HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

China‑Linked FishMonger Deploys SprySOCKS Windows Variants with Kernel‑Level Stealth and UEFI Bootkit Hints

ESET discovered two new Windows variants of the SprySOCKS backdoor used by the China‑linked FishMonger APT group. The malware employs kernel drivers, DLL side‑loading, and Print Spooler abuse to hide its activity, with hints of a UEFI bootkit. For compliance teams this underscores the need for continuous control monitoring and evidence collection around privileged execution.

LiveThreat™ Intelligence · 📅 June 17, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

China‑Linked FishMonger Deploys SprySOCKS Windows Variants with Kernel‑Level Stealth and UEFI Bootkit Hints

What Happened — Researchers at ESET uncovered two previously undocumented Windows variants of the SprySOCKS backdoor, now used by the China‑linked APT group FishMonger (Winnti). The variants, WIN_DRV and WIN_PLUS, employ a custom kernel driver, DLL side‑loading, scheduled tasks, and the Print Spooler service to gain persistent, stealthy access on government systems in four countries. The code also contains hints of a UEFI‑level bootkit, suggesting a long‑term foothold beyond the operating system.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates how gaps in privileged‑execution controls (e.g., unsanitized driver loading, Print Spooler misuse) can bypass traditional user‑level monitoring – a scenario SOC 2 CC6.1 (System Operations) and CC7.1 (Change Management) are designed to detect and evidence.
  • Highlights the need for continuous evidence collection on low‑level system changes; Verisq’s Control Mapping capability can automatically capture driver‑install events and correlate them with audit controls.
  • Shows that a single undetected kernel component can invalidate the effectiveness of documented security policies, underscoring the importance of verifiable, real‑time control enforcement.

Who Is Affected – Government agencies and critical‑infrastructure entities in the four targeted nations; any organization that runs unpatched Windows endpoints with the Print Spooler service enabled.

Recommended Actions

  • Map the kernel‑driver loading and Print Spooler usage to SOC 2 controls (CC6.1, CC7.1) and ensure evidence is collected continuously.
  • Enforce strict least‑privilege policies for driver installation and disable unnecessary services (e.g., Print Spooler) where feasible.
  • Deploy endpoint detection that monitors kernel‑mode activity and scheduled‑task creation, and integrate logs into a centralized audit trail. Source: Security Affairs

Technical Notes – The attack chain begins with an unknown initial access vector, drops a batch script, creates a scheduled task, and uses DLL side‑loading to install two kernel drivers (RawWNPF and DriverLoader). The backdoor communicates over TCP, UDP, and WebSocket, with traffic diversion that hides the listening port. No specific CVE is cited, but the technique mirrors Print Spooler abuse (e.g., CVE‑2021‑34527). Source: [Security Affairs]

📰 Original Source
https://securityaffairs.com/193728/apt/china-linked-fishmonger-ports-sprysocks-to-windows-with-kernel-level-stealth-and-uefi-bootkit-hints.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →