
10-Month Campaign, 7 Global Targets, 5 Malware Families


Mar 21, 2025 | Ravie Lakshmanan | Cybercrime / Cyber Espionage


The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 and targeted seven organizations.

These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET.

"Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors," security researcher Matthieu Faou said in an analysis.


Aquatic Panda, also known as Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that is known to have been active since at least 2019. The Slovakian cybersecurity company tracks the hacking crew under the name FishMonger.

Said to operate under the Winnti Group umbrella (aka APT41, Barium, or Bronze Atlas), the threat actor is also overseen by the Chinese contractor i-Soon, some of whose employees were charged by the U.S. Department of Justice (DoJ) earlier this month for their alleged involvement in several espionage campaigns from 2016 to 2023.

The adversarial collective has also been retroactively attributed to a late 2019 campaign targeting universities in Hong Kong using ShadowPad and Winnti malware, an intrusion set that was at the time tied to the Winnti Group.

The 2022 attacks are characterized by the use of five different malware families: a loader named ScatterBee that is used to drop ShadowPad, Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is not known at this stage.


"APT10 was the first group known to have access to [SodaMaster], but Operation FishMedley indicates that it may now be shared among several China-aligned APT groups," ESET said.

RPipeCommander is the name given to a previously undocumented C++ implant deployed against an unspecified governmental organization in Thailand. It functions as a reverse shell that is capable of running commands via cmd.exe and collecting their output.

"The group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described," Faou said.
