Chinese Fishmonger APT Linked to I-SOON Targets Governments and NGOs

In a significant development, ESET researchers have detailed a global espionage operation, dubbed Operation FishMedley, attributed to the FishMonger APT group, which is linked to the Chinese contractor I-SOON.

This operation targeted governments, NGOs, and think tanks across Asia, Europe, and the United States in 2022.

The revelation comes on the heels of a US Department of Justice indictment against I-SOON employees and Chinese Ministry of Public Security officers for their involvement in multiple espionage campaigns from 2016 to 2023.

[Image: Names of FishMonger / I‑SOON members]

Operation FishMedley: Technical Insights

Operation FishMedley involved the use of sophisticated implants such as ShadowPad, SodaMaster, and Spyder, which are commonly associated with China-aligned threat actors.

ShadowPad, a modular backdoor, was used in a version packed with ScatterBee.

At one of the victim organizations, the attackers compromised a web server to stage their malware, highlighting their ability to adapt and utilize existing infrastructure for their operations.

Spyder, another modular implant, was detected alongside ShadowPad in some cases, with its loader decrypting content using AES-CBC.

SodaMaster, a backdoor previously linked to APT10, was also used, indicating a possible sharing of tools among China-aligned groups.

The attackers employed various tactics to gain and maintain access.

They used Impacket to move laterally within networks, gathering information and installing implants.

At one victim site, they dumped the Local Security Authority Subsystem Service (LSASS) process to obtain credentials, a technique often used by sophisticated threat actors.

Additionally, they utilized a custom password filter to potentially exfiltrate passwords, though this functionality was not enabled in the observed samples.
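The LSASS dump described above is one of the few steps in this campaign that leaves a reliable host-level trace: a process that is not part of the operating system opens a handle to lsass.exe with memory-read rights. The following Python is an added illustration for this article, not code from ESET or from the FishMedley investigation. It runs a simple detection over constructed records that mimic the fields of a Sysmon Event ID 10 (ProcessAccess) event flattened to key=value pairs; the field layout, the sample process names and the small allowlist of expected source processes are assumptions for the example, not observations from the report.

```python
"""Flag handle opens on lsass.exe that request memory-read rights.

Added example: the records below are constructed and the allowlist is an
assumption; both should be tuned before use in a real environment.
"""
import re
from pathlib import PureWindowsPath

# Process access-right bits from the Win32 API (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Source processes that routinely open lsass.exe with read rights on a typical
# host. Assumed for the example; keep such a list short and environment-specific.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records; dump.exe and update.exe stand in for arbitrary
# unknown binaries, not for any named tool.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\Public\\dump.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict (quoted values lose their quotes)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify_lsass_access(line):
    """Return a finding dict for a suspicious lsass.exe access, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":
        return None
    if PureWindowsPath(ev.get("TargetImage", "")).name.lower() != "lsass.exe":
        return None
    access = int(ev.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        # Query-only handles (e.g. 0x1000) are routine and not worth an alert.
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in EXPECTED_SOURCES:
        return None
    return {
        "source": source,
        "granted_access": ev["GrantedAccess"],
        "reason": "non-allowlisted process opened lsass.exe with PROCESS_VM_READ",
    }


def scan_events(lines):
    """Run the check over every record and return the list of findings."""
    findings = []
    for line in lines:
        finding = classify_lsass_access(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {f['source']} ({f['granted_access']}): {f['reason']}")
```

Of the six constructed records, only two are flagged: the svchost.exe handle carries no read right, the csrss.exe handle is allowlisted, the notepad.exe target is irrelevant and the process-creation event is a different event type. The access-mask test rather than an exact-value match is the deliberate choice here, since tooling varies the mask it requests and the read right is the one bit every memory dump needs.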

Attribution and Implications

ESET researchers independently confirmed that FishMonger is an espionage team operated by I-SOON, a Chinese contractor based in Chengdu.

This attribution aligns with the DOJ’s indictment, which highlights I-SOON’s involvement in global espionage operations.

The use of well-known implants like ShadowPad and SodaMaster suggests that FishMonger is not hesitant to reuse tools even after they have been publicly disclosed.

This campaign underscores the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.