Cyber Security News

I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs

In a recent development, the U.S. Department of Justice unsealed an indictment against employees of the Chinese contractor I-SOON, revealing their involvement in multiple global espionage operations.

These operations are attributed to the FishMonger APT group, which is believed to be I-SOON’s operational arm.

The group, also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10, has been linked to a series of sophisticated cyberattacks targeting governments, NGOs, and think tanks across Asia, Europe, and the United States.

Operation FishMedley: A Global Espionage Campaign

Operation FishMedley, a campaign identified in 2022, involved the compromise of seven organizations.

The attackers employed implants such as ShadowPad, SodaMaster, and Spyder, which are commonly used by China-aligned threat actors.

ShadowPad, a modular backdoor, was used in conjunction with ScatterBee packing, while Spyder, a modular implant, was detected at several victim sites.

SodaMaster, a backdoor initially associated with APT10, was also identified, indicating potential sharing among multiple China-aligned groups.

During the campaign, attackers gained privileged access within targeted networks, often using compromised domain administrator credentials.

At one victim site, they deployed implants via an admin console, while at another, they used Impacket to deliver and laterally move malware.

The attackers conducted manual reconnaissance using tools like quser.exe and wmic.exe, and they dumped the LSASS process to obtain credentials.

According to the report, they also saved registry hives to extract additional secrets.
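From the defender's side, the recon, LSASS dumping and hive-saving sequence just described leaves a recognisable trail in endpoint telemetry. The following Python sketch is an added example, not code from the report or the article, that flags that pattern in constructed Sysmon-style records; the record field names, the benign-reader allowlist and the sample data are assumptions.

```python
# Added example (not code from the report): a detection sketch for the
# hands-on-keyboard pattern described above, run over constructed Sysmon-style
# records. Flags recon with quser.exe/wmic.exe, reads of LSASS memory
# (Event ID 10, GrantedAccess including PROCESS_VM_READ) and registry hive
# exports with reg.exe. Field names and the allowlist are assumptions.
import re
from collections import defaultdict

PROCESS_VM_READ = 0x0010
RECON_IMAGES = {"quser.exe", "wmic.exe"}
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed benign readers
HIVE_SAVE = re.compile(r"\breg(\.exe)?\b.*\bsave\b.*\bhklm\\(sam|system|security)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(rec):
    """Return the rule names one record matches (empty list when benign)."""
    hits = []
    if rec["event"] == 1:  # process creation: image + command line
        if basename(rec["image"]) in RECON_IMAGES:
            hits.append("recon_" + basename(rec["image"]))
        if HIVE_SAVE.search(rec["cmd"]):
            hits.append("hive_save")
    elif rec["event"] == 10:  # process access: source -> target with a mask
        if (basename(rec["target"]) == "lsass.exe"
                and rec["access"] & PROCESS_VM_READ
                and basename(rec["source"]) not in LSASS_ALLOWLIST):
            hits.append("lsass_read")
    return hits

def triage(records):
    """Aggregate hits per host; recon plus credential access on one host is the pattern to escalate."""
    per_host = defaultdict(set)
    for rec in records:
        per_host[rec["host"]].update(classify(rec))
    return {h: sorted(r) for h, r in per_host.items() if r}

# Constructed sample telemetry (not taken from the report).
SAMPLE = [
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\quser.exe", "cmd": "quser"},
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\wmic.exe", "cmd": "wmic process list"},
    {"host": "ws01", "event": 10, "source": r"C:\Users\Public\t.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1FFFFF},
    {"host": "ws01", "event": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save hklm\system C:\Users\Public\sys.hiv"},
    {"host": "ws02", "event": 10, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1410},
]
```

Running `triage(SAMPLE)` reports only ws01, with all four rule names; the csrss.exe read on ws02 is suppressed by the allowlist.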

The toolset used by FishMonger includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.

[Figure: Names of FishMonger / I-SOON members]

ShadowPad was configured to inject into Windows Media Player or svchost.exe, while Spyder used AES-CBC encryption with a hardcoded key.

SodaMaster loaders abused legitimate executables via DLL side-loading, implementing a password stealer for Firefox in some cases.

Legal and Technical Implications

The indictment by the U.S. Department of Justice marks a significant legal response to these espionage activities.

Technically, the campaign highlights the sophisticated tactics employed by FishMonger, including the use of watering-hole attacks and living-off-the-land binaries.

The group’s ability to operate under different names and adapt its toolset underscores the evolving nature of cyber threats from China-aligned actors.

As cybersecurity continues to be a critical concern for governments and organizations worldwide, understanding these operations is crucial for developing effective defense strategies.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
