The Chinese advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 and targeted seven organizations.
These organizations include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a 10-month period between January and October 2022, has been codenamed Operation FishMedley by ESET.
"Operators used implants – such as ShadowPad, SodaMaster, and Spyder – which are common or exclusive," ESET noted in its analysis.
Aquatic Panda, also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a China-based cyber espionage group that is known to have been active since 2019. The Slovak cybersecurity company tracks the hacking crew under the name FishMonger.
Said to operate under the umbrella of the Winnti Group (aka APT41, Barium, or Bronze Atlas), the threat actor is also run by the Chinese contractor i-Soon, some of whose employees were charged by the U.S. Department of Justice (DoJ) earlier this month for their involvement in numerous espionage campaigns from 2016 to 2023.
The hacking crew was also previously attributed to a set of intrusions observed in late 2019 that targeted Hong Kong universities using ShadowPad and Winnti malware, activity that was linked at the time to the Winnti Group.
The 2022 attacks are characterized by the use of five different malware families: a loader named ScatterBee that is used to drop ShadowPad, Spyder, SodaMaster, and RPipeCommander. The exact initial access vector used in the campaign is unknown at this stage.
"APT10 was the first group known to have access to [SodaMaster], but Operation FishMedley indicates that it may now be shared among several China-aligned APT groups," ESET said.
RPipeCommander is the name given to a previously undocumented C++ implant that was deployed against an unnamed governmental organization in Thailand. It operates as a backdoor capable of launching commands via cmd.exe and collecting their output.
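From a defender's point of view, an implant that executes operator commands through cmd.exe and gathers the output leaves a visible trace in endpoint process-creation telemetry: cmd.exe being spawned by a parent that is not a normal shell host. The following is an added example, not code from the ESET report or the article above; the Sysmon-style log lines, the parent-process allow-list, and the "output capture" heuristic are all constructed assumptions for illustration.

```python
"""
Added example (not from the ESET report or the article): a small detection
heuristic for a backdoor that runs commands through cmd.exe and collects
their output. The log format, sample lines and the allow-list of benign
cmd.exe parents below are constructed assumptions, not published indicators.
"""
from dataclasses import dataclass

# Parents from which cmd.exe is routinely launched on a workstation (assumption;
# tune this to the environment's baseline before using it as a rule).
BENIGN_CMD_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe", "conhost.exe",
}

# Constructed, Sysmon-like process-creation records, one per line:
# timestamp|pid|image|parent_image|command_line
SAMPLE_LOG = """\
2022-05-03T10:02:11Z|4120|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|cmd.exe /c dir
2022-05-03T10:05:42Z|4388|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\update\\svc.exe|cmd.exe /c whoami > C:\\ProgramData\\out.txt
2022-05-03T10:05:43Z|4390|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\update\\svc.exe|cmd.exe /c ipconfig /all
2022-05-03T10:07:00Z|5012|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe
"""


@dataclass
class Finding:
    ts: str
    pid: int
    parent: str
    cmdline: str
    captures_output: bool  # command line redirects output to a file


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse the pipe-separated process-creation records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, parent, cmdline = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "image": image,
                       "parent": parent, "cmdline": cmdline})
    return events


def suspicious_cmd_spawns(events: list[dict]) -> list[Finding]:
    """Flag cmd.exe launched by a parent outside the benign allow-list."""
    findings = []
    for ev in events:
        if _basename(ev["image"]) != "cmd.exe":
            continue
        if _basename(ev["parent"]) in BENIGN_CMD_PARENTS:
            continue
        # Redirection of output to a file is one way an implant collects results
        # for later exfiltration; it is a supporting signal, not the trigger.
        captures = ">" in ev["cmdline"]
        findings.append(Finding(ev["ts"], ev["pid"], ev["parent"], ev["cmdline"], captures))
    return findings


def findings_from_log(text: str) -> list[Finding]:
    """Convenience wrapper: parse the log text and return the findings."""
    return suspicious_cmd_spawns(parse_events(text))


def spawns_by_parent(findings: list[Finding]) -> dict[str, int]:
    """Count flagged cmd.exe launches per parent image; a parent that keeps
    spawning shells is a stronger lead than a single event."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.parent] = counts.get(f.parent, 0) + 1
    return counts


if __name__ == "__main__":
    found = findings_from_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} pid={f.pid} parent={f.parent} output_redirect={f.captures_output}")
        print(f"    {f.cmdline}")
    print("per-parent counts:", spawns_by_parent(found))
```

Run against the constructed sample, the two cmd.exe launches from the unknown `svc.exe` parent are flagged while the ones from explorer.exe are not. In a real deployment the allow-list has to be derived from the environment's own baseline, and the rule is best paired with file-write and network telemetry rather than used on its own.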
"The group is not shy about re-using well-known implants like ShadowPad or SodaMaster, even long after they have been publicly described," Faou said.