China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families

Avatar
The China-linked advanced persistent threat (APT) group. known as Aquatic Panda has been linked to a “global espionage campaign” that took place in 2022 targeting seven organizations. These entities include governments, catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place

The China-linked advanced persistent threat (APT) group. known as Aquatic Panda has been linked to a “global espionage campaign” that took place in 2022 targeting seven organizations.

These entities include governments, catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET.

“Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors,” security researcher Matthieu Faou said in an analysis.

Aquatic Panda, also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that’s known to be active since at least 2019. The Slovakian cybersecurity company is tracking the hacking crew under the name FishMonger.

Said to be operating under the Winnti Group umbrella (aka APT41, Barium, or Bronze Atlas), the threat actor is also overseen by the Chinese contractor i-Soon, some of whose employees were charged by the U.S. Department of Justice (DoJ) earlier this month for their alleged involvement in multiple espionage campaigns from 2016 to 2023.

The adversarial collective has also been retroactively attributed to a late 2019 campaign targeting universities in Hong Kong using ShadowPad and Winnti malware, an intrusion set that was then tied to the Winnti Group.

The 2022 attacks are characterized by the use of five different malware families: A loader named ScatterBee that’s used to drop ShadowPad, Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is not known at this stage.

“APT10 was the first group known to have access to [SodaMaster] but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups,” ESET said.

RPipeCommander is the name given to a previously undocumented C++ implant deployed against an unspecified governmental organization in Thailand. It functions as a reverse shell that’s capable of running commands using cmd.exe and gathering the outputs.

“The group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described,” Faou said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility

Next Post

CYBER SECURITY CONGRESS – NORTH AMERICA

Related Posts

Microsoft: Russian-Linked Hackers Using ‘Device Code Phishing’ to Hijack Accounts

Microsoft is calling attention to an emerging threat cluster it calls Storm-2372 that has been attributed to a new set of cyber attacks aimed at a variety of sectors since August 2024. The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas
Avatar
Read More

Hackers Repurpose RansomHub’s EDRKillShifter in Medusa, BianLian, and Play Attacks

A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter, was first documented as used by RansomHub actors in
Avatar
Read More

GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories

Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow. The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It's used to track and retrieve all
Avatar
Read More