Date: 2025-03-20

A Chinese cyber-espionage group known as FishMonger has been directly linked to I-SOON, a technology contractor recently indicted by the US Department of Justice (DOJ) for its role in global cyber-attacks.

The group, believed to be an operational arm of I-SOON, has targeted governments, NGOs and think tanks across Asia, Europe and the United States.

Operation FishMedley and Espionage Activities

FishMonger, also referred to as Earth Lusca, TAG-22, Aquatic Panda or Red Dev 10, has a history of cyber-espionage dating back to at least 2019.

It operates under the Winnti Group umbrella and primarily functions out of Chengdu, China. According to new findings by ESET, FishMonger was behind Operation FishMedley – a 2022 cyber campaign that compromised seven organizations worldwide.

Key verticals targeted in this campaign included:

Government agencies in Taiwan and Thailand

NGOs and charities operating in the US and Asia

A Catholic organization in Hungary

A geopolitical think tank in France

The group deployed sophisticated malware implants such as ShadowPad, Spyder and SodaMaster – tools commonly associated with China-aligned threat actors. These implants facilitated data theft, surveillance and network penetration.

ESET’s investigation into FishMonger’s activities revealed:

Use of privileged network access, potentially via stolen domain administrator credentials

Deployment of implants through compromised admin consoles and Impacket-based lateral movement

Execution of reconnaissance commands and credential theft via LSASS process dumps

At one US-based NGO, attackers used the Impacket tool to escalate privileges, execute system commands and extract sensitive registry hives containing authentication data.

I-SOON “Most Wanted” by FBI

On March 5 2025, the DOJ unsealed an indictment against I-SOON employees and China’s Ministry of Public Security officers, charging them with conducting cyber-espionage between 2016 and 2023.

The FBI also added several individuals associated with I-SOON to its “most wanted” list. Independent research had previously identified I-SOON as the entity behind FishMonger’s operations, further corroborating the DOJ’s findings.