Operation FishMedley

Summary:
On March 5, 2025, the U.S. Department of Justice unsealed an indictment against employees of the Chinese contractor I‑SOON, revealing their involvement in global cyber espionage campaigns. The indictment detailed a series of attacks attributed to I‑SOON’s operational arm, the FishMonger APT group, including a 2022 cyber campaign known as Operation FishMedley, which targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. The FBI subsequently placed those named in the indictment on its "Most Wanted" list. This confirmed previous intelligence linking FishMonger to multiple cyber intrusions that leveraged well-known malware families such as ShadowPad, SodaMaster, and Spyder, commonly associated with China-aligned threat actors. FishMonger, also known as Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10, operates under the Winnti Group umbrella and has been linked to espionage activities dating back years, including a 2019 campaign targeting Hong Kong universities during civic protests. The group, believed to be operating out of Chengdu, China, where I‑SOON’s office was located, is known for conducting watering-hole attacks and using a sophisticated toolset that includes Cobalt Strike, FunnySwitch, SprySOCKS, and BIOPASS RAT.

Operation FishMedley involved seven documented intrusions in which FishMonger attackers used various implants to compromise government agencies, NGOs, and geopolitical think tanks. The group’s methods included gaining privileged access within networks, stealing credentials, and moving laterally with tools such as Impacket to deploy malware. Key tools included ShadowPad, a backdoor sold exclusively to China-aligned APTs; Spyder, a modular implant previously analyzed by Dr.Web; and SodaMaster, historically linked to APT10 but now seemingly shared among Chinese cyber actors. Additionally, a newly identified tool, RPipeCommander, functioned as a reverse shell for executing commands within victim environments.

Security Officer Comments:
Through independent research, analysts confirmed that FishMonger is directly operated by I‑SOON, a Chinese contractor that suffered a document leak in 2024, exposing its role in state-sponsored cyber operations. This finding aligns with the DOJ indictment, which named I‑SOON employees and officers from China’s Ministry of Public Security as key figures in the espionage campaign. Despite widespread reporting on the use of ShadowPad, SodaMaster, and Spyder, FishMonger continues to reuse well-documented malware, indicating either a lack of concern for operational security or confidence in the continued effectiveness of these tools. The indictment underscores the long-term threat posed by China-aligned cyber actors and highlights their persistent focus on infiltrating critical organizations worldwide. By exposing these operations and naming those involved, the DOJ’s actions signal an increasing international effort to counter China-aligned cyber espionage.

Suggested Corrections:

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
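As an added example under the "continuous monitoring for anomalies" point above (this is not code from the bulletin or from ESET's report), a small detector that flags the default on-host artifacts of Impacket's public wmiexec.py, smbexec.py and psexec.py scripts, the lateral-movement tooling named in the summary, in Windows process-creation (4688) and service-install (7045) events. The artifact patterns are assumptions about those scripts' unmodified defaults, the event dictionaries are constructed samples, and a tuned copy of the tools will not match, so the rules are one signal to correlate, not proof of absence.

```python
import re

# Detection rules for the default artifacts of Impacket's public example scripts.
# Assumption (not from the page): script defaults are unchanged; a modified copy
# will not match, so treat a hit as one signal among others, never a miss as proof.
# Each rule: (label, Windows event id it applies to, event field, pattern).
RULES = [
    # wmiexec.py: command output redirected to \\127.0.0.1\ADMIN$\__<timestamp> (4688 command line)
    ("impacket-wmiexec", 4688, "cmdline",
     re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
    # smbexec.py: 7045 service image runs %COMSPEC% around a %TEMP%\execute.bat wrapper
    ("impacket-smbexec", 7045, "image",
     re.compile(r"%COMSPEC%.*execute\.bat", re.I)),
    # psexec.py: 7045 service image is an 8-letter random .exe in %systemroot% or a share
    ("impacket-psexec", 7045, "image",
     re.compile(r"^(?:%systemroot%|\\\\127\.0\.0\.1\\[^\\]+)\\[A-Za-z]{8}\.exe$", re.I)),
]

def classify(event):
    """Return the label of the first rule matching one parsed event, or None."""
    for label, event_id, field, pattern in RULES:
        if event["id"] == event_id and pattern.search(event.get(field, "")):
            return label
    return None

def detect(events):
    """Return (host, label) pairs for every event that matches a rule, in log order."""
    return [(e["host"], label) for e in events if (label := classify(e))]

# Constructed sample events modelled on Security 4688 (process creation) and
# System 7045 (service installed) fields; not taken from the page or the report.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "fs01",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1710000000.12 2>&1"},
    {"id": 7045, "host": "fs01", "service": "BTOBTO",
     "image": r"%COMSPEC% /Q /c echo hostname ^> \\127.0.0.1\C$\__output 2^>^&1 > "
              r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 7045, "host": "dc01", "service": "kXqR", "image": r"%systemroot%\aBcDeFgH.exe"},
    {"id": 4688, "host": "ws07", "cmdline": r"cmd.exe /c dir C:\Users"},
    {"id": 7045, "host": "ws07", "service": "Sense",
     "image": r"C:\Program Files\Windows Defender\MsSense.exe"},
]

if __name__ == "__main__":
    for host, label in detect(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Feeding the same rules real 4688/7045 exports requires the command-line auditing policy to be enabled, since 4688 carries no command line by default.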

Link(s):
https://www.welivesecurity.com/en/eset-research/operation-fishmedley/