Hackers attack governments and NGOs in Asia, Europe and the USA

March 21, 2025

ESET uncovers global espionage campaign by internationally wanted hacker group ‘FishMonger’

IT security vendor ESET is today publishing a new analysis of FishMonger, a hacking group belonging to the infamous Chinese IT service provider I-SOON (https://www.zdf.de/nachrichten/politik/ausland/china-datenleck-i-soon-cyber-spionage-hacker-100.html). The cybercriminals specifically targeted governments, think tanks and NGOs on several continents in order to obtain data. These attacks have already been documented in ESET’s Threat Intelligence reports (https://www.eset.com/de/business/services/threat-intelligence/). A detailed report has been published by experts on the security blog welivesecurity.de (https://www.welivesecurity.com/de/eset-research/operation-fishmedley).

The US Department of Justice recently unsealed an indictment against I-SOON operatives. At the same time as the indictment, the FBI added the alleged perpetrators to its Most Wanted list. Among the cyberattacks revealed is a campaign from 2022 that ESET has named ‘Operation FishMedley’.

These organisations were targeted by FishMonger

ESET investigated numerous attacks in 2022. In the process, it discovered tools such as ShadowPad and SodaMaster, which are very popular with Chinese hackers.

‘Our research has confirmed that FishMonger is part of I-SOON, a Chinese IT company based in Chengdu that came to prominence in 2024 through a massive document leak,’ explains ESET researcher Matthieu Faou, who analysed the attacks. ‘We attribute a total of seven independent incidents to Operation FishMedley.’

The attacks were targeted at a wide range of organisations, including government agencies in Taiwan and Thailand, Catholic charities in Hungary and the US, a US-based NGO, a French geopolitical think tank and an unknown organisation in Turkey. The choice of targets suggests that the operation was aimed at the Chinese government’s strategic interests.

Tactics and tools used

In most cases, the attackers gained privileged access to their victims’ local networks, for example, by stealing domain administrator credentials. FishMonger’s arsenal includes ShadowPad, SodaMaster and Spyder, as well as a custom password exfiltration tool, a program for stealing data from Dropbox storage, the fscan network scanner, and a NetBIOS scanner.

Who is behind FishMonger?

FishMonger operates under the umbrella of the infamous Winnti group, most likely out of Chengdu. ESET published an analysis (https://www.welivesecurity.com/deutsch/2020/01/31/winnti-group-attackiert-universitaeten-in-hongkong/) of this group back in 2020, when it targeted universities in Hong Kong during the 2019 protests. FishMonger is known for its watering hole attacks. These are cyberattacks in which a website is compromised with malicious code in order to infect the computers of its visitors. In addition, the group uses a combination of advanced cyber tools such as Cobalt Strike, FunnySwitch, SprySOCKS and BIOPASS RAT. FishMonger is known by various other names, including Earth Lusca, TAG-22 and Aquatic Panda.

Further information can be found in the latest blog post ‘Operation FishMedley (https://www.welivesecurity.com/de/eset-research/operation-fishmedley)’ on welivesecurity.de.
