China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families - The Hacker News
Ravie Lakshmanan, Mar 21, 2025, Cybercrime / Cyber Espionage
The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations.
These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET.
"Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors," security researcher Matthieu Faou said in an analysis.
Aquatic Panda, also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that's known to be active since at least 2019. The Slovakian cybersecurity company is tracking the hacking crew under the name FishMonger.
Said to be operating under the Winnti Group umbrella (aka APT41, Barium, or Bronze Atlas), the threat actor is also overseen by the Chinese contractor i-Soon, some of whose employees were charged by the U.S. Department of Justice (DoJ) earlier this month for their alleged involvement in multiple espionage campaigns from 2016 to 2023.
The adversarial collective has also been retroactively attributed to a late 2019 campaign targeting universities in Hong Kong using ShadowPad and Winnti malware, an intrusion set that was then tied to the Winnti Group.
The 2022 attacks are characterized by the use of five different malware families: a loader named ScatterBee that is used to drop ShadowPad, along with Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is not known at this stage.
"APT10 was the first group known to have access to [SodaMaster] but Operation FishMedley indicates that it may now be shared among multiple China-aligned APT groups," ESET said.
RPipeCommander is the name given to a previously undocumented C++ implant deployed against an unspecified governmental organization in Thailand. It functions as a reverse shell that's capable of running commands using cmd.exe and gathering the outputs.
"The group is not shy about reusing well-known implants, such as ShadowPad or SodaMaster, even long after they have been publicly described," Faou said.