FishMonger, a threat group linked to China, has used a new Windows variant of the SprySOCKS backdoor to compromise government targets in countries including Honduras, Taiwan, Thailand and Pakistan. The Windows build comes in two types, WIN_DRV and WIN_PLUS; WIN_DRV loads kernel drivers to conceal its activity, which makes it harder to detect than earlier SprySOCKS builds. ESET's analysis indicates this variant has been in use since 2023.
The initial access vector has not been determined, but ESET suspects that misconfigured or outdated public-facing applications were exploited. ESET has published indicators of compromise to assist defenders.