Operation FishMedley targeting governments, NGOs, and think tanks

The US Department of Justice unsealed an indictment on March 5th, 2025, against employees of the Chinese contractor I‑SOON for their involvement in global espionage operations, including attacks attributed to the FishMonger APT group. These attacks targeted various organizations during Operation FishMedley in 2022, affecting governments, NGOs, and think tanks across Asia, Europe, and the United States.

The FishMonger APT group, believed to be operated by I‑SOON, falls under the Winnti Group umbrella and is likely based in Chengdu, China. Known by various aliases such as Earth Lusca and Aquatic Panda, FishMonger has a history of targeting universities in Hong Kong during civic protests. The group carries out watering-hole attacks and uses a toolset that includes ShadowPad, Spyder, and Cobalt Strike.

In 2025, the US DOJ indicted I‑SOON employees and Ministry of Public Security officers for their involvement in espionage campaigns from 2016 to 2023. Victims of Operation FishMedley included organizations in Taiwan, Hungary, Turkey, Thailand, the United States, and France. The attackers used implants like ShadowPad, Spyder, and SodaMaster to compromise their targets.

Technical analysis revealed that the attackers gained privileged access within local networks, likely through compromised credentials. Lateral movement relied on Impacket to gather information about other machines and to install implants. ShadowPad, a modular backdoor supplied only to China-aligned threat actors, was used in Operation FishMedley in a version packed with ScatterBee. The attackers compromised web servers at victim organizations to serve as staging servers for their malware. It is unclear whether the attackers had interactive access to the machine, whether another piece of malware was running in the Firefox process, or whether the victim was redirected to the download page through a watering-hole attack.

The log.dll file is side-loaded by an old Bitdefender executable (original name: BDReinit.exe) and loads ShadowPad from a file named log.dll.dat, which can be decrypted using scripts from PwC’s GitHub repository. Although we did not recover log.dll.dat from the victim’s machine, we found a fake Adobe Flash installer on VirusTotal containing the same log.dll file. The ShadowPad payload configuration is detailed in Table 4.

Spyder, a backdoor often used by FishMonger, was detected at Victim D. It is a modular implant that was extensively analyzed by Dr.Web. A Spyder loader was downloaded from a victim’s web server IP address and dropped to C:\Users\Public\task.exe approximately 18 hours after the ShadowPad installation. The loader decrypts the contents of the file c:\windows\temp\guid.dat using AES-CBC with a hardcoded key and injects the decoded content into itself. Unfortunately, the guid.dat file was not recovered.

SodaMaster, a backdoor documented by Kaspersky in 2021, was detected in memory. We found six different malicious DLLs abusing legitimate executables through DLL side-loading. The loaders decrypt a file whose path is hardcoded, using XOR with a specific key, and inject the decrypted buffer into a suspended svchost.exe process.
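
As an added analyst-side example (not code from the original post or from ESET), the following Python recovers a repeating XOR key from an encrypted PE payload of the kind these side-loaded loaders carry, using the standard MSVC DOS header as known plaintext and the PE signature at e_lfanew as the validation check. It assumes the payload is an unmodified PE and that the key is at most 16 bytes; the sample buffer and key are constructed, not the campaign's.

```python
import struct
from typing import Optional

# First 16 bytes of the DOS header that MSVC-built PE files share; used as the
# known plaintext for the key recovery (assumption: the payload is a normal PE).
KNOWN_DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Validate a candidate plaintext: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(blob: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key of length 1..max_key_len.

    For each candidate length the key is derived from the first bytes of the blob
    and the known DOS header, then checked against the whole decrypted buffer, so a
    key that only explains the first bytes is rejected.
    """
    for klen in range(1, max_key_len + 1):
        candidate = xor_bytes(blob[:klen], KNOWN_DOS_HEADER[:klen])
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None

def build_fake_pe() -> bytes:
    """Constructed sample: a minimal PE-shaped buffer (DOS header, COFF header, padding)."""
    dos = KNOWN_DOS_HEADER + b"\x00" * (0x3C - 16) + struct.pack("<I", 0x80)
    dos += b"\x00" * (0x80 - len(dos))                      # DOS stub padding
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    return dos + coff + b"\x00" * 256                        # zero padding like real sections

SAMPLE_KEY = b"\x5a\xc3\x11\x7e\x02"          # constructed key, not the real one
ENCRYPTED_SAMPLE = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_SAMPLE)
    print("recovered key:", key.hex() if key else None)
```
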

RPipeCommander, a previously unknown implant, was captured at Victim D, likely loaded by Spyder. It is a reverse shell that accepts commands via a named pipe.

Additionally, the attackers used a custom password filter, C:\Windows\system32\sasetup.dll, intended to exfiltrate passwords and other data. In this specific sample, however, the exfiltration functionality is not enabled and no C&C server is configured.

File Paths:

  • C:\Windows\debug\svhost.tmp: Contains the fscan network scanner, which can be found on GitHub.
  • C:\nb.exe: Includes nbtscan, a NetBIOS scanner.
  • C:\Users\public\drop.zip: This file contains dbxcli, a tool written in Go for interacting with Dropbox. It seems to have been used for data exfiltration, although no information about the attackers’ account has been retrieved. Despite the .zip extension, this file is actually a CAB file. It was downloaded from http://45.76.165[.]227/wECqKe529r.png. Additionally, the very low prevalence in the wild of this hash (SHA-1: 2AD82FFA393937A2353096FE2A2209E0EBC1C9D7) suggests that dbxcli was compiled by the attackers themselves.
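
An added triage helper (not part of the original post or of ESET's tooling) that checks whether a file's magic bytes agree with its extension, as with drop.zip above, and parses the CAB header (CFHEADER) fields before anything is extracted. The sample cabinet bytes are constructed; only the file names come from the post.

```python
import struct
from pathlib import PureWindowsPath

# Leading bytes that identify the container types relevant here.
MAGICS = {b"MSCF": "cab", b"PK\x03\x04": "zip", b"MZ": "pe", b"\x89PNG": "png"}
EXTENSION_TYPES = {".cab": "cab", ".zip": "zip", ".exe": "pe", ".dll": "pe", ".png": "png"}
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # the fixed 36-byte CAB header

def sniff(data: bytes) -> str:
    """Identify the container by its magic bytes, ignoring the file name."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def parse_cab_header(data: bytes) -> dict:
    """Return the CFHEADER fields an analyst wants to see before extracting anything."""
    (sig, _, cb_cabinet, _, coff_files, _, v_minor, v_major,
     c_folders, c_files, flags, set_id, _) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a CAB file")
    return {"version": f"{v_major}.{v_minor}", "size": cb_cabinet, "first_cffile": coff_files,
            "folders": c_folders, "files": c_files, "flags": flags, "set_id": set_id,
            "size_matches": cb_cabinet == len(data)}   # truncated or padded cabinets stand out

def triage(path: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say; add CAB details if present."""
    claimed = EXTENSION_TYPES.get(PureWindowsPath(path).suffix.lower(), "unknown")
    actual = sniff(data)
    report = {"path": path, "claimed": claimed, "actual": actual,
              "mismatch": actual != "unknown" and claimed != actual}
    if actual == "cab" and len(data) >= CFHEADER.size:
        report["cab"] = parse_cab_header(data)
    return report

# Constructed sample: a CFHEADER claiming one folder and one file, followed by
# placeholder body bytes; it is not the real drop.zip from the campaign.
_BODY = b"\x00" * 28
SAMPLE_CAB = CFHEADER.pack(b"MSCF", 0, CFHEADER.size + len(_BODY), 0, CFHEADER.size + 8, 0,
                           3, 1, 1, 1, 0, 0x1234, 0) + _BODY

if __name__ == "__main__":
    for name in (r"C:\Users\public\drop.zip", "wECqKe529r.png"):
        print(triage(name, SAMPLE_CAB))
```
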

Conclusion:
This blog post sheds light on FishMonger’s global campaign against high-profile targets and its use of well-known implants like ShadowPad and SodaMaster, even long after their public disclosure. The group, identified as part of the Chinese company I-SOON, was indicted by the US DOJ in March 2025.

For any questions regarding our research on WeLiveSecurity, feel free to reach out to us at threatintel@eset.com. ESET Research also provides private APT intelligence reports and data feeds. Visit the ESET Threat Intelligence page for more information.

Indicators of Compromise (IoCs):
A detailed list of IoCs and samples can be accessed in our GitHub repository.

MITRE ATT&CK Techniques:
The table lists the MITRE ATT&CK techniques used by FishMonger in their operations, covering resource development, execution, persistence, defense evasion, credential access, discovery, lateral movement, and command and control.

