2025-04-03

"Operation FishMedley" Ties I-SOON to 2022 Espionage Campaign

Level: Tactical | Source: ESET
Sectors: Government, Non-government organizations (NGOs), Religion, Think Tanks

ESET has published a report on a cyberespionage campaign it attributes to the FishMonger APT group—also tracked as Charcoal Typhoon, TAG‑22, and Aquatic Panda. The group is identified as the "operational arm" of the Chinese contractor I‑SOON and falls under the broader Winnti Group umbrella. ESET names this specific campaign "Operation FishMedley"; it comprises the compromise of seven organizations during 2022. Victims spanned government agencies, religious institutions, NGOs, and think tanks across Asia, Europe, and the United States. Malware families linked to these intrusions include ShadowPad, SodaMaster, Spyder, RPipeCommander, and others, reflecting the group's access to a wide toolset commonly attributed to Chinese state-aligned actors. Notably, the implant mix varied per victim: ShadowPad was deployed to targets A, D, and F, while SodaMaster appeared in five of the seven breaches. Spyder and RPipeCommander were observed at victim D.

The initial access vector for these intrusions is undetermined, although the evidence points to activity carried out with compromised credentials. ESET reports: "We were unable to identify the initial compromise vectors. For most cases, the attackers seemed to have had privileged access inside the local network, such as domain administrator credentials." In one instance, a compromised administrative console was used to propagate implants, while another showed the use of Impacket to facilitate lateral movement. Post-compromise activity included reconnaissance using native Windows binaries such as "quser.exe," "wmic.exe," "ipconfig.exe," "net," and "tasklist." ESET observes, "it is likely that the attackers executed quser.exe to see whether other users or admins were also logged in, meaning privileged accesses were present in LSASS." Credential access involved dumping LSASS memory through "comsvcs.dll" invoked from PowerShell, and exporting the SAM and SYSTEM registry hives with "reg save." PowerShell was also used to download payloads, including DLLs that were later side-loaded. In some cases, downloads were initiated via Firefox, though ESET could not confirm whether this was done interactively or by another process.

Malware analysis provides further insight into FishMonger's capabilities. ShadowPad was configured to persist as a service named "MyTest2," with an AutoRun registry key, and to inject into "wmplayer.exe" or "svchost.exe." Spyder, dropped as "task.exe" in the Public directory, decrypted shellcode from a file stored in %TEMP% and injected it into its own process. SodaMaster was deployed through side-loaded DLLs, which decrypted payloads from disk and injected them into suspended "svchost.exe" processes using "CreateRemoteThread" or "NtCreateThreadEx." In several instances, these loaders were also able to read Firefox's SQLite database. Another tool, RPipeCommander, created a named pipe for interacting with a reverse shell, issuing commands through "cmd.exe." Additional utilities included a password filter, internal scanning tools, and Dropbox command-line clients for potential data exfiltration.
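The two paragraphs above describe behaviours that leave clear traces in host telemetry: a burst of reconnaissance binaries run under one account, an LSASS dump through comsvcs.dll, SAM and SYSTEM hive exports with reg save, and a service installed under the ShadowPad service name ESET observed. The following Python is an added example (not code from ESET or Anvilogic) of how those traces can be matched in normalised process-creation and service-install events. The event records, field names ("ts", "host", "image", "cmdline", "service_name"), the 10-minute reconnaissance window and the three-binary threshold are all assumptions made for the example; only the binary names and the "MyTest2" service name come from the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example only; not taken from the ESET
# report. Records mimic normalised process-creation and service-install events
# with hypothetical field names. Timestamps are seconds, kept small.
EVENTS = [
    # Reconnaissance burst by one account on WS01, using the binaries the page lists
    {"ts": 100, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\quser.exe", "cmdline": "quser.exe"},
    {"ts": 105, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic process list brief"},
    {"ts": 110, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 112, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"ts": 120, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    # LSASS memory dump through comsvcs.dll, launched from PowerShell
    {"ts": 300, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\out.dmp full"},
    # SAM and SYSTEM hive export with reg save
    {"ts": 310, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hive"},
    {"ts": 311, "host": "WS01", "event": "process", "user": r"CORP\ops_admin",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SYSTEM C:\Users\Public\system.hive"},
    # Service install using the ShadowPad service name from the report (path is made up)
    {"ts": 400, "host": "SRV02", "event": "service", "service_name": "MyTest2",
     "image_path": r"C:\ProgramData\MyTest2\loader.exe"},
    # Benign noise on SRV02: a lone ipconfig and a reg query must not fire
    {"ts": 450, "host": "SRV02", "event": "process", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
    {"ts": 460, "host": "SRV02", "event": "process", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]

# comsvcs.dll followed by its MiniDump export anywhere in the command line
LSASS_DUMP_RE = re.compile(r"comsvcs(?:\.dll)?\W.*minidump", re.IGNORECASE)
# "reg save" of the SAM or SYSTEM hive in either hive-root spelling
HIVE_EXPORT_RE = re.compile(
    r"\bsave\b.*\b(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM)\b", re.IGNORECASE)
# net.exe hands off to net1.exe, so both are listed alongside the page's binaries
RECON_BINARIES = {"quser.exe", "wmic.exe", "ipconfig.exe", "net.exe", "net1.exe", "tasklist.exe"}
RECON_WINDOW_SECONDS = 600   # assumed window for a reconnaissance burst
RECON_MIN_DISTINCT = 3       # assumed number of distinct binaries needed
KNOWN_SERVICE_NAMES = {"mytest2"}  # ShadowPad service name reported by ESET


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the four rules over the events; return a list of finding dicts."""
    findings = []
    recon = defaultdict(list)  # (host, user) -> [(ts, binary)] in time order
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "service":
            if e["service_name"].lower() in KNOWN_SERVICE_NAMES:
                findings.append({"rule": "shadowpad_service_name", "host": e["host"],
                                 "ts": e["ts"], "detail": e["service_name"]})
            continue
        image, cmdline = _basename(e["image"]), e["cmdline"]
        if LSASS_DUMP_RE.search(cmdline):
            findings.append({"rule": "lsass_dump_comsvcs", "host": e["host"],
                             "ts": e["ts"], "detail": image})
        hive = HIVE_EXPORT_RE.search(cmdline)
        if image == "reg.exe" and hive:
            findings.append({"rule": "hive_export", "host": e["host"],
                             "ts": e["ts"], "detail": hive.group(1).upper()})
        if image in RECON_BINARIES:
            recon[(e["host"], e["user"])].append((e["ts"], image))
    # Sliding window: enough distinct recon binaries by one account on one host
    for (host, user), seen in recon.items():
        for i, (start, _) in enumerate(seen):
            distinct = sorted({b for t, b in seen[i:] if t - start <= RECON_WINDOW_SECONDS})
            if len(distinct) >= RECON_MIN_DISTINCT:
                findings.append({"rule": "recon_burst", "host": host, "ts": start,
                                 "detail": distinct, "user": user})
                break  # one finding per (host, user) is enough
    return findings


def count_by_rule(findings):
    """Number of findings per rule name."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['ts']:>4} {f['host']:<6} {f['rule']:<24} {f['detail']}")
```

The reconnaissance rule deliberately keys on host and account rather than on any single binary, since quser, ipconfig or tasklist alone are routine administrative noise; the LSASS and hive-export rules, by contrast, are specific enough to alert on a single event. In a real pipeline the same logic would be expressed as queries over the SIEM's normalised process and service tables.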

The high-profile nature of this threat group warrants continued tracking, as evidenced by the release of "Wanted by the FBI" notices for I‑SOON employees linked to the operation. ESET's analysis, reported by senior researcher Matthieu Faou, concludes: "We also showed that the group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described. Finally, we have independently confirmed that FishMonger is a team that is part of the Chinese company I‑SOON."