SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection
ID: a2e11443-dc67-580e-b47d-55f677c49d71
STIX ID: report--a2e11443-dc67-580e-b47d-55f677c49d71
Feed Name: Dark Reading
**Executive summary:** ESET researchers identified a previously undocumented Windows variant of the SprySOCKS backdoor used by the FishMonger APT, which leverages two malicious kernel drivers (DriverLoader/fsdiskbit.sys and RawWNPF) to load the backdoor into memory and hide processes/files by hooking NtQuerySystemInformation; the campaign targeted government organizations in Honduras, Taiwan, Thailand, and Pakistan in 2023–2024, and ESET released IoCs and mitigations including enabling HVCI.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
