FishMonger APT Group Linked to I-SOON in Espionage Campaigns

A Chinese cyber-espionage group known as FishMonger has been directly linked to I-SOON, a technology contractor recently indicted by the US Department of Justice (DOJ) for its role in global cyber-attacks.
The group, believed to be an operational arm of I-SOON, has targeted governments, NGOs and think tanks across Asia, Europe and the United States.
Operation FishMedley and Espionage Activities
FishMonger, also referred to as Earth Lusca, TAG-22, Aquatic Panda or Red Dev 10, has a history of cyber-espionage dating back to at least 2019.
It operates under the Winnti Group umbrella and primarily functions out of Chengdu, China. According to new findings by ESET, FishMonger was behind Operation FishMedley – a 2022 cyber campaign that compromised seven organizations worldwide.
Key verticals targeted in this campaign included:
- Government agencies in Taiwan and Thailand
- NGOs and charities operating in the US and Asia
- A Catholic organization in Hungary
- A geopolitical think tank in France
The group deployed sophisticated malware implants such as ShadowPad, Spyder and SodaMaster – tools commonly associated with China-aligned threat actors. These implants facilitated data theft, surveillance and network penetration.
ESET’s investigation into FishMonger’s activities revealed:
- Use of privileged network access, potentially via stolen domain administrator credentials
- Deployment of implants through compromised admin consoles and Impacket-based lateral movement
- Execution of reconnaissance commands and credential theft via LSASS process dumps
At one US-based NGO, attackers used the Impacket tool to escalate privileges, execute system commands and extract sensitive registry hives containing authentication data.
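For defenders, the behaviours listed above (Impacket-style remote execution, registry hive saves and LSASS dumps) can be triaged from process-creation logs. The sketch below is an added example, not code or indicators from ESET or the original article; the regexes, host names and sample events are constructed assumptions based on commonly documented tool behaviour.

```python
import re

# Heuristics for the behaviours described above. The patterns reflect widely
# documented tool behaviour (assumption); they are not IoCs from ESET's report.
RULES = [
    # Impacket wmiexec/smbexec-style shell: output redirected to a loopback admin share.
    ("impacket_exec_redirect",
     re.compile(r"cmd(\.exe)?\s+/q\s+/c\s+.*\\\\127\.0\.0\.1\\[a-z]+\$\\", re.I)),
    # SAM / SYSTEM / SECURITY hives saved to disk for offline credential extraction.
    ("registry_hive_save",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\s", re.I)),
    # LSASS memory dump via comsvcs.dll MiniDump (name or ordinal) or procdump.
    ("lsass_dump",
     re.compile(r"comsvcs(\.dll)?\W+(minidump|#\+?24)|procdump\S*\s+.*\blsass", re.I)),
]
CREDENTIAL_RULES = {"registry_hive_save", "lsass_dump"}

# Constructed process-creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "NGO-SRV01", "cmd": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1650000000.12 2>&1"},
    {"host": "NGO-SRV01", "cmd": r"cmd.exe /Q /c reg save HKLM\SAM C:\Users\Public\s.hiv 1> \\127.0.0.1\ADMIN$\__1650000001.50 2>&1"},
    {"host": "NGO-SRV01", "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\l.dmp full"},
    {"host": "NGO-BK02", "cmd": r"reg.exe save HKLM\SYSTEM D:\backup\system.hiv"},
    {"host": "NGO-WS07", "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows"},
    {"host": "NGO-WS07", "cmd": r"cmd.exe /c dir C:\Users"},
]

def triage(events):
    """Map host -> (severity, fired rule names); 'high' when remote
    execution and credential access are seen on the same host."""
    hits = {}
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.setdefault(ev["host"], set()).add(name)
    report = {}
    for host, names in hits.items():
        chained = "impacket_exec_redirect" in names and names & CREDENTIAL_RULES
        report[host] = ("high" if chained else "medium", sorted(names))
    return report

if __name__ == "__main__":
    for host, (severity, rules) in triage(SAMPLE_EVENTS).items():
        print(host, severity, rules)
```

A lone hive save, as on the constructed backup host, stays at medium because legitimate backup jobs produce the same command line; the chain with remote execution is what raises severity.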
I-SOON “Most Wanted” by FBI
On March 5 2025, the DOJ unsealed an indictment against I-SOON employees and China’s Ministry of Public Security officers, charging them with conducting cyber-espionage between 2016 and 2023.
The FBI also added several individuals associated with I-SOON to its “most wanted” list. Independent research had previously identified I-SOON as the entity behind FishMonger’s operations, further corroborating the DOJ’s findings.