
A China-aligned advanced persistent threat (APT) group known as Aquatic Panda has been linked to a 2022 global espionage campaign targeting seven organizations.
These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks in Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over roughly 10 months between January and October 2022, has been named Operation FishMedley by ESET.
“The operators used implants such as ShadowPad, SodaMaster, and Spyder that are common to or exclusive to China-aligned threat actors,” security researcher Matthieu Faou said in the analysis.

Also known as Bronze University, Charcoal Typhoon, Earth Lusca, and Red Hotel, Aquatic Panda is a Chinese cyber-espionage group known to have been active since at least 2019. The Slovak cybersecurity company tracks the hacking crew under the name FishMonger.
The threat actor is said to operate under the Winnti Group umbrella (aka APT41, Barium, or Bronze Atlas) and to be overseen by the Chinese contractor i-Soon.

The adversarial group was also behind a campaign in late 2019 that targeted Hong Kong universities using the ShadowPad and Winnti malware.
The 2022 attacks are characterized by the use of five different malware families: a loader named ScatterBee, which is used to drop ShadowPad, Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is unknown at this stage.

“APT10 was the first group known to have access to [SodaMaster], but Operation FishMedley shows that it may now be shared among multiple China-aligned APT groups,” ESET said.
RPipeCommander is the name given to a previously undocumented C++ implant that was deployed against an unspecified government organization in Thailand. It acts as a reverse shell, allowing operators to run commands via cmd.exe and collect their output.
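Because RPipeCommander is described as running commands through cmd.exe and collecting the output, one useful defender-side signal is a cmd.exe process whose parent is not an interactive launcher (explorer.exe, a terminal, another shell). The following is an added illustration, not code from ESET or from the campaign: it parses constructed, simplified key=value renderings of process-creation events (Sysmon Event ID 1 style) and flags cmd.exe children of unexpected parents. The event format, the `EXPECTED_PARENTS` baseline, and all sample paths are assumptions for the example and should be tuned to real telemetry.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Parents that normally launch cmd.exe interactively. This set is an
# assumption for illustration; tune it to the environment's real baseline.
EXPECTED_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe", "conhost.exe",
}


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
# These are NOT real telemetry from the campaign; paths are made up.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="cmd.exe"',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\ProgramData\\sync\\svchelper.exe CommandLine="cmd.exe /c dir"',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe"',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="cmd.exe /c dir"',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Users\\Public\\Libraries\\loader.exe CommandLine="cmd.exe"',
]

# Matches the three fields we care about in the constructed key=value format.
_EVENT_RE = re.compile(r'Image=(\S+)\s+ParentImage=(\S+)\s+CommandLine="([^"]*)"')


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one event line; return None for lines that do not match the format."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    return ProcEvent(*m.groups())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def is_suspicious_cmd(ev: ProcEvent) -> bool:
    """True when cmd.exe is spawned by something other than an interactive launcher.

    A reverse shell that drives cmd.exe and collects its output typically does
    so from an implant process, which will not be in the interactive baseline.
    """
    return basename(ev.image) == "cmd.exe" and basename(ev.parent_image) not in EXPECTED_PARENTS


def find_suspicious(lines) -> List[ProcEvent]:
    """Return the events that warrant a closer look, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious_cmd(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious cmd.exe spawn: parent={ev.parent_image} cmdline={ev.command_line}")
```

On the constructed sample the two cmd.exe launches from `svchelper.exe` and `loader.exe` are flagged, while the ones from explorer.exe and powershell.exe are not. The parent-process check is a coarse first filter; in practice it is paired with process-tree context (grandparent, signer, image path under ProgramData or a user-writable directory) before it becomes an alert.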
“This group is not shy about reusing well-known implants such as ShadowPad and SodaMaster,