FishMonger APT’S Operation FishMedley


Operation FishMedley is a global espionage operation attributed to the FishMonger APT group, which is believed to be operated by I-SOON, a Chinese contractor. This operation primarily targeted governments, non-governmental organizations (NGOs), and think tanks across various regions, including Asia, Europe, and the United States. The campaign involved sophisticated attack techniques, including the use of well-known Chinese-aligned malware tools.

The campaign is particularly noteworthy as it aligns with a broader pattern of espionage efforts attributed to China, as highlighted by the U.S. Department of Justice indictment in March 2025. The indictment revealed connections between I-SOON employees and the FishMonger group, confirming their involvement in numerous global espionage operations spanning from 2016 to 2023.

Severity Level: High

Threat Overview:

  • Threat Actor: The FishMonger group is believed to be operated by I-SOON, a Chinese contractor. It falls under the umbrella of the Winnti Group and is known for its espionage campaigns targeting high-profile entities. Other aliases for FishMonger include Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10.
  • Targets: The campaign predominantly targeted governments, NGOs, and think tanks, focusing on organizations that had significant geopolitical and economic interests.
  • Initial Access and Persistence: Attackers typically gained initial access through privileged accounts and escalated their privileges using tools like Impacket and Cobalt Strike. Once inside the network, they deployed implants to maintain persistence.
  • Credential Dumping: The group used several techniques to dump credentials, including LSASS memory dumps and dumps of the Windows Security Account Manager (SAM) database. They also deployed password-stealing DLLs to harvest and exfiltrate login credentials.
  • Malware Implants: The FishMonger group employed multiple malware implants such as ShadowPad, SodaMaster, Spyder, and RPipeCommander. These tools were used for data exfiltration, privilege escalation, credential dumping, and maintaining long-term persistence within compromised networks.

Recommendations:

  1. Enforce MFA on all privileged accounts and critical systems to prevent unauthorized access, even if credentials are compromised.
  2. Use solutions like Privileged Access Management (PAM) to limit the scope and control over privileged accounts.
  3. Implement frequent password rotations for critical system accounts and ensure that domain administrator and root credentials are unique and highly protected.
  4. Use EDR solutions to detect abnormal behaviors on endpoints such as credential dumping, LSASS memory dumping, or process injection.
  5. Implement strong application whitelisting and file integrity monitoring to block DLL side-loading attacks like those used by ShadowPad and SodaMaster.
  6. Ensure that fileless malware and hidden executables like sasetup.dll or svhost.tmp are identified and quarantined.
  7. Ensure that remote services such as RDP, VPNs, and SMB are secured through strong authentication mechanisms, encrypted connections, and strict access controls.
  8. Ensure that all systems, including operating systems, applications, and network devices, are regularly patched to protect against known vulnerabilities exploited by threat actors like FishMonger.
  9. Regularly train employees on phishing, social engineering, and other attack vectors that could lead to initial access in campaigns like FishMedley.
  10. Block the IOCs at their respective controls:
      https://www.virustotal.com/gui/collection/85c2d49814d8fa32f33a145866f39e3159ad204a6fd0f5ed37ec3c70b52c387f/iocs
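As an added illustration of recommendations 4 and 6 (not code from the advisory or from ESET), the following Python checks simplified Sysmon-style events for memory-read handles to LSASS from non-allowlisted processes and for the dropped file names quoted above; the event shape, the allowlist and all sample events are constructed assumptions.

```python
# Simplified Sysmon-like events (constructed sample data, not real telemetry).
# Event ID 10 = ProcessAccess, Event ID 11 = FileCreate, as in Sysmon.
SAMPLE_EVENTS = [
    {"event_id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"},
    {"event_id": 10, "source_image": "C:\\ProgramData\\update.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "source_image": "C:\\Windows\\explorer.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
    {"event_id": 11, "image": "C:\\Windows\\Temp\\installer.exe",
     "target_filename": "C:\\ProgramData\\sasetup.dll"},
    {"event_id": 11, "image": "C:\\Windows\\System32\\msiexec.exe",
     "target_filename": "C:\\Windows\\Temp\\setup.log"},
]

# File names quoted in the advisory above.
SUSPICIOUS_FILENAMES = {"sasetup.dll", "svhost.tmp"}

# Assumed allowlist of processes that legitimately open LSASS; tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Access-right bits that allow reading LSASS memory: PROCESS_VM_READ (0x10) and
# PROCESS_QUERY_INFORMATION (0x400). PROCESS_ALL_ACCESS (0x1fffff) includes both.
MEMORY_READ_BITS = 0x0010 | 0x0400


def basename(path):
    # Lower-cased final path component, tolerant of either slash style.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event):
    """Return a finding string for one event, or None if it looks benign."""
    if event["event_id"] == 10:
        if basename(event["target_image"]) != "lsass.exe":
            return None
        source = basename(event["source_image"])
        access = int(event["granted_access"], 16)
        # Query-limited handles (e.g. 0x1000) are routine; only memory-read handles count.
        if source not in LSASS_ALLOWLIST and access & MEMORY_READ_BITS:
            return f"lsass-access: {source} opened LSASS with 0x{access:x}"
    elif event["event_id"] == 11:
        name = basename(event["target_filename"])
        if name in SUSPICIOUS_FILENAMES:
            return f"dropped-artefact: {basename(event['image'])} wrote {name}"
    return None


def scan(events):
    """Run check_event over a batch of events and keep only the findings."""
    return [finding for finding in map(check_event, events) if finding]
```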

Source:

  • https://www.welivesecurity.com/en/eset-research/operation-fishmedley/


Ampcus Cyber