Date: 06/17/2026
Severity: High
Summary
Researchers found two new Windows variants of the SprySOCKS backdoor, previously known only on Linux. The backdoor is linked to the Chinese group FishMonger (I-SOON), which actively targeted government entities between 2023 and 2024. Telemetry confirmed victims across Honduras, Taiwan, Thailand, and Pakistan. The variants, WIN_DRV and WIN_PLUS, support over 30 commands across TCP, UDP, and WebSockets. WIN_DRV uses kernel drivers to hide itself and divert network traffic to mask its listening port. Evidence suggests some attacks may have deployed a UEFI bootkit exploiting CVE-2023-24932.
Indicators of Compromise (IOC) List
IP Address: 207.148.78.36
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: dstipaddress IN ("207.148.78.36") or srcipaddress IN ("207.148.78.36")
Detection Query 2 : | sha1hash IN ("E7484C24B88A1A2407A8F09D734F9A993670285B","037DB2445F3D72388CB2CF8510563148E5A184BE","44DC4A08C5EB0972C8E18B0E01284E06F09006BB","955BFC3DCC867256F9F46A606DEB0779FA3416D8","AB87B29B6F79487C75CA08D102E79001E536F083","6490B8E4AADE25A3EE2DA9A47F312DB2122470BC","621D1952839BE4B0A1B0E66E87BCE5062CA368ED","2457EED2AB28E37741F10914EF929DAD2C8079D4","D2C706B1EAF662BF0CE124B5032F73ED84BDA24A","5F3B87CEF56683D9A9E19186E0FD0D8019B559C4","C793CA31E3F6628B5C8986146953BF66232E9A30")
Reference:
https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/