logo

SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection

ID: a2e11443-dc67-580e-b47d-55f677c49d71

STIX ID: report--a2e11443-dc67-580e-b47d-55f677c49d71

Feed Name: Dark Reading

Threat Score
85/100

Date Published: 2026-06-16

Date Updated: 2026-06-17

Author: Rob Wright

...
...

**Executive summary:** ESET researchers identified a previously undocumented Windows variant of the SprySOCKS backdoor used by the FishMonger APT, which leverages two malicious kernel drivers (DriverLoader/fsdiskbit.sys and RawWNPF) to load the backdoor into memory and hide processes/files by hooking NtQuerySystemInformation; the campaign targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan in 2023–2024, and ESET released IoCs and mitigations including enabling HVCI.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.