The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a “global espionage campaign” that took place in 2022 targeting seven organizations.
These entities include governments, catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET.
“Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors,” security researcher Matthieu Faou said in an analysis.
Aquatic Panda, also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that’s known to be active since at least 2019. The Slovakian cybersecurity company is tracking the hacking crew under the name FishMonger.
Said to be operating under the Winnti Group umbrella (aka APT41, Barium, or Bronze Atlas), the threat actor is also overseen by the Chinese contractor i-Soon, some of whose employees were charged by the U.S. Department of Justice (DoJ) earlier this month for their alleged involvement in multiple espionage campaigns from 2016 to 2023.
The adversarial collective has also been retroactively attributed to a late 2019 campaign targeting universities in Hong Kong using ShadowPad and Winnti malware, an intrusion set that was then tied to the Winnti Group.
The 2022 attacks are characterized by the use of five different malware families: A loader named ScatterBee that’s used to drop ShadowPad, Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is not known at this stage.
“APT10 was the first group known to have access to [SodaMaster] but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups,” ESET said.
RPipeCommander is the name given to a previously undocumented C++ implant deployed against an unspecified governmental organization in Thailand. It functions as a reverse shell that’s capable of running commands using cmd.exe and gathering the outputs.
“The group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described,” Faou said.
