FishMonger APT Group Linked to I-SOON in Espionage Campaigns

A Chinese cyber-espionage group known as FishMonger has been directly linked to I-SOON, a technology contractor recently indicted by the US Department of Justice (DOJ) for its role in global cyber-attacks.
The group, believed to be an operational arm of I-SOON, has targeted governments, NGOs and think tanks across Asia, Europe and the United States.
Operation FishMedley and Espionage Activities
FishMonger, also referred to as Earth Lusca, TAG-22, Aquatic Panda or Red Dev 10, has a history of cyber-espionage dating back to at least 2019.
It operates under the Winnti Group umbrella and primarily functions out of Chengdu, China. According to new findings by ESET, FishMonger was behind Operation FishMedley – a 2022 cyber campaign that compromised seven organizations worldwide.
Key verticals targeted in this campaign included:
- Government agencies in Taiwan and Thailand
- NGOs and charities operating in the US and Asia
- A Catholic organization in Hungary
- A geopolitical think tank in France
The group deployed sophisticated malware implants such as ShadowPad, Spyder and SodaMaster – tools commonly associated with China-aligned threat actors. These implants facilitated data theft, surveillance and network penetration.
ESET’s investigation into FishMonger’s activities revealed:
- Use of privileged network access, potentially via stolen domain administrator credentials
- Deployment of implants through compromised admin consoles and Impacket-based lateral movement
- Execution of reconnaissance commands and credential theft via LSASS process dumps
At one US-based NGO, attackers used the Impacket tool to escalate privileges, execute system commands and extract sensitive registry hives containing authentication data.
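The three behaviours above (Impacket-based command execution, registry hive extraction and LSASS dumping) can be hunted for in process-creation logs. The following is an added example, not code from the article or from ESET: the command-line patterns are assumptions drawn from publicly documented tool defaults, and the host names and events are constructed.

```python
import re

# Heuristic patterns (assumptions, not indicators published for this campaign).
RULES = {
    # Impacket wmiexec/smbexec redirect command output to a local admin share.
    "impacket_remote_exec": re.compile(
        r"cmd(\.exe)?\s+/q\s+/c\s.+\\\\127\.0\.0\.1\\(admin|c)\$\\__", re.I),
    # reg.exe saving or exporting the hives that hold authentication data.
    "registry_hive_dump": re.compile(
        r"\breg(\.exe)?\s+(save|export)\s+hklm\\(sam|system|security)\b", re.I),
    # Two common command-line ways of writing an LSASS memory dump.
    "lsass_dump": re.compile(
        r"comsvcs(\.dll)?\W+minidump|procdump(64)?(\.exe)?\s.*\blsass", re.I),
}

# Constructed process-creation events (host names and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "ngo-dc01", "cmdline":
        r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1660000000.1 2>&1"},
    {"host": "ngo-dc01", "cmdline":
        r"cmd.exe /Q /c reg save HKLM\SAM C:\Windows\Temp\s.tmp "
        r"1> \\127.0.0.1\ADMIN$\__1660000000.1 2>&1"},
    {"host": "ngo-ws07", "cmdline":
        r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\o.dmp full"},
    {"host": "ngo-ws11", "cmdline":
        r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},
]

def match_rules(cmdline):
    """Return the names of all rules whose pattern appears in the command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events):
    """Group rule hits per host; remote execution plus credential access is 'high'."""
    hits = {}
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(name)
    report = {}
    for host, names in hits.items():
        cred_access = names & {"registry_hive_dump", "lsass_dump"}
        high = "impacket_remote_exec" in names and bool(cred_access)
        report[host] = {"rules": sorted(names),
                        "severity": "high" if high else "medium"}
    return report

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["severity"], ", ".join(result["rules"]))
```

Hosts where remote execution and credential access appear together are ranked highest, since that combination matches the sequence described at the US-based NGO.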
I-SOON “Most Wanted” by FBI
On March 5 2025, the DOJ unsealed an indictment against I-SOON employees and China’s Ministry of Public Security officers, charging them with conducting cyber-espionage between 2016 and 2023.
The FBI also added several individuals associated with I-SOON to its “most wanted” list. Independent research had previously identified I-SOON as the entity behind FishMonger’s operations, further corroborating the DOJ’s findings.