
Chinese Cybersecurity Firm I-Soon Exposed in Global Hack

IMAGE CREDITS: REUTERS

In a disturbing revelation, cybersecurity company ESET has uncovered how the Chinese cybersecurity firm I-Soon launched a stealthy hacking campaign in 2022, targeting government bodies, NGOs, and think tanks across multiple countries. This operation, which ESET refers to as Operation FishMedley, highlights the growing reach and sophistication of China-linked cyber espionage efforts.

I-Soon, officially known as Anxun Information Technology, operates as a private contractor connected to China’s Ministry of Public Security—one of the country’s most powerful policing agencies. Its covert operational arm, commonly tracked under names like FishMonger, Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10, allegedly aligns its hacking campaigns with Beijing’s strategic interests.

The group drew global attention last year after leaked internal documents exposed its activities. In the aftermath, the U.S. Department of Justice indicted ten I-Soon employees in early March, accusing them of working as “hackers-for-hire.” According to U.S. prosecutors, the group illegally accessed emails, sensitive databases, and corporate systems belonging to American federal and state agencies, including the Department of the Treasury. They also targeted human rights activists, journalists, and overseas Chinese pro-democracy dissidents.

However, the newly surfaced findings from ESET paint a broader picture of I-Soon’s cyber activities. The report confirms that, throughout 2022, I-Soon operatives infiltrated organizations in Taiwan, Hungary, Turkey, Thailand, the U.S., and France. These attacks were all part of Operation FishMedley, directly linked to I-Soon’s espionage unit FishMonger, which ESET believes operates under the infamous Winnti Group umbrella out of Chengdu, China.

Once inside their targets’ networks, the attackers displayed expert-level tactics. ESET’s forensic analysis showed that they gained privileged access to internal systems and performed hands-on reconnaissance. They deployed Impacket, a widely used open-source collection of Python tools for working with Windows network protocols, which allowed them to plant malware, move laterally across networks, and extract sensitive credentials by dumping the memory of the LSASS process.

Among the arsenal of cyberweapons used were the notorious backdoors ShadowPad, Spyder, and SodaMaster. The team also utilized RPipeCommander, a newly identified reverse shell implant designed for stealthy control. Alongside these, they deployed various tools aimed at network scanning, password theft, and data exfiltration.

While ShadowPad, Spyder, and SodaMaster have appeared in earlier threat reports linked to Chinese state-sponsored groups, RPipeCommander stood out as a new discovery. ESET explains that this tool operates using multiple threads and handles three core functions via named pipes. It can initiate a command prompt, send commands, and capture the output of those commands. Notably, ESET’s researchers only recovered the server-side component of RPipeCommander, suggesting that a separate client runs from another compromised system within the network.
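Two of the behaviours described above leave host telemetry a defender can watch for: a process reading LSASS memory (credential dumping) and a process that is not normally a pipe server creating a named pipe (a pipe-based command-and-output channel like the one attributed to RPipeCommander). The following is an added example, not code from the article, ESET, or any of the tools named; it runs two simple checks over constructed Sysmon-style ProcessAccess (ID 10) and PipeCreated (ID 17) records. The allowlists, host names, image paths, and pipe names are assumptions made for illustration and would need tuning in a real environment.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Sysmon event IDs (documented Sysmon values).
PROCESS_ACCESS = 10
PIPE_CREATED = 17

# Win32 process access right (documented constant) needed to read another
# process's memory; dumping credentials from LSASS requires it.
PROCESS_VM_READ = 0x0010

# Allowlists are assumptions for this example: tune them per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}
PIPE_CREATOR_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\spoolsv.exe",
}


@dataclass
class Finding:
    host: str
    rule: str
    image: str
    detail: str


def parse_event(rec: Dict[str, str]) -> Dict[str, object]:
    """Normalise one Sysmon-style record: lower-case paths, parse the hex access mask."""
    return {
        "host": rec.get("Computer", ""),
        "event_id": int(rec["EventID"]),
        "image": rec.get("Image", "").lower(),
        "target_image": rec.get("TargetImage", "").lower(),
        "granted_access": int(rec.get("GrantedAccess", "0x0"), 16),
        "pipe_name": rec.get("PipeName", ""),
    }


def is_lsass_memory_read(ev: Dict[str, object]) -> bool:
    """ProcessAccess to lsass.exe with PROCESS_VM_READ from a non-allowlisted source."""
    if ev["event_id"] != PROCESS_ACCESS:
        return False
    if not str(ev["target_image"]).endswith(r"\lsass.exe"):
        return False
    if not int(ev["granted_access"]) & PROCESS_VM_READ:
        return False  # e.g. query-only access, no memory read
    return ev["image"] not in LSASS_ACCESS_ALLOWLIST


def is_unexpected_pipe_creation(ev: Dict[str, object]) -> bool:
    """PipeCreated by a process that is not a known pipe server on this host."""
    return ev["event_id"] == PIPE_CREATED and ev["image"] not in PIPE_CREATOR_ALLOWLIST


def run_detections(records: Iterable[Dict[str, str]]) -> List[Finding]:
    """Apply both checks to a stream of records and return the findings in order."""
    findings: List[Finding] = []
    for rec in records:
        ev = parse_event(rec)
        if is_lsass_memory_read(ev):
            findings.append(Finding(str(ev["host"]), "lsass-memory-read", str(ev["image"]),
                                    f"GrantedAccess=0x{int(ev['granted_access']):x}"))
        if is_unexpected_pipe_creation(ev):
            findings.append(Finding(str(ev["host"]), "unexpected-named-pipe",
                                    str(ev["image"]), str(ev["pipe_name"])))
    return findings


# Constructed sample events (not real telemetry): one benign LSASS access by
# csrss.exe, one memory read by an unknown binary, one query-only access by the
# same binary, one routine pipe from svchost.exe and one pipe from an unknown binary.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventID": "10", "Image": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"Computer": "ws01", "EventID": "10", "Image": r"C:\Users\Public\tmp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "ws01", "EventID": "10", "Image": r"C:\Users\Public\tmp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Computer": "srv02", "EventID": "17", "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\wkssvc"},
    {"Computer": "srv02", "EventID": "17", "Image": r"C:\Windows\Temp\svc.exe",
     "PipeName": r"\cmd-io-1"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} by {f.image} ({f.detail})")
```

The LSASS check keys on the granted access mask rather than on a tool name, because the mask is what the dumping technique needs regardless of which binary performs it; the pipe check is deliberately broad and relies on the allowlist, since a pipe-based implant chooses its own pipe name and the only stable signal is which process is acting as a pipe server.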

“Throughout 2022, our investigations uncovered several cases where tools like ShadowPad and SodaMaster—favored by China-aligned groups—were actively used,” ESET stated. “We identified and clustered seven separate incidents, which we now collectively refer to as Operation FishMedley.”

The growing evidence against Chinese cybersecurity firm I-Soon reflects how state-affiliated hackers continue to pose serious threats to global cybersecurity. With sophisticated tools and stealthy operations, these groups breach sensitive systems, harvest intelligence, and undermine privacy on a global scale.
