EXECUTIVE SUMMARY
The campaign is attributed to FishMonger, a Chinese‐operated cyber‐espionage group linked to the Winnti umbrella and believed to be directed by a contractor known as I‐SOON. The threat manifests as a Windows backdoor that extends a previously Linux‐only toolset. Activity logs show victims in Honduras, Taiwan, Thailand and Pakistan, with a focus on government agencies. The operators appear to seek strategic information rather than ransom, using the compromised hosts to harvest documents, credentials and network maps for intelligence‐gathering purposes.
They also aim to maintain long‐term footholds for future operations. Initial access is achieved through compromised public‐facing servers, often exploiting unpatched or misconfigured applications to drop a malicious archive. The package uses DLL side‐loading, masquerading a signed printer service to launch a loader that copies files into the system fonts directory and registers a scheduled task. Once executed, the loader decrypts an encrypted container, injects shellcode into a svchost process via process‐doppelganging, and installs a kernel driver that hides files, processes and network sockets.
The backdoor then opens a TCP listener, routing inbound connections through the driver and communicating with its server over TCP, UDP or WebSocket. Organizations should regard this threat as high risk because the kernel driver grants the attackers deep stealth, leaving traditional detection tools blind to the backdoor's network activity and file presence. Persistence mechanisms such as scheduled tasks and Image File Execution Options injection enable the malware to survive reboots and evade simple removal. To mitigate exposure, entities must patch exposed services promptly, enforce strict application whitelisting, and monitor for unusual driver installations or hidden network sockets. Regular audits of scheduled tasks, verification of legitimate signed binaries, and maintaining offline backups further reduce the impact of a potential compromise.
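As an added, read-only audit example (not code from the reports or from the malware itself), the following PowerShell enumerates the three host traces the summary names: IFEO Debugger values, scheduled tasks whose action runs from the system Fonts directory, and running kernel drivers whose image is not validly signed by Microsoft. The Fonts-directory staging location is taken from the text above; everything else (variable names, the "Microsoft" subject match) is an assumption of this example.

```powershell
# Added example, not from the report: read-only host audit for the
# persistence and evasion traces described in the summary above.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Image File Execution Options injection (T1546.012): a 'Debugger' value
#    under an IFEO subkey redirects that executable's launch to another binary.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings.Add([pscustomobject]@{ Check = 'IFEO Debugger'; Item = $_.PSChildName; Detail = $dbg })
    }
}

# 2. Scheduled tasks (T1053.005) whose action executes from the Fonts
#    directory, the staging location the loader is reported to use.
$fonts = Join-Path $env:windir 'Fonts'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -like "*$fonts*") {
            $findings.Add([pscustomobject]@{ Check = 'Task runs from Fonts'; Item = $task.TaskName; Detail = $cmd })
        }
    }
}

# 3. Running kernel drivers (T1014) whose image fails Authenticode validation
#    or is signed by a publisher other than Microsoft. Third-party hardware
#    drivers will appear here too: this is a review list, not a verdict.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style prefixes (\??\ and \SystemRoot) to a Win32 path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:windir
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                $findings.Add([pscustomobject]@{ Check = 'Driver signature'; Item = $_.Name; Detail = "$($sig.Status) $signer" })
            }
        }
    }

$findings | Format-Table -AutoSize
```

Because the reported driver hides files, processes and sockets from the running system, an empty result from an on-host audit is not conclusive; corroborate with an offline or boot-time scan and with network-side visibility of the listener.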
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1546.003 | Event Triggered Execution | Windows Management Instrumentation Event Subscription |
| Persistence | T1546.012 | Event Triggered Execution | Image File Execution Options Injection |
| Privilege Escalation | T1134.001 | Access Token Manipulation | Token Impersonation/Theft |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Privilege Escalation | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1014 | Rootkit | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1057 | Process Discovery | — |
| Discovery | T1083 | File and Directory Discovery | — |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The reports contain further technical details:
https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows
https://www.darkreading.com/threat-intelligence/sprysocks-windows-variant-kernel-drivers