Full Report
The China-linked advanced persistent threat (APT) group. known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations. These entities include governments, catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place
Analysis Summary
# Threat Actor: Aquatic Panda (FishMonger)
## Attribution & Identity
**Attribution:** China-linked Advanced Persistent Threat (APT) group.
**Aliases/Associated Groups:** Bronze University, Charcoal Typhoon, Earth Lusca, RedHotel. Tracked by ESET as **FishMonger**. Reportedly operates under the **Winnti Group** umbrella (also known as APT41, Barium, or Bronze Atlas). Associated with the Chinese contractor **i-Soon**.
## Activity Summary
Aquatic Panda was linked to a "global espionage campaign" codenamed **Operation FishMedley** by ESET, which ran for 10 months between January and October 2022. The campaign targeted seven organizations globally. The group is generally known to be active since at least 2019. They have also been retroactively attributed to a late 2019 campaign targeting universities in Hong Kong.
## Tactics, Techniques & Procedures
- **Malware Deployment:** Used five different malware families in the 2022 campaign: ScatterBee (a loader), ShadowPad, SodaMaster, and RPipeCommander (previously undocumented C++ implant).
- **Implant Reuse:** Known for reusing well-known implants like ShadowPad and SodaMaster long after they have been publicly documented.
- **RPipeCommander Functionality:** Deployed as a reverse shell capable of executing commands via `cmd.exe` and capturing outputs.
- **Initial Access:** The exact initial access vector for the 2022 campaign is not known.
- [Implied TTPs based on malware families, though specific ATT&CK IDs were not provided in the text.]
## Targeting
- **Sectors:** Governments, Catholic charities, Non-Governmental Organizations (NGOs), and Think Tanks.
- **Geography:** Taiwan, Hungary, Turkey, Thailand, France, and the United States.
- **Victims:** Seven specific organizations targeted during the 10-month campaign, including an unspecified governmental organization in Thailand where RPipeCommander was deployed.
## Tools & Infrastructure
- **Malware families used:** ScatterBee, ShadowPad, SodaMaster, Spyder, and RPipeCommander.
- **Infrastructure:** The article does not mention specific C2 infrastructure (domains or IPs).
## Implications
Aquatic Panda is engaged in sustained cyber espionage, targeting sensitive government and non-profit entities globally. Their continued use of established, powerful implants (like ShadowPad and SodaMaster) suggests operational security maturity and a focus on leveraging known, functional backdoor capabilities. Their association with the Winnti umbrella and i-Soon connects them strongly to state-sponsored Chinese espionage objectives.
## Mitigations
- Focus on monitoring for and detecting the usage of known, long-standing implants associated with China-aligned APTs, such as ShadowPad and SodaMaster.
- Implement robust detection mechanisms for the documented malware families, particularly the previously undocumented RPipeCommander reverse shell.
- Secure endpoints against initial access techniques that precede the deployment of loaders like ScatterBee.