- Many ways to use the date command on Linux
- Customer Experience is Ready to Engage at Cisco Live
- Arc reinvented browsing for the better - and that was apparently the problem
- Why I prefer this rugged Samsung phone over flagship models (and it looks just as good)
- New cybersecurity threats test the mettle of financial services CIOs
FishMonger APT Group Linked to I-SOON in Espionage Campaigns
A Chinese cyber-espionage group known as FishMonger has been directly linked to I-SOON, a technology contractor recently indicted by the US Department of Justice (DOJ) for its role in global cyber-attacks.
The group, believed to be an operational arm of I-SOON, has targeted governments, NGOs and think tanks across Asia, Europe and the United States.
Operation FishMedley and Espionage Activities
FishMonger, also referred to as Earth Lusca, TAG-22, Aquatic Panda or Red Dev 10, has a history of cyber-espionage dating back to at least 2019.
It operates under the Winnti Group umbrella and primarily functions out of Chengdu, China. According to new findings by ESET, FishMonger was behind Operation FishMedley – a 2022 cyber campaign that compromised seven organizations worldwide.
Key verticals targeted in this campaign included:
- Government agencies in Taiwan and Thailand
- NGOs and charities operating in the US and Asia
- A Catholic organization in Hungary
- A geopolitical think tank in France
The group deployed sophisticated malware implants such as ShadowPad, Spyder and SodaMaster – tools commonly associated with China-aligned threat actors. These implants facilitated data theft, surveillance and network penetration.
ESET’s investigation into FishMonger’s activities revealed:
- Use of privileged network access, potentially via stolen domain administrator credentials
- Deployment of implants through compromised admin consoles and Impacket-based lateral movement
- Execution of reconnaissance commands and credential theft via LSASS process dumps
At one US-based NGO, attackers used the Impacket tool to escalate privileges, execute system commands and extract sensitive registry hives containing authentication data.
I-SOON “Most Wanted” by FBI
On March 5 2025, the DOJ unsealed an indictment against I-SOON employees and China’s Ministry of Public Security officers, charging them with conducting cyber-espionage between 2016 and 2023.
The FBI also added several individuals associated with I-SOON to its “most wanted” list. Independent research had previously identified I-SOON as the entity behind FishMonger’s operations, further corroborating the DOJ’s findings.
