The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been identified as the orchestrator behind a global cyber espionage campaign conducted in 2022, targeting seven organizations.
The victims included government agencies, Catholic charities, non-governmental organizations (NGOs), and think tanks across multiple countries, including Taiwan, Hungary, Turkey, Thailand, France, and the United States. The campaign, which spanned 10 months from January to October 2022, has been dubbed Operation FishMedley by cybersecurity firm ESET.
According to security researcher Matthieu Faou, the attackers deployed a range of implants, including ShadowPad, SodaMaster, and Spyder, which are commonly or exclusively used by China-aligned threat actors. Aquatic Panda, also referred to as Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, has been active since at least 2019. ESET tracks the group under the alias FishMonger.
The hacking collective is believed to be operating under the Winnti Group umbrella (also known as APT41, Barium, or Bronze Atlas) and is reportedly linked to the Chinese contractor i-Soon. Several i-Soon employees were recently charged by the U.S. Department of Justice (DoJ) for their alleged roles in espionage operations spanning from 2016 to 2023.
Aquatic Panda has previously been associated with cyberattacks, including a late 2019 operation that targeted universities in Hong Kong using ShadowPad and Winnti malware, a campaign later attributed to Winnti Group.
The 2022 espionage operation relied on five different malware families, including a loader called ScatterBee, which facilitated the deployment of ShadowPad, Spyder, SodaMaster, and a newly discovered malware named RPipeCommander. The exact method used to gain initial access remains unknown.
ESET noted that APT10 was originally the only group known to use SodaMaster, but the presence of the malware in Operation FishMedley suggests that multiple China-aligned APT groups may now have access to it.
One of the key discoveries in this campaign was RPipeCommander, a previously undocumented C++ implant found on the network of an unnamed government organization in Thailand. This backdoor functions as a reverse shell, enabling attackers to execute commands through cmd.exe and collect the resulting data.
Despite increased public exposure of its tools, Aquatic Panda continues to reuse well-documented implants like ShadowPad and SodaMaster, demonstrating its willingness to rely on proven malware strains long after they have been publicly identified.