Aquatic Panda's Global Espionage Campaign Uncovered in Operation FishMedley

The China-linked cyber espionage group Aquatic Panda has been implicated in a large-scale intelligence-gathering operation targeting seven organizations across multiple countries in 2022. The campaign, dubbed Operation FishMedley by cybersecurity firm ESET, focused on governments, Catholic charities, NGOs, and think tanks in Taiwan, Hungary, Turkey, Thailand, France, and the United States over a 10-month period.
Security researcher Matthieu Faou revealed that the group deployed a mix of malware strains, including ShadowPad, SodaMaster, and Spyder, tools commonly associated with Chinese state-backed cyber actors. The group, also known as Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, operates under the Winnti Group umbrella (APT41), a collective known for its persistent cyber intrusions. Some of its operators are linked to i-Soon, a Chinese contractor whose employees were recently indicted by the U.S. Department of Justice (DoJ) for cyber espionage activities spanning 2016-2023.
The attackers leveraged a malware loader called ScatterBee to deploy multiple payloads, including the newly discovered RPipeCommander, a sophisticated backdoor capable of executing commands and exfiltrating data. While the initial access method remains unclear, researchers note that the reuse of publicly known malware, such as ShadowPad and SodaMaster, suggests confidence in its continued effectiveness despite prior exposure.