
Mar 21, 2025 | Ravie Lakshmanan | Cybercrime / Cyber Espionage

A China-linked advanced persistent threat (APT) group, known as Aquatic Panda, has been linked to a global espionage campaign that occurred in 2022, targeting seven organizations across various countries.

These targeted entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks in Taiwan, Hungary, Turkey, Thailand, France, and the United States. The campaign, which took place over a period of ten months between January and October 2022, has been codenamed Operation FishMedley by ESET, a Slovakian cybersecurity company.

According to security researcher Matthieu Faou, “Operators used implants, such as ShadowPad, SodaMaster, and Spyder, which are common or exclusive to China-aligned threat actors.” More information on this can be found in his analysis.

Aquatic Panda, also known as Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a Chinese cyber espionage group known to be active since at least 2019. The group is tracked by ESET under the name FishMonger.

Aquatic Panda is said to operate under the umbrella of the Winnti Group (also known as APT41, Barium, or Bronze Atlas) and is overseen by the Chinese contractor i-Soon. Some employees of i-Soon were charged by the U.S. Department of Justice (DoJ) for their involvement in multiple espionage campaigns between 2016 and 2023.

The group has been linked to a late 2019 campaign targeting universities in Hong Kong, utilizing ShadowPad and Winnti malware, an intrusion set tied to the Winnti Group.

The 2022 attacks involved the use of five different malware families, including a loader named ScatterBee, which drops ShadowPad, Spyder, SodaMaster, and RPipeCommander. The initial access vector used in the campaign is currently unknown.

According to ESET, “APT10 was the first group known to have access to [SodaMaster], but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups.”

RPipeCommander is a previously undocumented C++ implant used against a governmental organization in Thailand, functioning as a reverse shell capable of running commands using cmd.exe and gathering outputs.

As noted by Faou, “The group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described.”
