Chinese hackers linked to the cybersecurity firm I-Soon targeted seven organisations across multiple countries in a 2022 cyber espionage campaign, according to a recent report. The attack, known as Operation FishMedley, saw government agencies, NGOs, and think tanks in Taiwan, Hungary, Turkey, Thailand, the US, and France compromised by the threat group.
I-Soon, also known as Anxun Information Technology, is a private contractor with ties to China’s Ministry of Public Security. Its operational hacking unit, tracked under various names, including FishMonger, Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10, is believed to carry out cyber operations in line with Beijing’s interests. Security researchers have linked the group to the Winnti umbrella, an established Chinese hacking collective operating out of Chengdu.
The report revealed that the attackers had deep access to their victims’ networks, allowing them to move laterally and extract sensitive data. They performed manual reconnaissance, used the Impacket tool to deploy implants, and dumped the LSASS process to extract login credentials. The cyber operation utilised several hacking tools, including the well-known ShadowPad, Spyder, and SodaMaster backdoors, as well as a newly identified implant named RPipeCommander.
RPipeCommander functions as a reverse shell, capable of executing commands within a compromised system. It allows attackers to create and control command prompt processes, execute instructions, and extract output data. The analysed sample only contained the server component, but researchers believe a client component exists, enabling hackers to issue commands remotely.
Chinese hackers from I-Soon have been under increasing scrutiny following a leaked dump of company documents last year.
In early March, US authorities indicted ten I-Soon employees, accusing them of acting as hackers-for-hire. The individuals allegedly breached emails, databases, and corporate systems, with targets including US federal and state agencies such as the Department of the Treasury, human rights activists, journalists, and Chinese pro-democracy dissidents abroad.
Security experts warn that cyber threats from China-aligned groups remain a growing concern for governments and private organisations worldwide. The findings from Operation FishMedley highlight the advanced tactics used in state-sponsored espionage, raising concerns over the security of sensitive information. With the continued evolution of hacking techniques, cybersecurity professionals stress the need for stronger defence measures to combat sophisticated cyber intrusions.
