Mallory
🇨🇳 CN · 10 malware families · Exploits CVEs in the wild

Fishmonger

Also known as: fishmonger

FishMonger is a China-linked cyberespionage threat actor active since at least 2019 and assessed to operate under the broader Winnti Group umbrella. The group is also tracked as Earth Lusca and has additionally been associated in the reporting Mallory tracks with TAG-22, Aquatic Panda, and Red Dev 10. Multiple sources assess that FishMonger is operated by the Chinese contractor I-SOON (also written iSoon), including ESET’s high-confidence attribution of Operation FishMedley to the group and its independent determination that FishMonger is operated by I-SOON.

The actor primarily targets government entities and other organizations of strategic interest. Reported victims and targeting include government organizations in Honduras, Taiwan, Thailand, and Pakistan during 2023–2024; universities in Hong Kong in 2020; and, in Operation FishMedley during 2022, governmental organizations, NGOs, a geopolitical think tank, a Catholic organization, and a Catholic charity in Taiwan, Hungary, Turkey, Thailand, the United States, and France.

FishMonger is linked to the SprySOCKS backdoor, including newly identified Windows variants after earlier Linux-only use. The Windows variants, WIN_DRV and WIN_PLUS, were used against government organizations and support command-and-control over TCP, UDP, and WebSocket with more than 30 commands for system discovery, process and service control, file management, SOCKS proxying, and keylogging. Reported stealth and persistence techniques include DLL side-loading, scheduled tasks, process doppelgänging into svchost.exe, abuse of the Windows Print Spooler via a print processor, and kernel-driver-based hiding of processes, files, registry keys, and network connections. Reporting also notes limited indications that some attacks may have involved a UEFI bootkit component possibly exploiting CVE-2023-24932.

Beyond SprySOCKS, the group’s reported tooling includes ShadowPad, Spyder, SodaMaster, RPipeCommander, Cobalt Strike, FunnySwitch, and BIOPASS RAT. In Operation FishMedley, operators used ShadowPad, SodaMaster, Spyder, and RPipeCommander, along with credential dumping, DLL side-loading, PowerShell, Impacket, LSASS dumping, SAM hive theft, Firefox credential theft, lateral movement, and likely data exfiltration via Dropbox tooling. FishMonger is also known for watering-hole attacks. Reporting further notes overlaps or links between FishMonger and other China-aligned clusters, including Webworm, SixLittleMonkeys, and Space Pirates, and identifies FishMonger as one of several ShadowPad-using activity clusters tracked since 2017.
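The Print Spooler abuse mentioned above maps to ATT&CK T1547.012 (Print Processors): the spooler loads whatever DLL is named by the Driver value of a subkey under the Print Processors registry key, so a new subkey, or a Driver value written by something other than spoolsv.exe, is the hunting signal. The following Python is an added example for defenders and is not code from this page or from Mallory. The registry path and the stock winprint processor are real Windows facts; the event lines, their simplified key=value layout, and the processor name nmlproc are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Real Windows location of print processors: each subkey names a processor and
# its "Driver" value names the DLL the spooler loads. "winprint" is the stock one.
PRINT_PROC_KEY = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)"
    r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\"
    r"(?P<proc>[^\\]+)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
KNOWN_PRINT_PROCESSORS = {"winprint"}          # baseline allowlist for this example
SPOOLER_IMAGE = r"c:\windows\system32\spoolsv.exe"

# Constructed event lines in a simplified "key=value" form (hypothetical layout,
# not a real product's log format). EventID=13 stands for "registry value set".
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\spoolsv.exe "
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver "
    r"Details=winprint.dll",
    # constructed suspicious event: unknown processor registered by a user-writable binary
    r"EventID=13 Image=C:\Users\Public\update.exe "
    r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\nmlproc\Driver "
    r"Details=nmlproc.dll",
    # unrelated registry write, should be ignored by this hunt
    r"EventID=13 Image=C:\Windows\explorer.exe "
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater "
    r"Details=updater.exe",
]

LINE_RE = re.compile(
    r"^EventID=(?P<id>\d+) Image=(?P<image>.+?) "
    r"TargetObject=(?P<target>.+?) Details=(?P<details>.*)$"
)


@dataclass
class Finding:
    processor: str
    dll: str
    image: str
    reasons: tuple


def parse_event(line: str) -> Optional[dict]:
    """Split one constructed key=value line into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev: Optional[dict]) -> Optional[Finding]:
    """Return a Finding when a Driver value under Print Processors looks anomalous."""
    if ev is None or ev["id"] != "13":
        return None
    km = PRINT_PROC_KEY.match(ev["target"])
    if km is None or km.group("value").lower() != "driver":
        return None
    proc = km.group("proc")
    reasons = []
    if proc.lower() not in KNOWN_PRINT_PROCESSORS:
        reasons.append("print processor name not in allowlist")
    if ev["image"].lower() != SPOOLER_IMAGE:
        reasons.append("Driver value written by a process other than spoolsv.exe")
    if not reasons:
        return None
    return Finding(proc, ev["details"], ev["image"], tuple(reasons))


def hunt(lines) -> list:
    """Run the check over a sequence of event lines and collect findings."""
    return [f for f in (check_event(parse_event(ln)) for ln in lines) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"ALERT T1547.012: processor={f.processor} dll={f.dll} "
              f"by={f.image}: {'; '.join(f.reasons)}")
```

In a real deployment the allowlist must be built from a baseline of the fleet, since printer driver installers legitimately add processors, and the second condition (a non-spooler writer) will also fire on those installers; the value of the hunt is that both signals together, on a host that should not be receiving driver installs, are rare enough to review by hand.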


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇭🇳 Honduras
  • 🇹🇼 Taiwan
  • 🇹🇭 Thailand
  • 🇵🇰 Pakistan

Where they're from

Attributed origin per open-source reporting.

  • CN

MITRE ATT&CK

Tradecraft

52 distinct techniques observed across reporting, grouped by tactic, covering 11 of 15 tactics (83 technique entries counting those that appear under several tactics). ×N marks the number of intelligence reports citing that technique.
MITRE ATT&CK

TA0043 Reconnaissance (2 techniques)
  • T1590 Gather Victim Network Information
      • T1590.005 IP Addresses
  • T1592 Gather Victim Host Information
      • T1592.004 Client Configurations

TA0001 Initial Access (2 techniques)
  • T1189 Drive-by Compromise
  • T1190 Exploit Public-Facing Application ×3

TA0002 Execution (5 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task ×4
  • T1059 Command and Scripting Interpreter
      • T1059.003 Windows Command Shell ×3
  • T1106 Native API
  • T1569 System Services
      • T1569.002 Service Execution ×3
  • T1574 Hijack Execution Flow
      • T1574.001 DLL

TA0003 Persistence (5 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task ×4
  • T1112 Modify Registry
  • T1542 Pre-OS Boot
      • T1542.003 Bootkit ×2
  • T1546 Event Triggered Execution
      • T1546.012 Image File Execution Options Injection
  • T1547 Boot or Logon Autostart Execution
      • T1547.012 Print Processors ×4

TA0004 Privilege Escalation (6 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task ×4
  • T1055 Process Injection ×2
      • T1055.013 Process Doppelgänging ×2
  • T1068 Exploitation for Privilege Escalation ×2
  • T1134 Access Token Manipulation
      • T1134.002 Create Process with Token
  • T1546 Event Triggered Execution
      • T1546.012 Image File Execution Options Injection
  • T1547 Boot or Logon Autostart Execution
      • T1547.012 Print Processors ×4

TA0005 Stealth (13 techniques)
  • T1014 Rootkit ×6
  • T1027 Obfuscated Files or Information
      • T1027.007 Dynamic API Resolution
      • T1027.013 Encrypted/Encoded File
  • T1036 Masquerading
  • T1055 Process Injection ×2
      • T1055.013 Process Doppelgänging ×2
  • T1070 Indicator Removal
      • T1070.004 File Deletion
      • T1070.009 Clear Persistence
  • T1134 Access Token Manipulation
      • T1134.002 Create Process with Token
  • T1140 Deobfuscate/Decode Files or Information
  • T1211 Exploitation for Stealth
  • T1218 System Binary Proxy Execution
  • T1497 Virtualization/Sandbox Evasion
  • T1542 Pre-OS Boot
      • T1542.003 Bootkit ×2
  • T1564 Hide Artifacts ×4
      • T1564.001 Hidden Files and Directories
      • T1564.009 Resource Forking
  • T1574 Hijack Execution Flow
      • T1574.001 DLL

TA0112 Defense Impairment (2 techniques)
  • T1112 Modify Registry
  • T1553 Subvert Trust Controls

TA0006 Credential Access (1 technique)
  • T1056 Input Capture
      • T1056.001 Keylogging ×2

TA0007 Discovery (7 techniques)
  • T1007 System Service Discovery ×3
  • T1010 Application Window Discovery
  • T1057 Process Discovery ×4
  • T1082 System Information Discovery ×6
  • T1083 File and Directory Discovery ×4
  • T1497 Virtualization/Sandbox Evasion
  • T1518 Software Discovery
      • T1518.001 Security Software Discovery

TA0009 Collection (2 techniques)
  • T1056 Input Capture
      • T1056.001 Keylogging ×2
  • T1115 Clipboard Data

TA0011 Command and Control (7 techniques)
  • T1071 Application Layer Protocol ×4
      • T1071.001 Web Protocols
  • T1090 Proxy ×2
      • T1090.001 Internal Proxy ×2
      • T1090.003 Multi-hop Proxy
  • T1095 Non-Application Layer Protocol ×3
  • T1105 Ingress Tool Transfer ×4
  • T1219 Remote Access Tools
  • T1571 Non-Standard Port
  • T1665 Hide Infrastructure

IOCS

Observables

37 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

  • Target overlap: match sector + geo + tech-stack targeting against your real footprint.
  • Tradecraft mapping (52): every observed MITRE ATT&CK technique, grouped by tactic.
  • Malware arsenal (10): families this actor is known to deploy, with IOCs and behavior.
  • Exploited CVEs (7): CVEs this actor has used in known campaigns.
  • Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
  • Observables (37): domains, IPs, and hashes tied to this actor, refreshed continuously.