Operation FishMedley: Targeting Governments, NGOs, and Think Tanks

On March 5th, 2025, the US Department of Justice unsealed an indictment against employees of the Chinese contractor I‑SOON for their involvement in espionage operations around the world. The indictment tied these employees to several attacks previously attributed to the FishMonger APT group, which is known to be the operational arm of I‑SOON. Among those attacks is the compromise of seven organizations identified in a 2022 campaign called Operation FishMedley.

Operation FishMedley targeted governments, NGOs, and think tanks across Asia, Europe, and the United States. The attackers deployed implants such as ShadowPad, SodaMaster, and Spyder, which are commonly associated with China-aligned threat actors. The attribution of Operation FishMedley to the FishMonger APT group is strong, and the campaign is consistent with the group’s long-running espionage activity.

The FishMonger APT group, believed to be operated by the Chinese contractor I‑SOON, falls under the Winnti Group umbrella and is suspected to be based in Chengdu, China. It is also known by other names such as Earth Lusca, TAG‑22, Aquatic Panda, or Red Dev 10. FishMonger has a history of conducting watering-hole attacks as reported by Trend Micro. Their toolset includes a variety of malicious software like ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.

The US DOJ’s indictment shed light on the malicious activities conducted by FishMonger under the umbrella of I‑SOON, highlighting the intricate web of cyber espionage orchestrated by these entities from 2016 to 2023. The FBI’s addition of the indicted individuals to the “most wanted” list signifies the gravity of the situation and the urgency in bringing these perpetrators to justice.

In its technical analysis of Operation FishMedley, the blogpost described the methods and tools used by the attackers, from initial access through lateral movement within the compromised networks. The use of implants such as ShadowPad, Spyder, SodaMaster, and the newly discovered RPipeCommander illustrates the group’s operational maturity.

The analysis also covered the persistence and evasion techniques used by FishMonger, from registering Windows services for persistence to hijacking execution flow through DLL side-loading. The attackers also collected sensitive information by extracting passwords from web browsers and by installing custom password filters to subvert the authentication process.
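One concrete check a defender can run against the password-filter technique mentioned above is to audit which DLLs are registered as LSA notification packages, since Windows loads every DLL named in that registry value into lsass.exe and hands it each plaintext password change. The script below is an added example written for this page; it is not code from the article or from the research it summarizes. It assumes the Windows default filter is `scecli` (with `rassfm` present on some older or RAS-enabled systems) and that any filter your organisation deploys deliberately has been added to the `$knownGood` list.

```powershell
# Added example (not from the article): audit LSA password-filter registrations.
# Run in an elevated PowerShell session on the host being checked.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption: these are the only filters expected on this host. Extend the list
# with filters your organisation installs on purpose (e.g. a password-policy product).
$knownGood = @('scecli', 'rassfm')

# 'Notification Packages' is a REG_MULTI_SZ of DLL base names (no extension);
# LSA loads each one from %SystemRoot%\System32 at boot.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
    $status  = if ($knownGood -contains $name.ToLower()) { 'expected' } else { 'UNEXPECTED' }

    # An unsigned or missing DLL in this list is a strong signal worth escalating.
    if (Test-Path $dllPath) {
        $signature = (Get-AuthenticodeSignature -FilePath $dllPath).Status
        $sha256    = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
    } else {
        $signature = 'file missing'
        $sha256    = $null
    }

    [PSCustomObject]@{
        Package   = $name
        Path      = $dllPath
        Status    = $status
        Signature = $signature
        SHA256    = $sha256
    }
}
```

Any entry reported as `UNEXPECTED`, unsigned, or pointing at a missing file should be compared against change records for the host; a legitimate filter is normally part of a documented deployment, whereas a filter that appeared without one is exactly the case the article describes.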

The blogpost also provided a comprehensive list of indicators of compromise (IoCs) and detailed the network infrastructure FishMonger used during Operation FishMedley. It mapped the group’s activity to MITRE ATT&CK techniques, showing the range of tactics the threat actors used to reach their espionage objectives.

Overall, the US DOJ’s indictment of I‑SOON employees and the technical analysis of Operation FishMedley underscore the persistent threat posed by well-resourced cyber espionage groups like FishMonger. Collaboration between government agencies and security researchers remains essential to countering such threats and protecting critical infrastructure and sensitive information worldwide.
