Operation FishMedley targeting governments, NGOs, and think tanks
March 21, 2025, 2:46 p.m.
Description
ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The attackers used implants like ShadowPad, SodaMaster, and Spyder, which are common or exclusive to China-aligned threat actors. The operation involved sophisticated tactics including lateral movement, credential theft, and custom malware deployment. Seven victims were identified across various countries and sectors. The analysis provides technical details on the malware used, initial access methods, and command and control infrastructure.
Tags
Date
- Created: March 21, 2025, 10:33 a.m.
- Published: March 21, 2025, 10:33 a.m.
- Modified: March 21, 2025, 2:46 p.m.
Indicators
- 76d6b638a9a22dce8edab0145fcdb09adb986fb98222fab0127df60c2fed8112
- 2317d3e14ab214f06ae38a729524646971e21b398eda15cc9deb8b00b231abc3
- 1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f
- 5.188.230.47
- 61.238.103.165
- 168.100.10.136
- 162.33.178.23
- http://api.googleauthenticatoronline.com:443
- http://45.76.165.227/wECqKe529r.png
- nline.com
- junlper.com
- api.googleauthenticatoronline.com
Attack Patterns
- RPipeCommander
- DelfsCake
- dfls
- DARKTOWN
- SodaMaster - S0627
- POISONPLUG.SHADOW
- ShadowPad - S0596
- Spyder
- FishMonger
- T1556.002
- T1021.002
- T1583.001
- T1583.004
- T1087.001
- T1003.002
- T1003.001
- T1543.003
- T1007
- T1574.002
- T1555.003
- T1059.003
- T1059.001
- T1095
- T1016
- T1057
- T1140
- T1072
Additional Informations
- NGO
- Government
- Hungary
- Taiwan
- Thailand
- France
- United States of America