A Chinese-linked hacking group known as FishMonger is at the center of a sweeping cyber-espionage campaign targeting government bodies, NGOs, and think tanks worldwide. Dubbed “FishMedley”, the operation is believed to be orchestrated on behalf of the Chinese government, using widely known tools instead of sophisticated new malware.
Earlier this month, the U.S. Department of Justice escalated the pressure by adding FishMonger, also known as Aquatic Panda, to the FBI’s Most Wanted list. Now, new research from cybersecurity firm ESET exposes fresh details about the group’s operations, linking them directly to iSoon, a Chinese private hacking contractor.
iSoon — officially known as Axun Information Technology — presents itself as a cybersecurity training company based in Shanghai. But leaked documents revealed the firm’s true role: acting as a hacker-for-hire arm servicing top Chinese state agencies, including the Ministry of Public Security, Ministry of State Security, and the People’s Liberation Army.
ESET’s report sheds light on how FishMonger operates in this wider Chinese espionage campaign. Targets span continents, hitting organizations in Taiwan, Hungary, Turkey, Thailand, the U.S., and France. According to Matthieu Faou, the lead ESET researcher, FishMonger’s strategy focuses less on advanced hacking techniques and more on persistent, efficient data theft.
Rather than burning expensive zero-day exploits, FishMonger relies on well-worn tools like ShadowPad, a modular backdoor commonly associated with China-linked cyber actors. ShadowPad is publicly available and widely analyzed — making it a convenient choice for attackers who prioritize staying under the radar.
“They don’t develop new tools or rely on zero-days. It’s clear FishMonger isn’t highly sophisticated technically,” Faou noted. “Yet, they are remarkably efficient, consistently infiltrating targets and maintaining long-term access to complete their missions.”
The group’s goal is straightforward: steal confidential data. They specialize in targeting NGOs and think tanks — especially those working on issues involving China and Asia — as well as defense contractors and government entities across Asia, Europe, and North America.
How FishMonger Gains Access
ESET’s report couldn’t pinpoint exactly how FishMonger initiates its attacks. However, in most cases, the hackers already had domain administrator-level access — suggesting they compromised a privileged user’s machine early in the process.
Beyond ShadowPad, the group uses a mix of additional tools:
- Spyder Loader — another malware family long linked to Chinese hackers
- SodaMaster Loader — largely unchanged since it was fully analyzed in 2021
- RPipeCommander — a custom reverse shell identified by ESET researchers
Despite the lack of groundbreaking tools or methods, FishMonger’s ability to stay embedded within high-value networks is what makes them dangerous.
“FishMonger isn’t the most technically advanced China-aligned group we’re tracking,” Faou emphasized. “But their efficient, persistent approach allows them to achieve their objectives — mainly data theft — over long periods.”
The FishMonger espionage campaign underscores the growing role of private-sector hackers in China’s state-sponsored cyber operations. Think tanks, NGOs, and government agencies involved in sensitive research on China and Asia remain prime targets.
ESET warns that high-profile organizations should be alert to potential signs of compromise linked to FishMonger’s tools and tactics. At its core, the operation is about gathering intelligence to serve Chinese geopolitical interests — a reminder that espionage campaigns don’t always rely on the latest or most sophisticated hacks.
“Their strategy is simple but effective: gain access, stay hidden, and extract information,” Faou added.
As China continues leveraging private APT contractors like iSoon, campaigns like FishMedley may become even more common — combining low-profile tools with high-impact intelligence gathering.