ESET identified Windows variants of the SprySOCKS backdoor in June 2026, breaking a long-standing classification. Until now, the malware, first seen in 2023 as a tool of the Earth Lusca/FishMonger group, was known exclusively as a Linux threat. Its lineage traces a rare cross-platform arc: from the open-source Windows backdoor Trochilus, to a Linux fork deployed via the mandibule ELF injector, and now back to Windows in a more capable form than the original.
- ESET documented two Windows variants of SprySOCKS, a backdoor that had been classified as Linux-only since 2023
- The Windows variants retain the core architecture of their predecessor—C&C message format, encryption keys and algorithms, HP-Socket framework—but add a kernel rootkit to hide connections, processes, files, and registry keys
- Targeting hit government organizations in Honduras, Taiwan, Thailand, and Pakistan during 2023–2024
- A C&C IP address from the Windows campaign belongs to the same range as a SprySOCKS Linux delivery server used by FishMonger in 2023
From Trochilus Lineage to Windows Platform
SprySOCKS' genealogy follows an unusually well-documented chain of adaptations. The starting point is Trochilus, an open-source backdoor written for Windows. In 2023, Earth Lusca/FishMonger forked it to Linux as SprySOCKS, deployed via the mandibule ELF injector, reversing the usual porting direction. Three years later, the group re-architected it for Windows while preserving the structural elements that make the lineage recognizable: the C&C message format, the encryption keys and algorithms, and the HP-Socket network communication framework.
ESET documents this technical continuity as intentional, not accidental. Cross-platform component reuse cuts development costs and leverages proven C&C infrastructure, but also exposes the group to detection via recognizable patterns. The decision to keep the cryptographic subsystem and message format unchanged indicates FishMonger prioritized interoperability with the existing Linux fleet over obfuscating the lineage.
Kernel Rootkit and New Stealth Capabilities
The Windows variant adds a kernel-mode driver that falsifies what the operating system reports. According to the ESET findings as reported by Bank Info Security, the rootkit hides network connections, running processes, files on disk, and registry keys. It also performs TCP traffic diversion: operators can send commands to a random TCP port on the victim, and the driver routes that traffic to the backdoor, so the backdoor's real listening port never appears in the observed connection. The practical consequence for defenders is that host-side tooling that asks the kernel for its process and socket tables (tasklist, netstat, Get-NetTCPConnection) cannot be trusted on an infected system; evidence has to come from an out-of-host vantage point such as a network sensor, or from comparing independent views of the same host.
"SprySocks utilizes this driver to hide the malware's network connections, processes, files, and registry keys and enables TCP traffic diversion, allowing the malware operators to send commands to the backdoor through a random TCP port on the victim's device without exposing the backdoor's real listening port in the network traffic" — ESET, reported by Bank Info Security
The Windows variants extend the Linux predecessor's TCP-only transport with UDP and WebSocket. The C&C command set exceeds 30 functions, with additions for system information gathering, process enumeration, service management, and file creation and transfer. That breadth points to a tool built for long post-compromise phases rather than rapid initial access.
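A rootkit that hides sockets and diverts traffic defeats the host's own socket table, but it cannot hide the fact that the host answered a connection from the network's point of view. The following added example (not code from ESET, Bank Info Security, or the malware authors) implements that cross-view check: it takes a host-reported listener inventory, as a possibly subverted tool such as netstat or Get-NetTCPConnection would give it, and correlates it with flow records from an external sensor. Any inbound flow that the host answered on a port it does not admit to listening on is flagged. The flow field names, the host inventory, and the sample records are all constructed for this example, not a vendor log format; the logic generalizes to UDP as well as TCP, since the Windows variants also speak UDP.

```python
import re
from collections import defaultdict

# Constructed host-side listener inventory for 10.0.0.8, as a rootkit-influenced
# tool would report it: keyed by (protocol, port). The backdoor's real listener and
# any diverted ports are absent by design, which is exactly what we want to catch.
HOST_LISTENERS = {
    "10.0.0.8": {("tcp", 135), ("tcp", 445), ("tcp", 3389), ("udp", 137)},
}

# Constructed flow records from an out-of-host vantage point (firewall, span port,
# NetFlow). Field names are an assumption for this example, not a real product format.
# srv_bytes is the byte count sent back by the destination (server) side.
SENSOR_FLOWS = """\
ts=2024-03-01T10:00:01Z proto=tcp dir=in src=203.0.113.5:51234 dst=10.0.0.8:3389 srv_bytes=8120
ts=2024-03-01T10:00:07Z proto=tcp dir=in src=198.51.100.23:44102 dst=10.0.0.8:49631 srv_bytes=2560
ts=2024-03-01T10:00:09Z proto=tcp dir=in src=198.51.100.23:44103 dst=10.0.0.8:52022 srv_bytes=1900
ts=2024-03-01T10:00:12Z proto=tcp dir=in src=192.0.2.77:40000 dst=10.0.0.8:8080 srv_bytes=0
ts=2024-03-01T10:00:15Z proto=tcp dir=out src=10.0.0.8:50001 dst=93.184.216.34:443 srv_bytes=5300
ts=2024-03-01T10:00:20Z proto=udp dir=in src=198.51.100.23:5000 dst=10.0.0.8:5000 srv_bytes=300
"""

FLOW_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Parse one key=value flow record into a dict with typed src/dst endpoints."""
    fields = dict(FLOW_RE.findall(line))
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return {
        "ts": fields["ts"],
        "proto": fields["proto"],
        "dir": fields["dir"],
        "src": (src_ip, int(src_port)),
        "dst": (dst_ip, int(dst_port)),
        "srv_bytes": int(fields["srv_bytes"]),
    }


def find_hidden_listeners(flow_text, host_listeners):
    """Return {(host, proto, port): [peer ip, ...]} for services the network saw
    the host answer on, but which the host's own inventory does not list."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        # Outbound flows and unanswered probes (srv_bytes == 0) are not evidence
        # that anything was listening, so they are skipped.
        if f["dir"] != "in" or f["srv_bytes"] <= 0:
            continue
        host, port = f["dst"]
        if host not in host_listeners:
            continue  # no host-side view to compare against
        if (f["proto"], port) in host_listeners[host]:
            continue  # the host admits this service; nothing hidden here
        hits[(host, f["proto"], port)].add(f["src"][0])
    return {key: sorted(peers) for key, peers in hits.items()}


if __name__ == "__main__":
    for (host, proto, port), peers in sorted(find_hidden_listeners(SENSOR_FLOWS, HOST_LISTENERS).items()):
        print(f"{host} answered on {proto}/{port} with no listener in host inventory; peers: {', '.join(peers)}")
```

A single hit is a lead, not a verdict: a legitimately short-lived service or a stale inventory can produce the same discrepancy. The pattern that matters for the diversion described above is one external peer getting answers on several high, unrelated ports that the host claims are closed, which is what the 198.51.100.23 records in the sample show.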
Government Targeting and Geographic Scope
Documented campaigns targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan across 2023–2024, spanning Central America and South/Southeast Asia. The Windows campaign timeframe partially overlaps the documented Linux activity, but it is unclear whether the two platforms were deployed in parallel or sequentially.
The infrastructural link between Linux and Windows campaigns is reinforced by a specific data point: the sole C&C IP identified in the Windows campaign belongs to the same IP range as a SprySOCKS Linux delivery server used by FishMonger in 2023. This overlap, while not proof of single management, reduces the space for coincidence and supports attribution to a single operator.
Possible Role of CVE-2023-24932 and Telemetry Limits
The largest open question is persistence. ESET telemetry suggests some attacks may have involved a UEFI bootkit, which would mean the actor is exploiting CVE-2023-24932, the Secure Boot bypass rated CVSS 6.7 MEDIUM by NVD [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]. The dossier does not confirm that exploitation occurred; ESET's conditional phrasing is preserved here. If verified, persistence would sit below the operating system: reinstalling Windows would not remove it, and recovery would depend on the firmware-level revocations Microsoft published for this CVE. Note also what the vector says: high privileges and local access are required (PR:H, AV:L), so a bootkit would be a persistence stage layered on an already compromised host, not an entry vector.
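Whether a host can still be hit by a CVE-2023-24932-style bootkit depends on whether the published Secure Boot revocations have been applied, and the most direct evidence is the DBX (forbidden signatures) variable itself: the mitigation places the "Microsoft Windows Production PCA 2011" certificate into DBX so that boot managers signed under it are refused. The added example below (not ESET's or Microsoft's code) parses the EFI_SIGNATURE_LIST format that db and dbx use and reports whether such an X.509 entry is present. The parser follows the UEFI specification layout; the sample DBX blobs are constructed, the X.509 payload is a placeholder rather than a real certificate, and the owner GUID is assumed (its value does not affect the check).

```python
import struct
import sys
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Subject string of the CA that the CVE-2023-24932 mitigation revokes via DBX.
# In DER the subject is stored as a contiguous ASCII string, so a byte search works
# on the real certificate as well as on the placeholder used below.
REVOKED_CA_MARKER = b"Microsoft Windows Production PCA 2011"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Walk a db/dbx variable blob and return (sig_type, owner, data) for every signature.
    Raises ValueError on truncated or inconsistent headers instead of silently skipping."""
    entries = []
    offset = 0
    while offset < len(blob):
        if offset + LIST_HDR.size > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {offset}")
        raw_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, offset)
        if list_size < LIST_HDR.size + hdr_size or offset + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = offset + LIST_HDR.size + hdr_size
        end = offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        offset = end
    return entries


def pca2011_revoked(dbx_blob):
    """True if DBX carries an X.509 entry whose DER contains the PCA 2011 subject string."""
    return any(sig_type == EFI_CERT_X509_GUID and REVOKED_CA_MARKER in data
               for sig_type, _owner, data in parse_signature_lists(dbx_blob))


def build_signature_list(sig_type, owner, datas):
    """Encode one EFI_SIGNATURE_LIST (used only to construct sample input here)."""
    assert datas and all(len(d) == len(datas[0]) for d in datas)
    body = b"".join(owner.bytes_le + d for d in datas)
    return LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0, 16 + len(datas[0])) + body


# Assumed owner GUID; any value works for the check.
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Placeholder "certificate": not real DER, just bytes carrying the subject string.
FAKE_PCA2011_DER = b"\x30\x82\x00\x60" + b"\x00" * 20 + REVOKED_CA_MARKER + b"\x00" * 20
SAMPLE_HASHES = [bytes.fromhex("aa" * 32), bytes.fromhex("bb" * 32)]

# Constructed DBX contents: hash entries only (unmitigated) vs. hashes plus the revoked CA.
SAMPLE_DBX_UNMITIGATED = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
SAMPLE_DBX_MITIGATED = SAMPLE_DBX_UNMITIGATED + build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_PCA2011_DER])


if __name__ == "__main__":
    # Pass a file exported from a real host to check it; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("PCA 2011 revoked in DBX:", pca2011_revoked(fh.read()))
    else:
        for name, blob in (("unmitigated", SAMPLE_DBX_UNMITIGATED), ("mitigated", SAMPLE_DBX_MITIGATED)):
            print(f"{name}: {len(parse_signature_lists(blob))} entries, revoked={pca2011_revoked(blob)}")
```

On a Windows host the DBX variable can be exported with PowerShell, for example `[IO.File]::WriteAllBytes("dbx.bin", (Get-SecureBootUEFI -Name dbx).Bytes)`, and the file passed to the script. A negative result means a boot manager signed under the 2011 CA still boots, which is the precondition the bootkit hypothesis above relies on; a positive result covers only the DBX step of the mitigation, not the updated boot manager or the new CA in db, so it should be read alongside the full guidance rather than as a standalone verdict.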
The initial compromise vector in the Windows campaigns is unspecified. For the Linux predecessor, exploits against Fortinet, GitLab, Exchange, and Zimbra were known; it is undocumented whether the same or other vectors opened access in the Windows infections.
Why It Matters
The dossier does not specify remedial measures taken by identified victims, nor does it document public indicators of compromise (IoCs) beyond the C&C IP in the known range. It is unclear whether the 2024 legal action against iSoon executives affected FishMonger operations; ESET researcher Martin Smolár explicitly acknowledges this uncertainty. The original ESET report is not directly accessible; technical details come from Bank Info Security's journalistic reporting, which serves as the primary source for the Windows variants.
It is unspecified whether the Windows variants carry versioning 1.1 or 1.3.6 like the Linux version, or a different numbering scheme. The exact nature of data exposed or collected in the government infections is not detailed. The dossier also does not document whether the malware employed anti-analysis techniques or if the post-exploitation phase included identified lateral movement.
Open-Source Legacy as APT Trend
The SprySOCKS case illustrates an underappreciated dynamic in offensive code reuse: derivation from open-source projects is not terminal. Trochilus spawned a Linux fork, which in turn spawned a Windows return with capabilities exceeding the original. This cycle—Windows→Linux→Windows, with enhancement at each iteration—challenges threat intelligence models built on rigid platform profiles. The "Linux-only" classification rendered SprySOCKS invisible to Windows defenses for roughly three years, an interval the group exploited for parallel development.
The choice to preserve C&C infrastructure and cryptographic parameters across the platform jump indicates FishMonger manages the backdoor as an evolving product, not a collection of isolated campaigns. The kernel rootkit and traffic diversion represent an investment in stealth exceeding the typical threshold for opportunistic groups, consistent with the documented government targeting.
Geographic expansion into Central America—Honduras was not mentioned in prior Linux campaigns—suggests the group expanded its operational perimeter between 2023 and 2024, or that visibility into prior campaigns was partial. In either case, the 2026 discovery redefines the attack surface government organizations must consider.
FAQ
What exactly is the Trochilus-SprySOCKS "lineage chain"?
Trochilus is an open-source backdoor originally for Windows. Earth Lusca/FishMonger created a Linux fork in 2023—SprySOCKS—using the mandibule injector. In 2026, a Windows variant of SprySOCKS emerged that retains elements of the original architecture but adds a kernel rootkit. The sequence is: Trochilus (Windows, open-source) → SprySOCKS Linux (fork) → SprySOCKS Windows (return with enhancement).
Why is the Windows return significant if Trochilus was already Windows?
Because SprySOCKS Windows is not a reinstallation of Trochilus but a port of the Linux variant carrying the technical additions developed in the interim: the kernel rootkit, the new communication protocols, and traffic diversion. The group invested in cross-platform reuse rather than maintaining two independent code streams, reducing cost while expanding coverage.
What are the concrete limits of attribution to FishMonger?
Attribution rests on infrastructural overlap (the C&C IP range) and technical continuity. It is not documented that FishMonger directly controls the identified servers, nor that the group is formally linked to the iSoon operations under US investigation in 2024. The dossier also does not confirm whether the "believed to be operated by a Chinese contractor" characterization applies to the specific Windows campaigns.
Sources
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940
- https://nvd.nist.gov/vuln/detail/CVE-2025-33053
- https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html
- https://www.bankinfosecurity.com/chinese-hacking-firm-upgrades-new-windows-backdoor-a-31977
- https://nvd.nist.gov/vuln
- https://nvd.nist.gov/vuln/search
Information is based on the cited source and current as of publication.