I-Soon: Operation FishMedley
by sovrvltn - Tuesday March 25, 2025 at 10:36 AM
#1
"FishMonger – a group believed to be operated by the Chinese contractor I‑SOON (see our Q4 2023-Q1 2024 APT Activity Report) – falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu where I‑SOON’s office was located. FishMonger is also known as Earth Lusca, TAG‑22, Aquatic Panda, or Red Dev 10. We published an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. We initially attributed the incident to Winnti Group but have since revised our attribution to FishMonger.

The group is known to operate watering-hole attacks, as reported by Trend Micro. FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT."

https://www.welivesecurity.com/en/eset-r...ishmedley/