ESET researchers detail a global espionage operation by FishMonger, the APT group run by I-SOON
Analysis Summary
# Threat Actor: FishMonger APT (Attributed to I-SOON)
## Attribution & Identity
**Primary Identification:** FishMonger APT group.
**Operator:** Believed to be operated by the Chinese contractor **I-SOON**, based in Chengdu, China.
**Associated Groups/Umbrellas:** Falls under the **Winnti Group** umbrella.
**Known Aliases:** Earth Lusca, TAG-22, Aquatic Panda, Red Dev 10.
**Legal Action:** Employees indicted by the US DOJ on March 5th, 2025, for global espionage operations; added to the FBI’s "most wanted" list as Aquatic Panda.
## Activity Summary
FishMonger conducts global espionage operations and has been active since at least 2016. This summary focuses on **Operation FishMedley**, a campaign investigated in 2022 that targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. The group has a history of heavily targeting universities in Hong Kong during the civic protests that began in June 2019, and it is known to conduct watering-hole attacks. The DOJ indictment covers activity spanning 2016 to 2023.
## Tactics, Techniques & Procedures
- **Initial Access:** Initial vectors were often successful enough to provide privileged access, such as **domain administrator credentials**. At one victim (D), access was gained via an admin console used to deploy implants.
- **Execution & Persistence:**
  - Implants persist via a **Windows service** (SodaMaster loaders).
  - Used **DLL Side-Loading** ([T1574.002]) where ShadowPad was loaded via `log.dll` side-loaded by a legitimate Bitdefender executable.
- **Defense Evasion:**
  - Malware (ShadowPad, Spyder, SodaMaster) is **decrypted and loaded into memory** ([T1140]).
- **Credential Access:**
  - Extraction of credentials from **Web Browsers/Password Stores** ([T1555.003]) (SodaMaster loaders extracting passwords from Firefox databases).
  - Use of a **custom password filter DLL** to write passwords to disk or exfiltrate them ([T1556.002]).
  - Dumping **LSASS memory** using `rundll32 C:\windows\system32\comsvcs.dll, MiniDump` ([T1003.001]).
  - Dumping the **Security Account Manager (SAM) hive** using `reg save hklm\sam C:\users\public\music\sam.hive` ([T1003.002]).
- **Discovery:** Execution of standard reconnaissance commands: `net user` (Account Discovery [T1087.001]), `ipconfig /all` (System Network Configuration Discovery [T1016]), `tasklist /svc` (System Service Discovery [T1007]), and `tasklist /v` (Process Discovery [T1057]).
- **Lateral Movement:** Used **Impacket** to deploy malware across the local network via **SMB/Windows Admin Shares** ([T1021.002]).
- **Command and Control (C2):** ShadowPad communicates over **raw TCP and UDP** ([T1095]).
## Targeting
- **Sectors:** Governments, NGOs, think tanks, Catholic organizations, and universities.
- **Geography:** Global, specifically noted in **Asia, Europe, and the United States**. Identified victim locations include Taiwan, Hungary, Turkey, Thailand, and France.
- **Victims (Operation FishMedley 2022):** Seven organizations, including a governmental organization in Taiwan, a Catholic organization in Hungary, a governmental organization in Thailand, a Catholic charity in the US, an NGO active in Asia (US-based), and a geopolitical think tank in France.
## Tools & Infrastructure
- **Malware Families:** ShadowPad (some packed with ScatterBee), SodaMaster, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT. RPipeCommander was also noted.
- **Infrastructure:** The initial access vector was not identified in every case; the attackers frequently already held privileged network access, which suggests pre-established footholds (such as existing C2 channels or backdoors).
## Implications
FishMonger/I-SOON represents a highly sophisticated, state-sponsored espionage threat directly linked to the Chinese government through state contracting. Their targeting profile is geared towards geopolitical intelligence gathering, focusing on government entities, strategic NGOs, and policy organizations in rival nations. The use of advanced, custom, and shared China-aligned toolsets (like ShadowPad) combined with privilege escalation techniques (like admin credential compromise) indicates a mature and persistent adversary capable of deep intrusion. Legal action by the DOJ confirms high confidence in attribution.
## Mitigations
- Enhance network monitoring for suspicious activity indicative of known implants (ShadowPad, SodaMaster, Spyder).
- Review external telemetry for signs of backdoor usage consistent with known FishMonger/Winnti toolsets.
- Implement strict controls and network segregation around sensitive data held by governmental organizations, NGOs, and think tanks.
- Harden security around high-privilege accounts (Domain Admins) and monitor for credential dumping activities (LSASS access, SAM hive manipulation).
- Investigate and block network traffic associated with raw TCP/UDP communications leveraged by ShadowPad C2.
- Review execution flows for DLL side-loading, specifically targeting legitimate executables being presented with attacker-controlled DLLs (e.g., Bitdefender processes loading malicious `log.dll`).
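As an added example that is not part of the ESET report, the following Python matcher applies the credential-dumping commands, the reconnaissance commands, and the `log.dll` side-loading pattern listed under Tactics, Techniques & Procedures to constructed Sysmon-style events, the kind of check the LSASS/SAM and DLL side-loading mitigations above call for. Host names, file paths, the process ID, and the Bitdefender executable name are placeholders.

```python
import re
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# Illustrative samples only, not telemetry from the report; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01", "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 652 C:\users\public\l.dmp full"},
    {"EventID": 1, "Host": "ws01", "CommandLine": r"reg save hklm\sam C:\users\public\music\sam.hive"},
    {"EventID": 1, "Host": "ws01", "CommandLine": "net user"},
    {"EventID": 1, "Host": "ws01", "CommandLine": "ipconfig /all"},
    {"EventID": 1, "Host": "ws01", "CommandLine": "tasklist /svc"},
    {"EventID": 1, "Host": "ws02", "CommandLine": "ipconfig /all"},
    {"EventID": 7, "Host": "ws01", "Image": r"C:\Users\Public\bitdefender_placeholder.exe", "ImageLoaded": r"C:\Users\Public\log.dll"},
    {"EventID": 7, "Host": "ws02", "Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# Single-event rules: each is high confidence on its own.
COMSVCS_DUMP = re.compile(r"comsvcs\.dll\s*,\s*(MiniDump|#24)\b", re.I)  # #24 is MiniDump's export ordinal
SAM_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I)
# Recon commands are noisy individually; they are only reported as a per-host cluster below.
RECON = {"net user": "T1087.001", "ipconfig /all": "T1016", "tasklist /svc": "T1007", "tasklist /v": "T1057"}

def check_event(e):
    """Return a list of (technique, reason) hits for a single event."""
    hits = []
    if e["EventID"] == 1:
        cmd = e.get("CommandLine", "")
        if COMSVCS_DUMP.search(cmd):
            hits.append(("T1003.001", "LSASS dump via rundll32 comsvcs.dll MiniDump"))
        if SAM_SAVE.search(cmd):
            hits.append(("T1003.002", "SAM hive exported with reg save"))
    elif e["EventID"] == 7:
        loaded = e.get("ImageLoaded", "")
        # log.dll loaded from anywhere but System32 matches the side-loading pattern described above
        if ntpath.basename(loaded).lower() == "log.dll" and not loaded.lower().startswith(r"c:\windows\system32"):
            hits.append(("T1574.002", f"log.dll side-loaded from {ntpath.dirname(loaded)}"))
    return hits

def analyze(events, recon_threshold=3):
    """Per-host findings: single-event hits plus a recon burst of >= recon_threshold distinct commands."""
    findings, recon_seen = defaultdict(list), defaultdict(set)
    for e in events:
        hits = check_event(e)
        if hits:
            findings[e["Host"]].extend(hits)
        cmd = e.get("CommandLine", "").strip().lower()
        if e["EventID"] == 1 and cmd in RECON:
            recon_seen[e["Host"]].add(cmd)
    for host, cmds in recon_seen.items():
        if len(cmds) >= recon_threshold:
            findings[host].append(("recon-burst", ", ".join(sorted(cmds))))
    return dict(findings)
```

The recon threshold is deliberately per host rather than per event: a lone `ipconfig /all` is routine, but several distinct discovery commands on one host shortly after a credential-dumping hit is the sequence worth escalating.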