Cybersecurity firm ESET has uncovered a cyberespionage campaign, Operation FishMedley, which was conducted in 2022 by the operational arm of Chinese cybersecurity firm I-Soon and targeted seven organizations across Taiwan, Hungary, Turkey, Thailand, the US, and France, reports SecurityWeek.
The I-Soon espionage group, also known as FishMonger, Aquatic Panda, TAG-22, Red Dev 10, and Earth Lusca, operates under the Winnti Group umbrella and is believed to work in alignment with Beijing's interests. The US has previously indicted ten I-Soon employees for their role in cyber intrusions affecting US government agencies, NGOs, human rights activists, and dissidents. ESET's findings indicate that I-Soon's operatives had deep access to victims' networks, enabling manual reconnaissance, lateral movement, and credential theft. Attackers used Impacket to deploy malware and leveraged tools such as ShadowPad, Spyder, SodaMaster, and the newly identified RPipeCommander implant, which functions as a reverse shell for executing commands remotely. ESET suggests that the RPipeCommander sample analyzed is only part of a larger toolset, with a second component facilitating command execution from another system.
