I-Soon
I-SOON, also known as Shanghai Anxun Information Technology Co., Ltd. and referred to as i-Soon/i_soon, is a China-based private cybersecurity contractor described as part of China's hacker-for-hire and state contracting ecosystem. Reporting characterizes it as a lower-tier contractor that provided hacking, surveillance, and intelligence-gathering services primarily to Chinese public security customers, and as a certified supplier to the Ministry of Public Security. It is described as likely working for the Chinese state, with reporting linking it to China-based threat activity including APT41 and overlaps with clusters such as Fishmonger and Earth Lusca.

According to the leaked internal documents, I-SOON was founded in Shanghai in 2010, had roughly 70-100 employees, maintained subsidiaries in Chengdu, Yunnan, and Jiangsu, and established an "APT research" division in 2013 for overseas projects. The leaked files reportedly included contracts, quotations, technical attack materials, internal chats, and customer information. The company's customers were described as provincial and municipal public security bureaus and departments across multiple Chinese provinces. Reporting also states that the UK sanctioned I-SOON for cyber activities against the UK and its allies.

I-SOON's operational strength is described as post-compromise exploitation and intelligence production rather than initial access or exploit development. Reported capabilities included:
- Windows malware/RAT functionality such as command execution, file and service management, screen capture, keylogging, and pivoting;
- a Linux implant called Hector with a plugin-based architecture and HTTP/HTTPS/websocket C2;
- referenced macOS malware;
- mobile malware for iOS and Android capable of collecting device identifiers, location, files, contacts, and microphone audio, and, in some Android cases, SMS/IM data, Wi‑Fi/camera control, traffic capture, and persistence with root.
The leak also described platforms for ingesting, searching, classifying, and operationalizing stolen emails and documents, including Outlook-, Gmail-, POP3/IMAP-, and Twitter-focused collection platforms that used phishing, malicious executables, credentials, and tokens for continuous collection. Reporting states that I-SOON used or sold spyware and had penetrated targets including Hong Kong government departments, universities, telecommunications providers, and a broad set of government, military, telecom, NGO, and academic entities across multiple continents.

NHK reporting alleges that I-SOON conducted operations for the Chinese government that included theft of internal European Union documents, impersonation of overseas dissidents, spreading false information about the Fukushima wastewater discharge in Japan, and online influence activity intended to trigger xenophobic demonstrations in Taiwan. Its social-media and "public opinion" tooling may have been overstated, however, and likely was not suited to large-scale information warfare compared with true troll-farm operations.

Leaked chats and DOJ materials indicated that Zhou Shuai brokered the sale of Yin Kecheng's work through i-SOON, placing the company within a broader Chinese offensive cyber ecosystem connected to activity tracked under Silk Typhoon/Hafnium. I-SOON is also described as part of China's loosely controlled contractor ecosystem, often subcontracting to larger firms, with poor morale and low-paying contracts. After the February 2024 leak of hundreds of internal files, NHK reported that I-SOON's Shanghai office had been vacated and that some employees were reportedly taken away by police.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
45 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
28 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
- Chinese offensive cyber contractor described as a lower-tier subcontractor and broker in the PRC hacking ecosystem, involved in brokering or subcontracting offensive work rather than as the primary operator of the Hafnium activity.
- I-Soon is a Chinese contractor involved in state-sponsored cyber operations, including mass exploitation of vulnerabilities such as Microsoft Exchange.
- China-based commercial hacking-for-hire / intelligence contractor providing intrusion services (access acquisition, data exfiltration, intelligence production) and tooling to Chinese public-sector customers (notably public security bureaus). Operations emphasize phishing/credential theft and large-scale data exploitation platforms (email/Outlook token siphoning, analytics/classification) more than in-house exploit development; tooling includes Windows/Linux/macOS/mobile implants and operational infrastructure/OPSEC support.
- i-SOON is a Chinese information security company based in Chengdu, linked to APT41 and believed to operate as a hacker-for-hire for the Chinese state. The company has provided cyber range platforms to local universities and has been involved in cyber operations.