Aquatic Panda: China’s APT Group Targeting Global Organizations in Espionage Campaign

In 2022, the China-linked Advanced Persistent Threat (APT) group known as Aquatic Panda carried out an extensive espionage operation targeting a variety of organizations worldwide. The attack, which lasted from January to October, affected governments, non-governmental organizations (NGOs), Catholic charities, and think tanks across multiple countries. This significant cyber operation was dubbed “Operation FishMedley” by cybersecurity company ESET. The group used a range of malware implants and sophisticated techniques that are typical of China-aligned cyber adversaries.

The targets of this espionage campaign spanned across Taiwan, Hungary, Turkey, Thailand, France, and the United States, demonstrating Aquatic Panda’s broad operational reach. The espionage group’s primary tools included implants like ShadowPad, SodaMaster, and Spyder—malware that has been associated with Chinese threat actors for several years. Additionally, these attackers used the malware to gain unauthorized access to sensitive information, often targeting high-profile entities with valuable geopolitical or strategic interests.

Overview of Operation FishMedley

Aquatic Panda, also known by several other names like Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, has been active since at least 2019. The group’s operations fall under the Winnti Group umbrella (also known as APT41, Barium, or Bronze Atlas), which has been involved in cyber espionage campaigns for several years. This group’s activity includes targeting a diverse range of sectors, including governmental organizations, educational institutions, and corporate entities.

The malware used in the 2022 campaign—specifically, ShadowPad, SodaMaster, Spyder, and RPipeCommander—highlights the group’s persistent use of familiar tools, even in newer operations. These tools have been identified in previous attacks, including campaigns attributed to other China-linked APT groups such as APT10.

ESET’s researchers have noted that these attackers were highly skilled at remaining undetected, and that many of the implants were tailored to each victim. For instance, the RPipeCommander implant, which was deployed against a government agency in Thailand, is a previously undocumented piece of malware that allows attackers to remotely execute commands on the infected system.

The use of such sophisticated tools and techniques suggests that Aquatic Panda’s operations are both well-resourced and highly organized. The group’s ability to reuse well-known malware like ShadowPad and SodaMaster even years after their public disclosure underscores their persistence and the ongoing threat posed by China-aligned APT groups.

What Undercode Say:

The persistence of China-linked APT groups like Aquatic Panda shows a highly methodical and strategic approach to cyber espionage. These groups are known for their patience and long-term planning, often lying dormant within networks for extended periods, slowly exfiltrating sensitive data over months or even years. This particular operation, known as Operation FishMedley, highlights a number of significant trends in cyber threat activity.

First, the choice of targets speaks volumes about the geopolitical motivations driving these attacks. Governments, NGOs, think tanks, and even Catholic charities were all targeted, suggesting an interest in not only acquiring sensitive information about national security or diplomatic strategies but also leveraging intelligence that could be used to influence global political dynamics. The organizations targeted in Taiwan, Hungary, Turkey, and the United States are all strategically significant in the context of global power struggles, particularly in relation to China’s foreign policy goals.

Second, the sophistication of the malware used in this campaign demonstrates the growing maturity of China-aligned cyber operations. Tools like ShadowPad and SodaMaster have been around for years, but their continued use and refinement show the group’s ability to adapt and evolve its tactics. The introduction of new malware, such as RPipeCommander, further emphasizes the group’s technical capabilities and desire to remain one step ahead of defenders.

The most concerning aspect of this attack is the use of malware implants like RPipeCommander, which specifically targeted a government organization in Thailand. These implants are not only highly specialized but also capable of executing commands and collecting data without detection, making them particularly dangerous for governments and other high-profile targets. This suggests that Aquatic Panda is not just after general intelligence, but is focused on extracting highly specific, strategic information that could shape key policy decisions or bolster China’s influence in particular regions.

This attack also raises questions about the broader landscape of cyber espionage and the capabilities of state-sponsored threat actors. The use of multiple malware families and implants in a single operation highlights a new phase of cyber conflict where state actors are increasingly using a diverse toolkit to breach even the most secure networks.

Fact Checker Results:

  • Scope of Operation: The 2022 attacks were indeed widespread, with targets in various countries including Taiwan, Hungary, Turkey, Thailand, France, and the United States.
  • Malware Analysis: The identified malware families—ShadowPad, SodaMaster, Spyder, and RPipeCommander—are consistent with known tools used by Chinese APT groups.
  • Connection to Chinese Contractors: The attribution of Aquatic Panda’s activities to a Chinese contractor (i-Soon) further strengthens the evidence of a China-aligned operation, corroborating reports from the U.S. Department of Justice.

References:

Reported By: https://thehackernews.com/2025/03/china-linked-apt-aquatic-panda-10-month.html