><em>Desk\u00a01. Record of IOCTLs dealt with by the RawWNPF driver<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"94\"><strong>IOCTL<\/strong><\/td>\n<td width=\"548\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span><\/td>\n<td width=\"548\">Configure the driving force to cover lively community connections to and from the desired native TCP port.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220300<\/span><\/td>\n<td width=\"548\">Unhide the community connections configured with <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220340<\/span><\/td>\n<td width=\"548\">Insert an entry into the hidden connections listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220344<\/span><\/td>\n<td width=\"548\">Take away an entry from the hidden connections listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220348<\/span><\/td>\n<td width=\"548\">Wipe the entire hidden connections listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x22034C<\/span><\/td>\n<td width=\"548\">Learn the hidden connections listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220350<\/span><\/td>\n<td width=\"548\">Insert a course of with a specified PID into the hidden processes listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220354<\/span><\/td>\n<td width=\"548\">Take away a course of with a specified PID from the hidden processes listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x220358<\/span><\/td>\n<td width=\"548\">Wipe the entire hidden processes listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x22035C<\/span><\/td>\n<td width=\"548\">Learn the hidden processes listing.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x222000<\/span><\/td>\n<td width=\"548\">Initialize the driving force\u2019s important capabilities (hiding community connections, hiding processes, hiding malware parts, community filters, persistence safety). After this initialization, different IOCTLs can be utilized to configure what precisely needs to be hidden.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x222004<\/span><\/td>\n<td width=\"548\">Returns two hardcoded DWORD values: <span style=\"font-family: courier new, courier, monospace;\">1<\/span> and <span style=\"font-family: courier new, courier, monospace;\">2<\/span>. This presumably might be the driving force\u2019s model.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><span style=\"font-family: courier new, courier, monospace;\">0x222008<\/span><\/td>\n<td width=\"548\">Delete the driving force\u2019s binary (if it exists).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h6>Hiding specified processes<\/h6>\n<p>The RawWNPF driver will be configured to cover processes primarily based on their course of IDs, and a listing of hidden processes will be managed by invoking the driving force\u2019s IOCTLs <span style=\"font-family: courier new, courier, monospace;\">0x220358<\/span>, <span style=\"font-family: courier new, courier, monospace;\">0x22035C<\/span>, <span style=\"font-family: courier new, courier, monospace;\">0x220354<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">0x220350<\/span>. To cover a course of, the driving force hooks execution of the <span style=\"font-family: courier new, courier, monospace;\">NtQuerySystemInformation<\/span> system name and modifies its output if details about working processes is being retrieved (i.e., if <span style=\"font-family: courier new, courier, monospace;\">SystemProcessInformation<\/span> is handed to the <span style=\"font-family: courier new, courier, monospace;\">SystemInformationClass<\/span> parameter). If any of the processes retrieved by this API perform match a course of from the driving force\u2019s listing of hidden processes, the driving force removes this course of from the perform\u2019s output. The way in which the kernel driver hooks the <span style=\"font-family: courier new, courier, monospace;\">NtQuerySystemInformation<\/span> system name appears to be closely primarily based on supply code from the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/FiYHer\/InfinityHookPro\">InfinityHookPro<\/a> venture.<\/p>\n<h6>Hiding community exercise<\/h6>\n<p>The motive force will be configured to cover particular lively connections (with a specified IP, port, or mixture of each) in order that they received\u2019t be listed within the output of frequent community administration instruments akin to <span style=\"font-family: courier new, courier, monospace;\">netstat.exe<\/span>. That is achieved by a widely known method (e.g., <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/repnz.github.io\/posts\/autochk-rootkit-analysis\/#network-connections-hiding\">[1]<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/securelist.com\/ghostemperor-from-proxylogon-to-kernel-mode\/104407\/\">[2]<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/claudiouzelac\/rootkit.com\/blob\/c8869de5a947273c9c151b44aa39643a7fea531c\/cardmagic\/PortHidDemo_Vista.c\">[3]<\/a>, \u2026 ), the place attackers hook <span style=\"font-family: courier new, courier, monospace;\">IoCompletionRoutine<\/span> for IOCTL <span style=\"font-family: courier new, courier, monospace;\">0x12001B<\/span> contained in the <span style=\"font-family: courier new, courier, monospace;\">DeviceIoControl<\/span> perform of the <span style=\"font-family: courier new, courier, monospace;\">nsiproxy.sys<\/span> Home windows kernel driver. The code inside nsiproxy\u2019s <span style=\"font-family: courier new, courier, monospace;\">0x12001B<\/span> IOCTL handler is accountable for retrieving the listing of lively connections, and hooking its <span style=\"font-family: courier new, courier, monospace;\">IoCompletionRoutine<\/span> permits attackers to stroll by way of the retrieved listing, verify for the presence of particular ports, addresses, or each, and conceal the particular connection within the listing if a match is discovered. Determine\u00a08 exhibits the hook perform accountable for hiding community connections.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. Hex-Rays decompilation of nsiproxy\u2019s IoCompletionRoutine hook responsible for hiding network connections\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-8.png\" alt=\"Figure 8. Hex-Rays decompilation of nsiproxy\u2019s IoCompletionRoutine hook\" width=\"\" height=\"\"\/><figcaption><em>Determine 8. Hex-Rays decompilation of nsiproxy\u2019s <\/em><span style=\"font-family: courier new, courier, monospace;\">IoCompletionRoutine<\/span><em> hook accountable for hiding community connections<\/em><\/figcaption><\/figure>\n<p>Along with the hiding of lively community connections, the driving force incorporates an fascinating performance permitting it to divert TCP packets acquired on any open TCP port, to the desired TCP port configured by the IOCTL <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span> (it\u2019s truly the port of the SprySOCKS backdoor\u2019s TCP server), however solely within the case that the TCP knowledge acquired incorporates specifically crafted knowledge. To attain this, the driving force registers its personal packet filter objects utilizing Home windows Filtering Platform (WFP) API capabilities, manually parses contents of transferred IPv4 packets (each inbound and outbound site visitors is inspected), and proceeds to divert the site visitors if the specifically crafted knowledge is detected inside a acquired TCP packet knowledge. The aim of this function appears to be primarily a functionality to contact the malicious backdoor with out the necessity to embed a C&amp;C tackle contained in the binary. Moreover, despite the fact that such diverted site visitors will be inspected utilizing instruments akin to Wireshark, the actual port (the one the site visitors is diverted to) is just not revealed; thus it may be tough to analyze the actual vacation spot for this malicious site visitors.<\/p>\n<p>Put in packet filters, together with their figuring out data, are listed in Desk\u00a02.<\/p>\n<p style=\"text-align: center;\"><em>Desk\u00a02. WFP filter objects registered by the RawWNPF driver<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"160\"><strong>Filter layer identify<\/strong><\/td>\n<td width=\"265\"><strong>Filter object identify and GUID<\/strong><\/td>\n<td width=\"218\"><strong>Filter object callout identify and GUID<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">Inbound IP Packet v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Supply Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{E980088D-BE44-4057-8E5C-C7FDF8968795}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COInbound<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{DE0D7F67-94ED-4DDB-8215-9C028B54661B}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">Outbound IP Packer v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Supply Optimization (TCP-Out)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{33F76397-DBCB-445E-8EC3-AA51ED302D15}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COOutbound<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{8280DDF3-7489\u20114402-B9D8-96B50912346B}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE Join v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Supply Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{5746AF70-2917\u20114861-97E6-D5E4DD569F2D}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthConnect<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{A33E1AA8-9B0F-44A3-B24A-AEB04CA54C3B}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE Hear v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Supply Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{7CB4DFB4-0D20-402D-A49D-BA9660D026E6}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthListen<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{40045FAF-6BAE-4B48-9119\u201131B48FFEA629}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE Obtain\/Settle for v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Supply Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{2C1AB6EF-0B65-4634\u20118666-BCB2CF9C72E9}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthAccept<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{DDFE5189\u2011389F-437F-9B92-59495ED2181A}<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"160\"><span style=\"font-family: courier new, courier, monospace;\">ALE ResourceAssignment v4 Layer<\/span><\/td>\n<td width=\"265\"><span style=\"font-family: courier new, courier, monospace;\">Supply Optimization (TCP-In)<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{B4AE248F-98D5-446F-88EB-14CF605AE722}<\/span><\/td>\n<td width=\"218\"><span style=\"font-family: courier new, courier, monospace;\">COAuthResAssignment<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">{FE570356-A1A9-413C-94CC-BD6C448E9969}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h6>Hiding the backdoor\u2019s recordsdata<\/h6>\n<p>The motive force hides\/protects the SprySOCKS backdoor\u2019s recordsdata by registering itself as a minifilter driver, and putting in the next callbacks:<\/p>\n<ul>\n<li>pre-operation callback triggered on each <span style=\"font-family: courier new, courier, monospace;\">IRP_MJ_CREATE<\/span> I\/O request and accountable for returning <span style=\"font-family: courier new, courier, monospace;\">STATUS_NO_SUCH_FILE<\/span> on each try and create or open a file or a listing from the driving force\u2019s listing of hidden\/protected recordsdata,<\/li>\n<li>pre-operation callback triggered on each <span style=\"font-family: courier new, courier, monospace;\">IRP_MJ_DIRECTORY_CONTROL I\/O<\/span> request and accountable for filtering out non-directory-enumeration associated requests, in order that solely those associated to listing enumeration are handed to the post-operation callback, and<\/li>\n<li>post-operation callback triggered on <span style=\"font-family: courier new, courier, monospace;\">IRP_MJ_DIRECTORY_CONTROL I\/O<\/span> requests that handed pre-operation callback checks. This callback is accountable for eradicating entries of hidden\/protected recordsdata from any listing itemizing makes an attempt.<\/li>\n<\/ul>\n<p>The next hardcoded listing of filenames are protected by the driving force:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">SystemRootFontstpsvc.dll<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SystemRootFontstpsvcloc.dll<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SystemRootFontsApphostRagistreationVerifier.exe<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SystemRootFontsX1B5206BDC1743DD.dat<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SystemRootFontsKX1B5206BDC1743DD.dat<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SystemRootFontsKW1B5206BDC1743FP.dat<\/span><\/li>\n<\/ul>\n<h6>Defending persistence<\/h6>\n<p>The motive force calls <span style=\"font-family: courier new, courier, monospace;\">CmRegisterCallbackEx<\/span> to put in a <span style=\"font-family: courier new, courier, monospace;\">RegistryCallback<\/span> routine accountable for hiding the registry key used for the SprySOCKS loader\u2019s persistence: <span style=\"font-family: courier new, courier, monospace;\">HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exe<\/span>. Because of this, all makes an attempt to open or enumerate the important thing are filtered out by the driving force.<\/p>\n<h4>WIN_PLUS parts<\/h4>\n<p>Within the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> model, we first found the malicious encrypted container in our telemetry, with the primary hit courting again to July 2024 discovered on the gadget of a sufferer in Pakistan. It contained the SprySOCKS backdoor and the SprySOCKS loader. The C&amp;C configuration was current and is proven in Determine\u00a09.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. C&amp;C configuration from the WIN_PLUS version of SprySOCKS\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-9.png\" alt=\"Figure 9. C&amp;C configuration from the WIN_PLUS version of SprySOCKS\" width=\"\" height=\"\"\/><figcaption><em>Determine 9. C&amp;C configuration from the <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> model of SprySOCKS<\/em><\/figcaption><\/figure>\n<p>The encrypted container was situated on the following path on the compromised system:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spooldriverscolorconfig.dat<\/span><\/p>\n<p>When decrypted, the container incorporates a SprySOCKS loader and the SprySOCKS backdoor itself. Additional evaluation of the SprySOCKS backdoor from the container confirmed that, on this case, there appeared to be a further element accountable for loading the SprySOCKS loader from the encrypted container. This element \u2013 referenced to because the first-stage loader on this evaluation \u2013 needs to be put in as a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/012\/\">print processor<\/a> beneath the next registry key:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsVSPMsg<\/span><\/p>\n<p>Apparently, after we searched our telemetry for something associated to this <span style=\"font-family: courier new, courier, monospace;\">VSPMsg<\/span> string, we found a file deployed on two completely different sufferer units from Honduras at <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spoolprtprocsx64VSPMsg.dll<\/span>. This file turned out to be the first-stage loader accountable for executing the SprySOCKS loader from the aforementioned <span style=\"font-family: courier new, courier, monospace;\">config.dat<\/span> file.<\/p>\n<p>An execution diagram of the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant is illustrated in Determine\u00a010.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 10. SprySOCKS WIN_PLUS variant execution scheme\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-10.png\" alt=\"Figure 10. SprySOCKS WIN_PLUS variant execution scheme\" width=\"\" height=\"\"\/><figcaption><em>Determine 10. SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> variant execution scheme<\/em><\/figcaption><\/figure>\n<h5>First-stage loader<\/h5>\n<p>This loader begins by checking whether or not it was executed by <span style=\"font-family: courier new, courier, monospace;\">spoolsv.exe<\/span>, and exits if not; this hides its conduct from automated malware evaluation sandboxes, because the loader is meant to be run as a print processor. It continues decrypting the SprySOCKS loader from the encrypted container <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spooldrivers\u200ccolorconfig.dat<\/span>. First it 128-bit AES-ECB decrypts the loader with the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>, then injects it into the newly created <span style=\"font-family: courier new, courier, monospace;\">svchost.exe<\/span> course of through <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/013\/\">course of doppelg\u00e4nging<\/a>. In the meantime, the SprySOCKS loader is dropped into a short lived file, with a filename prefix of <span style=\"font-family: courier new, courier, monospace;\">TH<\/span>, inside the <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> listing.<\/p>\n<p>The pattern exports two capabilities:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">GetErrorMessageModule<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">SetErrorMessageModule<\/span><\/li>\n<\/ul>\n<p>Whereas the <span style=\"font-family: courier new, courier, monospace;\">SetErrorMessageModule<\/span> perform doesn&#8217;t do something, the <span style=\"font-family: courier new, courier, monospace;\">GetErrorMessageModule<\/span> perform is supposed for use to set persistence for the loader itself. When executed, it registers the loader as a print processor by creating the <span style=\"font-family: courier new, courier, monospace;\">HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsVSPMsg<\/span> registry key, setting the <span style=\"font-family: courier new, courier, monospace;\">Driver<\/span> registry worth to <span style=\"font-family: courier new, courier, monospace;\">VSPMsg.dll<\/span>, and copying the hardcoded <span style=\"font-family: courier new, courier, monospace;\">C:ProgramDataMicrosoft EventPFsVSPMsg.dll<\/span> to the <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spoolprtprocsx64<\/span> listing. As the subsequent step, it copies the encrypted container from <span style=\"font-family: courier new, courier, monospace;\">C:ProgramDataMicrosoft EventPFsconfig.dat<\/span> to <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spooldriverscolorconfig.dat<\/span> and, when accomplished, it generates and drops the <span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span> batch script into the <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spooldriverscolor<\/span> listing and executes it. As proven in Determine\u00a011, this script\u2019s goal is to cowl the loader\u2019s tracks by eradicating the recordsdata within the unique deployment listing, and triggering execution of the newly put in print processor by restarting the print spooler service.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 11. affair-build.bat batch script used by the first-stage SprySOCKS WIN_PLUS loader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-11.png\" alt=\"Figure 11. affair-build.bat batch script used by the first-stage SprySOCKS WIN_PLUS loader\" width=\"\" height=\"\"\/><figcaption><em>Determine 11. <\/em><span style=\"font-family: courier new, courier, monospace;\">affair-build.bat<\/span><em> batch script utilized by the first-stage SprySOCKS <\/em><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span><em> loader<\/em><\/figcaption><\/figure>\n<h5>SprySOCKS loader<\/h5>\n<p>This loader begins by making a mutex with the hardcoded identify <span style=\"font-family: courier new, courier, monospace;\">fqwhi2d1qaz2<\/span>, after which proceeds to loading the SprySOCKS backdoor from the encrypted container situated at <span style=\"font-family: courier new, courier, monospace;\">C:WindowsSystem32spooldriverscolor\u200cconfig.dat<\/span>. It 128-bit AES-ECB decrypts the backdoor with the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">uXQLESMXGaRMs6BL<\/span>, then injects it into the newly created svchost.exe course of through <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/013\/\">course of doppelg\u00e4nging<\/a>. In the meantime, the SprySOCKS loader is dropped into a short lived file, with a filename prefix of <span style=\"font-family: courier new, courier, monospace;\">TH<\/span>, inside the <span style=\"font-family: courier new, courier, monospace;\">%TEMP%<\/span> listing.<\/p>\n<h4>SprySOCKS backdoor<\/h4>\n<p>Lastly, we proceed to our evaluation of the SprySOCKS backdoor itself. In each variants, <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> and <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>, the backdoor performance is sort of the identical, and the variations are solely within the particular file paths used, registry keys used, and as already talked about, the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> model doesn&#8217;t use the RawWNPF driver for superior stealthiness.<\/p>\n<p>Each variants analyzed on this report are DLLs with the unique identify <span style=\"font-family: courier new, courier, monospace;\">PrcsServer.dll<\/span>, exporting a perform named <span style=\"font-family: courier new, courier, monospace;\">Cease<\/span>. They create a mutex named <span style=\"font-family: courier new, courier, monospace;\">prcs-server-run<\/span> at first and proper after that proceed to the initialization of the backdoor\u2019s important performance, which incorporates initialization and launching of C&amp;C communication channels (primarily based on the hardcoded configuration) and organising the keylogger. Along with these actions, the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> backdoor model initializes the RawWNPF driver by invoking its <span style=\"font-family: courier new, courier, monospace;\">0x222000<\/span> IOCTL handler, after which hides its personal course of by invoking the driving force\u2019s <span style=\"font-family: courier new, courier, monospace;\">0x220350<\/span> IOCTL.<\/p>\n<p>Keylogging is activated provided that there may be an current INI file at <span style=\"font-family: courier new, courier, monospace;\">%appdatapercentMicrosoftVaultlgf.dat<\/span> that incorporates a <span style=\"font-family: courier new, courier, monospace;\">config<\/span> part with a property named <span style=\"font-family: courier new, courier, monospace;\">key<\/span> that&#8217;s set to <span style=\"font-family: courier new, courier, monospace;\">1<\/span>. If these circumstances are met, each backdoors create a mutex named <span style=\"font-family: courier new, courier, monospace;\">World{DCAA7ED8-521B-4EAB-BE21-65254CF59239}<\/span> and periodically log clipboard knowledge together with the lively window title and keystrokes into the file <span style=\"font-family: courier new, courier, monospace;\">%appdatapercentMicrosoftVaultlg.dat<\/span>. The information within the file is encrypted utilizing a single-byte XOR cipher with the important thing <span style=\"font-family: courier new, courier, monospace;\">0x44<\/span>.<\/p>\n<h5>C&amp;C communication<\/h5>\n<p>The backdoor helps three protocols for communication with the C&amp;C \u2013 TCP, UDP, and WebSocket \u2013 and may act as each shopper and server. The networking-related performance is closely primarily based on the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/ldcsaa\/HP-Socket\/tree\/master\">HP-Socket<\/a> networking framework, and a few cryptography capabilities had been applied utilizing the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/weidai11\/cryptopp\/tree\/master\">Crypto++<\/a> library.<\/p>\n<p>The C&amp;C configuration is embedded within the backdoor, and may include:<\/p>\n<ul>\n<li>as much as three IP addresses and related ports, every specifying a C&amp;C IP tackle and its port for one of many communication channels (TCP, UDP, or WebSocket), and<\/li>\n<li>as much as three port numbers, every specifying a port the backdoor ought to pay attention on for brand spanking new connections. One is used for a TCP server, one for a UDP server, and one for a WebSocket server.<\/li>\n<\/ul>\n<p>An instance configuration from the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> model is proven in Determine\u00a09 and it incorporates:<\/p>\n<ul>\n<li>The C&amp;C tackle and port for the TCP communication channel: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36:443<\/span>.<\/li>\n<li>The C&amp;C tackle and port for the UDP communication channel: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36:53<\/span>.<\/li>\n<li>The C&amp;C tackle and port for the WebSocket communication channel: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36:80<\/span>.<\/li>\n<li>The backdoor\u2019s TCP server listening port: <span style=\"font-family: courier new, courier, monospace;\">53781<\/span>.<\/li>\n<\/ul>\n<p>Earlier than initiating any connections or beginning a server, the SprySOCKS <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model hides any connections from\/to the addresses or ports from the configuration by invoking the RawWNPF driver\u2019s IOCTLs <span style=\"font-family: courier new, courier, monospace;\">0x220340<\/span> and <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span>. Because of this, these connections received\u2019t be listed in output of instruments akin to <span style=\"font-family: courier new, courier, monospace;\">netstat.exe<\/span>, regardless of being lively. As well as, each backdoor variations execute the <span style=\"font-family: courier new, courier, monospace;\">netsh.exe<\/span> utility twice:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">netsh.exe netsh advfirewall firewall delete rule identify=&#8221;Core Networking &#8211; Packet Too Huge(ICMPv6 &#8211; In)&#8221;<\/span><\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">netsh advfirewall firewall add rule identify=&#8221;Core Networking &#8211; Packet Too Huge(ICMPv6 &#8211; In)&#8221; dir=in motion=enable protocol=tcp localport=53781<\/span><\/p>\n<p>The primary command deletes a specified firewall rule, and the second provides a brand new firewall rule of the identical identify because the one simply deleted, permitting all inbound TCP site visitors despatched to the backdoor\u2019s TCP server port specified within the configuration.<\/p>\n<p>If the C&amp;C configuration is empty (as within the case of the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> model we found on VirusTotal), the backdoor begins a TCP server that listens on a random port on the compromised machine and in addition hides this port by invoking the RawWNPF driver\u2019s IOCTL <span style=\"font-family: courier new, courier, monospace;\">0x220200<\/span>. This invocation not solely hides the TCP server from being listed in customary networking instruments\u2019 output, but in addition prompts the TCP-diverting function supplied by the RawWNPF driver. This function permits attackers to ship instructions to the backdoor with out realizing the actual port the backdoor listens on, just by sending specifically crafted TCP knowledge to any open TCP port on the sufferer\u2019s machine.<\/p>\n<p>For the TCP communication channel, the C&amp;C protocol appears to stay the identical as within the Linux model analyzed in Development Micro\u2019s <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/i\/earth-lusca-employs-new-linux-backdoor.html\">report<\/a>. Every time earlier than sending the precise backdoor\u2019s knowledge, it sends a 12-byte header containing the 32-bit CRC of the remainder of the header, a DWORD magic worth <span style=\"font-family: courier new, courier, monospace;\">0xACACBCBC<\/span>, and a DWORD specifying the scale of the info that follows the header.<\/p>\n<p>For the UDP and WebSocket channels, the magic values are completely different, and so are the message header format and measurement. For the UDP channel, the magic worth is <span style=\"font-family: courier new, courier, monospace;\">0xACACBFBC<\/span> and it\u2019s situated at offset <span style=\"font-family: courier new, courier, monospace;\">0x1C<\/span> in a 36-byte header, adopted by a DWORD specifying the scale of the info that follows. Within the WebSocket channel, the magic worth <span style=\"font-family: courier new, courier, monospace;\">0x1BDCCBAA<\/span> is used as a <span style=\"font-family: courier new, courier, monospace;\">Masking-Key<\/span> within the WebSocket <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc6455#section-5.2\">header<\/a>. Determine\u00a012 exhibits a community site visitors seize with the magic values for every of the communication channels.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 12. SprySOCKS network-traffic capture showing the magic values used in TCP, UDP, and WebSocket (from top to bottom, respectively) C&amp;C communication channels\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-12.png\" alt=\"Figure 12. SprySOCKS network-traffic capture showing the magic values\" width=\"\" height=\"\"\/><figcaption><em>Determine 12. SprySOCKS network-traffic seize displaying the magic values utilized in TCP, UDP, and WebSocket (from high to backside, respectively) C&amp;C communication channels<\/em><\/figcaption><\/figure>\n<p>Following the header is, once more, a 32-bit CRC, then the WORD worth <span style=\"font-family: courier new, courier, monospace;\">0x0003<\/span> (seemingly indicating the encryption methodology), adopted by 128-bit AES-ECB mode encrypted knowledge (utilizing the hardcoded key <span style=\"font-family: courier new, courier, monospace;\">QFTHEYjzX3RBOMgZ<\/span>) that has been base64 encoded.<\/p>\n<p>An instance of a C&amp;C message earlier than and after decoding and decryption is proven in Determine\u00a013.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 13. Example SprySOCKS C&amp;C message as seen in Wireshark (left), and its contents after decoding and decryption (right)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/sprysocks\/figure-13.png\" alt=\"Figure 13. Example SprySOCKS C&amp;C message\" width=\"\" height=\"\"\/><figcaption><em>Determine 13. Instance SprySOCKS C&amp;C message as seen in Wireshark (left), and its contents after decoding and decryption (proper)<\/em><\/figcaption><\/figure>\n<p>The <span style=\"font-family: courier new, courier, monospace;\">__msgid<\/span> worth within the decrypted C&amp;C message is used to specify a command, recognized by a message ID, that needs to be executed by the backdoor. The listing of message IDs supported by the backdoor, together with their description, will be present in Desk\u00a03. Observe that we haven\u2019t analyzed all these instructions in depth; due to this fact, some descriptions are only a tough overview of the a part of the code\/performance the message ID is expounded to.<\/p>\n<p style=\"text-align: center;\"><em>Desk\u00a03. SprySOCKS C&amp;C instructions; descriptions marked with * are tentative assessments<\/em><\/p>\n<table style=\"height: 774px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><strong>Message\u00a0ID<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"558\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x09<\/span><\/td>\n<td style=\"height: 72px;\" width=\"558\">Acquire shopper (sufferer) system data, together with: laptop identify, OS model, community adapter data, details about reminiscence, CPU data, present privileges, system language and model, present time, and the backdoor model (<span style=\"font-family: courier new, courier, monospace;\">1.8<\/span>) and model sort (<span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> or <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span>).<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0A<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Begin an interactive console.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0B<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Write into the interactive console.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0D<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Cease the interactive console.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0E<\/span><\/td>\n<td style=\"height: 36px;\" width=\"558\">Specify a further communication channel (don&#8217;t begin the channel). Prone to specify a further backup C&amp;C.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x0F<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Ship C&amp;C message to a distinct goal.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x11<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate all processes.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x12<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate modules of a course of specified by a PID.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x13<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Terminate a course of specified by a PID.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x14<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Shut all connections.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x16<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Get present communication channel data.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x17<\/span><\/td>\n<td style=\"height: 36px;\" width=\"558\">Specify further communication channels (TCP, UDP, or WebSocket) and begin them.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x19<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Uninstall the backdoor and exit.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x1E<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate all companies.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x1F<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Configure <span style=\"font-family: courier new, courier, monospace;\">StartType<\/span> for a specified service.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x20<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Begin companies with a specified identify.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x21<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Invoke the <span style=\"font-family: courier new, courier, monospace;\">ControlService<\/span> perform with a specified <span style=\"font-family: courier new, courier, monospace;\">dwControl<\/span> parameter.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x22<\/span><\/td>\n<td style=\"height: 36px;\" width=\"558\">Delete a specified service from the service supervisor. This doesn&#8217;t cease the service if it\u2019s working.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x23<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Initialize SOCKS proxy.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x24<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Terminate SOCKS proxy.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x25<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Ship knowledge by way of SOCKS proxy.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x26<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">SOCKS proxy-related command.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2A<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Add a specified file.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2B<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">File-transfer-related helper command.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2C<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Obtain a specified file.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x2D<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">File-transfer-related helper command.*<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3C<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Enumerate free disk house.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3D<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Record recordsdata within the specified listing.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3E<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Delete a specified file.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x3F<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Create a specified listing.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x40<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Rename a specified file.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x41<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Execute an current file.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x42<\/span><\/td>\n<td style=\"height: 18px;\" width=\"558\">Copy a specified file.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"85\"><span style=\"font-family: courier new, courier, monospace;\">0x43<\/span><\/td>\n<td style=\"height: 54px;\" width=\"558\">Record recordsdata from the <span style=\"font-family: courier new, courier, monospace;\">Latest<\/span> Home windows directories for the logged-in person:<br \/><span style=\"font-family: courier new, courier, monospace;\">%APPDATApercentMicrosoftWindowsRecent<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">%APPDATApercentMicrosoftOfficeRecent<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Community infrastructure<\/h2>\n<p>Just one C&amp;C tackle has been found on this marketing campaign: <span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36<\/span>, hardcoded within the configuration (proven in Determine\u00a09) of the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant of the SprySOCKS backdoor.<\/p>\n<p>Ports from the configuration that needs to be utilized by the backdoor to speak with the C&amp;C:<\/p>\n<ul>\n<li>TCP: <span style=\"font-family: courier new, courier, monospace;\">443<\/span><\/li>\n<li>UDP: <span style=\"font-family: courier new, courier, monospace;\">53<\/span><\/li>\n<li>WebSocket: <span style=\"font-family: courier new, courier, monospace;\">80<\/span><\/li>\n<\/ul>\n<p>As talked about in Development Micro\u2019s report, the IP tackle <span style=\"font-family: courier new, courier, monospace;\">207.148.75[.]122<\/span>, from the identical IP vary <span style=\"font-family: courier new, courier, monospace;\">207.148.64.0\/20<\/span> because the C&amp;C above, was utilized by FishMonger operators as a SprySOCKS supply server in June 2023. This IP vary belongs to the Vultr cloud internet hosting supplier.<\/p>\n<h2>Conclusion<\/h2>\n<p>The invention of a Home windows variant of SprySOCKS, beforehand often called Linux-only backdoor, represents a significant enlargement of FishMonger&#8217;s cross-platform capabilities. Our evaluation exhibits that the Home windows port retains many of the core structure of its Linux predecessor \u2013 together with the C&amp;C protocol, encryption used, and total command dealing with logic \u2013 whereas substituting Home windows-native mechanisms the place required and bettering the stealthiness of the backdoor by bringing the kernel drivers to the sport. Contemplating the restricted indications of attainable UEFI bootkit involvement, we advise everybody to maintain a detailed eye on the group\u2019s actions.<\/p>\n<blockquote>\n<div><em>For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at <a rel=\"nofollow\" target=\"_blank\" style=\"background-color: #f4f4f4;\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/fishmongers-arsenal-upgraded-sprysocks-windows\/mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.\u00a0<\/em><\/div>\n<div><em>ESET Analysis provides non-public APT intelligence studies and knowledge feeds. For any inquiries about this service, go to the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=fishmongers-arsenal-upgraded-sprysocks-windows&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Risk Intelligence<\/a> web page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<h3>Recordsdata<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA\u20111<\/strong><\/td>\n<td width=\"104\"><strong>Filename<\/strong><\/td>\n<td width=\"132\"><strong>Detection<\/strong><\/td>\n<td width=\"227\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">955BFC3DCC867256F9F4<wbr\/>6A606DEB0779FA3416D8<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">KX1B5206BDC<wbr\/>1743DD.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted SprySOCKS DriverLoader driver.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">44DC4A08C5EB0972C8E1<wbr\/>8B0E01284E06F09006BB<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">bthcam.sys<\/span><\/td>\n<td width=\"132\">Win64\/Agent.ESB<\/td>\n<td width=\"227\">SprySOCKS DriverLoader driver.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">AB87B29B6F79487C75CA<wbr\/>08D102E79001E536F083<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">KW1B5206BDC<wbr\/>1743FP.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted SprySOCKS RawWNPF driver.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">6490B8E4AADE25A3EE2D<wbr\/>A9A47F312DB2122470BC<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">X1B5206BDC1<wbr\/>743DD.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted container of the encrypted <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant of SprySOCKS backdoor, encrypted SprySOCKS RawWNPF and SprySOCKS DriverLoader drivers.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">E7484C24B88A1A2407A8<wbr\/>F09D734F9A993670285B<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">klelam00007<wbr\/>.zip<\/span><\/td>\n<td width=\"132\">Win64\/Agent.CXZ<br \/>Win64\/SprySOCKS.A<br \/>BAT\/Runner.KS<\/td>\n<td width=\"227\">ZIP archive from VirusTotal containing the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant of SprySOCKS, together with all of the backdoor&#8217;s parts; clear binaries used for side-loading are included.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">621D1952839BE4B0A1B0<wbr\/>E66E87BCE5062CA368ED<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">tpsvcloc.dll<\/span><\/td>\n<td width=\"132\">Win64\/Agent.CXZ<\/td>\n<td width=\"227\">SprySOCKS loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">2457EED2AB28E37741F1<wbr\/>0914EF929DAD2C8079D4<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">VSPMsg.dll<\/span><\/td>\n<td width=\"132\">Win64\/Agent.CXZ<\/td>\n<td width=\"227\">First-stage loader accountable for launching the SprySOCKS loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">D2C706B1EAF662BF0CE1<wbr\/>24B5032F73ED84BDA24A<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\"><span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant of the SprySOCKS backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5F3B87CEF56683D9A9E1<wbr\/>9186E0FD0D8019B559C4<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"132\">Win64\/Agent.CXZ<\/td>\n<td width=\"227\">SprySOCKS loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C793CA31E3F6628B5C89<wbr\/>86146953BF66232E9A30<\/span><\/td>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">config.dat<\/span><\/td>\n<td width=\"132\">Win64\/SprySOCKS.A<\/td>\n<td width=\"227\">Encrypted container of the <span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant of the SprySOCKS backdoor and its loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">037DB2445F3D72388CB2<wbr\/>CF8510563148E5A184BE<\/span><\/td>\n<td width=\"104\">N\/A<\/td>\n<td width=\"132\">BAT\/Runner.KS<\/td>\n<td width=\"227\">Batch script that persists the <span style=\"font-family: courier new, courier, monospace;\">WIN_DRV<\/span> variant of SprySOCKS.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Community<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"141\"><strong>IP<\/strong><\/td>\n<td width=\"76\"><strong>Area<\/strong><\/td>\n<td width=\"132\"><strong>Internet hosting supplier<\/strong><\/td>\n<td width=\"76\"><strong>First\u00a0seen<\/strong><\/td>\n<td width=\"218\"><strong>Particulars<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"141\"><span style=\"font-family: courier new, courier, monospace;\">207.148.78[.]36<\/span><\/td>\n<td width=\"76\">N\/A<\/td>\n<td width=\"132\">IRT\u2011CHOOPALLC\u2011AP<\/td>\n<td width=\"76\">N\/A<\/td>\n<td width=\"218\">C&amp;C IP hardcoded within the SprySOCKS backdoor (<span style=\"font-family: courier new, courier, monospace;\">WIN_PLUS<\/span> variant).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK strategies<\/h2>\n<p>This desk was constructed utilizing <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">model 19<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/p>\n<table style=\"height: 2226px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px; width: 107px;\" width=\"113\"><strong>Tactic<\/strong><\/td>\n<td style=\"height: 18px; width: 70px;\" width=\"113\"><strong>ID<\/strong><\/td>\n<td style=\"height: 18px; width: 148px;\" width=\"151\"><strong>Identify<\/strong><\/td>\n<td style=\"height: 18px; width: 302px;\" width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 90px;\">\n<td style=\"height: 162px; width: 107px;\" rowspan=\"2\" width=\"113\"><strong>Reconnaissance<\/strong><\/td>\n<td style=\"height: 90px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1592\/004\">T1592.004<\/a><\/td>\n<td style=\"height: 90px; width: 148px;\" width=\"151\">Collect Sufferer Host Info: Consumer Configurations<\/td>\n<td style=\"height: 90px; width: 302px;\" width=\"265\">SprySOCKS can gather details about the compromised gadget, together with: laptop identify, OS model, details about reminiscence and CPU, present privileges, system language and model, present time, and extra.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1590\/005\">T1590.005<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Collect Sufferer Community Info: IP Addresses<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS can gather details about the compromised gadget, together with details about community interfaces and assigned IP addresses.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 107px;\" width=\"113\"><strong>Useful resource Improvement<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1587\/001\">T1587.001<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Develop Capabilities: Malware<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">FishMonger has developed customized malware for its operations, together with the SprySOCKS backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 73px;\">\n<td style=\"height: 181px; width: 107px;\" rowspan=\"4\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td style=\"height: 73px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1059\/003\">T1059.003<\/a><\/td>\n<td style=\"height: 73px; width: 148px;\" width=\"151\">Command and Scripting Interpreter: Home windows Command Shell<\/td>\n<td style=\"height: 73px; width: 302px;\" width=\"265\">SprySOCKS can launch an interactive <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span> command shell, which permits the attackers to execute instructions remotely on the compromised machine.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1053\/005\">T1053.005<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Scheduled Process\/Job: Scheduled Process<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS makes use of a scheduled process to execute its loader on system begin.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1569\/002\">T1569.002<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">System Providers: Service Execution<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS abuses system companies for each one-time and chronic execution.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1106\">T1106<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Native API<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">FishMonger has used Home windows APIs to execute code inside a sufferer\u2019s system.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 107px;\" width=\"113\"><strong>Persistence<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1547\/012\">T1547.012<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Boot or Logon Autostart Execution: Print Processors<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">To attain persistence, FishMonger installs its malicious loader as a print processor.<\/td>\n<\/tr>\n<tr style=\"height: 112px;\">\n<td style=\"height: 112px; width: 107px;\" width=\"113\"><strong>Privilege Escalation<\/strong><\/td>\n<td style=\"height: 112px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1546\/012\">T1546.012<\/a><\/td>\n<td style=\"height: 112px; width: 148px;\" width=\"151\">Occasion Triggered Execution: Picture File Execution Choices Injection<\/td>\n<td style=\"height: 112px; width: 302px;\" width=\"265\">SprySOCKS can set up itself as a debugger for the Digital Disk Service by modifying <span style=\"font-family: courier new, courier, monospace;\">HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsvds.exedebugger<\/span>.<\/td>\n<\/tr>\n<tr style=\"height: 90px;\">\n<td style=\"height: 687px; width: 107px;\" rowspan=\"12\" width=\"113\"><strong>Stealth<\/strong><\/td>\n<td style=\"height: 90px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1205\/002\">T1205.002<\/a><\/td>\n<td style=\"height: 90px; width: 148px;\" width=\"151\">Visitors Signaling: Socket Filters<\/td>\n<td style=\"height: 90px; width: 302px;\" width=\"265\">SprySOCKS makes use of the RawWNPF kernel driver to put in packet filters able to redirecting any inbound TCP site visitors to the configured native port if a particular magic worth is detected within the packet.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 55px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1134\/002\">T1134.002<\/a><\/td>\n<td style=\"height: 55px; width: 148px;\" width=\"151\">Entry Token Manipulation: Create Course of with Token<\/td>\n<td style=\"height: 55px; width: 302px;\" width=\"265\">FishMonger makes use of <span style=\"font-family: courier new, courier, monospace;\">CreateProcessAsUser<\/span> to execute a brand new course of with a token obtained from the print spooler service.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 55px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1622\">T1622<\/a><\/td>\n<td style=\"height: 55px; width: 148px;\" width=\"151\">Debugger Evasion<\/td>\n<td style=\"height: 55px; width: 302px;\" width=\"265\">SprySOCK\u2019s RawWNPF driver makes use of the <span style=\"font-family: courier new, courier, monospace;\">KdDisableDebugger<\/span> perform to disable the kernel debugger, if lively.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1140\">T1140<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Deobfuscate\/Decode Recordsdata or Info<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS loader decrypts the SprySOCKS backdoor from an encrypted file. Moreover, many of the strings within the SprySOCKS parts are encrypted.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1070\/004\">T1070.004<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Indicator Removing: File Deletion<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">The SprySOCKS loader removes unique recordsdata from the deployment listing after copying them and organising persistence.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1070\/009\">T1070.009<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Indicator Removing: Clear Persistence<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS loader removes a service registry worth related to the beforehand put in malicious minifilter driver after executing the driving force.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\/007\">T1027.007<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Obfuscated Recordsdata or Info: Dynamic API Decision<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS parts use dynamic API decision.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\/013\">T1027.013<\/a><\/td>\n<td style=\"height: 72px; width: 148px;\" width=\"151\">Obfuscated Recordsdata or Info: Encrypted\/Encoded File<\/td>\n<td style=\"height: 72px; width: 302px;\" width=\"265\">SprySOCKS parts are saved in an AES-encrypted file on the sufferer\u2019s drive.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 55px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1055\/013\">T1055.013<\/a><\/td>\n<td style=\"height: 55px; width: 148px;\" width=\"151\">Course of Injection: Course of Doppelg\u00e4nging<\/td>\n<td style=\"height: 55px; width: 302px;\" width=\"265\">The SprySOCKS loader makes use of course of doppelg\u00e4nging to inject the backdoor into the <span style=\"font-family: courier new, courier, monospace;\">svchost.exe<\/span> course of.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1014\">T1014<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Rootkit<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">FishMonger makes use of the RawWNPF kernel driver, which serves as a rootkit accountable for hiding the SprySOCKS malicious exercise.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1497\">T1497<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Virtualization\/Sandbox Evasion<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS makes use of a number of anti-emulation strategies to stop automated evaluation by emulators or sandboxes.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1574\/002\">T1574.002<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"113\">Hijack Execution Circulate: DLL Aspect-Loading<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"151\">FishMonger makes use of DLL side-loading to execute the SprySOCKS backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 107px;\" width=\"113\"><strong>Protection Impairment<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1562\/004\">T1562.004<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Disable or Modify System Firewall<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS provides a firewall rule permitting any inbound site visitors despatched to the backdoor\u2019s listening port.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 435px; width: 107px;\" rowspan=\"7\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1010\">T1010<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Software Window Discovery<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS retrieves the lively foreground window identify as part of its keylogging performance.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1083\">T1083<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">File and Listing Discovery<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS can acquire file and listing listings from the compromised system.<\/td>\n<\/tr>\n<tr style=\"height: 111px;\">\n<td style=\"height: 111px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1518\/001\">T1518.001<\/a><\/td>\n<td style=\"height: 111px; width: 148px;\" width=\"151\">Software program Discovery: Safety Software program Discovery<\/td>\n<td style=\"height: 111px; width: 302px;\" width=\"265\">SprySOCKS parts verify for the presence of safety and sandboxing product libraries (<span style=\"font-family: courier new, courier, monospace;\">snxhk.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxWrapper.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SxIn.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SXIn64.dll<\/span>, <span style=\"font-family: courier new, courier, monospace;\">SbieDll.dll<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">cmdvrt32.dll<\/span>) in their very own processes.<\/td>\n<\/tr>\n<tr style=\"height: 90px;\">\n<td style=\"height: 90px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1082\">T1082<\/a><\/td>\n<td style=\"height: 90px; width: 148px;\" width=\"151\">System Info Discovery<\/td>\n<td style=\"height: 90px; width: 302px;\" width=\"265\">SprySOCKS can gather details about the compromised gadget, together with: laptop identify, OS model, details about reminiscence and CPU, present privileges, system language and model, present time, and extra.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1614\/001\">T1614.001<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">System Location Discovery: System Language Discovery<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS can gather details about the compromised gadget, together with system language.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1007\">T1007<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">System Service Discovery<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS can enumerate all companies on the system.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1124\">T1124<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">System Time Discovery<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS can gather details about the compromised gadget, together with present system time.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 90px; width: 107px;\" rowspan=\"2\" width=\"113\"><strong>Assortment<\/strong><\/td>\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1056\/001\">T1056.001<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Enter Seize: Keylogging<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS implements a keylogger.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1115\">T1115<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Clipboard Knowledge<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS logs clipboard knowledge, together with the captured keystrokes, as part of its keylogging performance.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 289px; width: 107px;\" rowspan=\"6\" width=\"113\"><strong>Command and Management<\/strong><\/td>\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1132\/001\">T1132.001<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Knowledge Encoding: Commonplace Encoding<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS makes use of base64 encoding in its customized C&amp;C communication protocol.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1573\/001\">T1573.001<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Encrypted Channel: Symmetric Cryptography<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">SprySOCKS encrypts knowledge despatched to, and decrypts knowledge acquired from, the C&amp;C with 128-bit AES.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1008\">T1008<\/a><\/td>\n<td style=\"height: 54px; width: 148px;\" width=\"151\">Fallback Channels<\/td>\n<td style=\"height: 54px; width: 302px;\" width=\"265\">Along with the TCP communication channel, SprySOCKS can contact its C&amp;C utilizing UDP and WebSocket channels.<\/td>\n<\/tr>\n<tr style=\"height: 73px;\">\n<td style=\"height: 73px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1665\">T1665<\/a><\/td>\n<td style=\"height: 73px; width: 148px;\" width=\"151\">Conceal Infrastructure<\/td>\n<td style=\"height: 73px; width: 302px;\" width=\"265\">SprySOCKS\u2019s RawWNPF driver hides the backdoor\u2019s lively connections from being enumerated when utilizing community instruments akin to <span style=\"font-family: courier new, courier, monospace;\">netstat.exe<\/span>.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1571\">T1571<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Non-Commonplace Port<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS makes use of nonstandard ports to speak with the C&amp;C.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1095\">T1095<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Non-Software Layer Protocol<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS makes use of nonstandard protocols to speak with the C&amp;C.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px; width: 107px;\" width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td style=\"height: 36px; width: 70px;\" width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1041\">T1041<\/a><\/td>\n<td style=\"height: 36px; width: 148px;\" width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td style=\"height: 36px; width: 302px;\" width=\"265\">SprySOCKS can add varied recordsdata from the compromised system to the C&amp;C.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=fishmongers-arsenal-upgraded-sprysocks-windows&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have found two as-yet undocumented Home windows variants of SprySOCKS, a beforehand Linux-only backdoor reportedly utilized by FishMonger, the group believed to be operated by a Chinese language contractor named I\u2011SOON. Whereas we initially found the malware samples on VirusTotal, ESET telemetry exhibits actual exercise between 2023 and 2024, with a number of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16848,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[5104,9823,9824,2961,1059],"class_list":["post-16846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-arsenal","tag-fishmongers","tag-sprysocks","tag-upgraded","tag-windows"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16846"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16846\/revisions"}],"predecessor-version":[{"id":16847,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16846\/revisions\/16847"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/16848"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69d9690a190636c2e0989534. Config Timestamp: 2026-04-10 21:18:02 UTC, Cached Timestamp: 2026-07-19 01:37:39 UTC -->