iSoon
i-Soon (Anxun Information Technology Co., also written Anxun Information) is a Chengdu-based Chinese information-security contractor assessed in public reporting as supporting Chinese state-linked cyber operations, particularly for the Ministry of Public Security (MPS). Reporting describes i-Soon as a key player in China's "InfoSec ecosystem"; the FBI alleges it worked with at least 43 MSS or MPS bureaus across 31 provinces and municipalities and sold stolen data and hacking platforms to Chinese intelligence and security services. A 2024 leak of internal i-Soon materials, assessed as likely authentic, described the company as specializing in network penetration research, overseas special-case network work, surveillance, email exploitation and analysis, automated offensive operations, and telecom-related data access.
Activity attributed to i-Soon is tracked publicly under multiple vendor-assigned cluster names, including DeepClif, Dragnet Panda, Hassium, Houndstooth Typhoon, Aquatic Panda, Red Alpha, Red Hotel, Charcoal Typhoon, Red Scylla, Chromium, and TAG-22. These names come from different vendors' clustering and do not necessarily map one-to-one onto the company or onto each other. i-Soon is also linked to FishMonger (also known as Earth Lusca), which is described as operated by i-Soon.
i-Soon-linked activity has targeted a wide range of victims, including U.S.-based dissidents, a U.S. news organization, a large U.S.-based religious organization, U.S. federal and state agencies, foreign ministries, and multiple governments in Asia. Leaked materials and reporting cite victims across the government, telecommunications, medical, and academic sectors in countries including Pakistan, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Nepal, Turkey, India, Egypt, France, Cambodia, Rwanda, Nigeria, Indonesia, Vietnam, Myanmar, the Philippines, and Afghanistan, and in Hong Kong, Macao, Taiwan, Xinjiang, and Tibet.
Specific victims named in reporting include Myanmar's Ministry of Foreign Affairs, Thailand's National Intelligence Agency and Ministry of Foreign Affairs, Nepal Telecom, National Taiwan University Hospital, Tamkang University, Rwanda's Ministry of Health, Apollo Hospital in India, and telecommunications providers in Kazakhstan and Mongolia.
Reporting attributes a broad toolset to i-Soon. The leaked materials described custom remote access software for Windows, Linux, macOS, iOS, and Android; an "APT Service System"; target penetration and battle support services; an automated penetration testing platform combining phishing, application exploitation, cross-platform payload generation, and RAT/RMM-style capabilities; an email analysis platform for processing stolen email at scale; and telecom compromises yielding call detail records and location-based services data. The leak also described a Twitter-focused capability claiming a "1-click exploit" delivered via DM links to bypass two-factor authentication and collect victim metadata, as well as Wi-Fi proximity attack hardware disguised as Xiaomi battery packs.
Reporting also ties i-Soon-operated FishMonger activity to SprySocks Windows backdoor variants used in 2023 and 2024 against government organizations in Honduras, Taiwan, Thailand, and Pakistan. Those variants reportedly support TCP, UDP, and WebSocket command-and-control transports and more than 30 C2 functions, and use a kernel-level rootkit to hide network connections, processes, files, and registry keys. Some intrusions may also have involved a UEFI bootkit and possible exploitation of CVE-2023-24932, the Secure Boot bypass associated with the BlackLotus bootkit, whose Windows mitigations are delivered in phases and require explicit deployment rather than arriving as a default update. The actor has also been the subject of government action.
In early March 2025 the United States indicted eight i-Soon employees, including co-founders Wu Haibo and Chen Cheng, for attacks affecting the New York State Assembly, the Defense Intelligence Agency, the Department of Commerce, two New York-based newspapers, and other organizations and foreign ministries. The United Kingdom sanctioned i-Soon in December 2025, and the European Union sanctioned i-Soon, Wu Haibo, and Chen Cheng in March 2026.
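The SprySocks variants described above reportedly rely on a kernel-level rootkit to hide processes, files, network connections, and registry keys. A generic check a hunter can run against process hiding, whatever the malware family, is a cross-view comparison: enumerate processes through two independent kernel paths and diff the results, because a rootkit that filters one path often leaves another untouched. The script below is an added example written for this page, not i-Soon tooling and not code from any of the cited reports. It is Linux-only (the /proc directory listing versus a signal-0 probe of every PID); the Windows hosts in the reported intrusions would need the Windows equivalents, such as a process-snapshot view versus PID brute-forcing with OpenProcess, which this example does not implement. The pid_max fallback of 32768 is a constructed default.

```python
"""Cross-view process check: a user-mode heuristic for process-hiding rootkits.

Added example, not from the page or any cited report. A rootkit that hides
processes usually filters one enumeration path (the directory listing of /proc
on Linux, or a process-snapshot API on Windows) but leaves other kernel
interfaces alone. Comparing two independent views surfaces PIDs that exist but
are not listed. Linux-only; see the lead-in for the Windows caveat.
"""
import os


def listed_pids_via_proc(proc_root="/proc"):
    """View 1: PIDs presented by the /proc directory listing (the getdents path)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the brute-force probe; the default is a constructed fallback."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pid_exists(pid):
    """View 2 primitive: kill(pid, 0) consults the kernel's PID table directly.
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but belongs to another user, so it is alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids_via_kill(upper):
    """View 2: every PID up to `upper` that answers a signal-0 probe."""
    return {pid for pid in range(1, upper + 1) if pid_exists(pid)}


def hidden_pids(listed, probed, still_alive=lambda pid: True):
    """PIDs that answered the probe but are absent from the listing.

    `still_alive` re-checks each candidate so that processes which exited
    between the two snapshots are not reported as hidden."""
    return sorted(pid for pid in probed - listed if still_alive(pid))


def scan(proc_root="/proc"):
    """Take both views, then re-confirm each candidate against a fresh listing
    and a fresh probe to suppress races caused by short-lived processes."""
    listed = listed_pids_via_proc(proc_root)
    probed = probed_pids_via_kill(pid_max())
    candidates = hidden_pids(listed, probed)
    fresh = listed_pids_via_proc(proc_root)
    return [pid for pid in candidates if pid_exists(pid) and pid not in fresh]


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects or "none")
```

Run it as root so EPERM does not mask anything, and expect it to take a few seconds on hosts where pid_max is large. An empty result is not proof of a clean host: a rootkit that also hooks the kill path defeats this particular pair of views, which is why hunters combine several independent views (network connections via /proc/net versus a raw socket sweep, files via directory listing versus direct stat) rather than trusting one.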
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Software & Services
- Telecommunication Services
Where they target
Geographies tied to known operations.
- 🇭🇳 Honduras
- 🇹🇼 Taiwan
- 🇹🇭 Thailand
- 🇵🇰 Pakistan
Where they're from
Attributed origin per open-source reporting.
- China (CN)
Tradecraft
9 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Private Chinese hacking contractor linked to operating FishMonger and supporting espionage operations involving SprySocks backdoor variants against government targets.
Chinese hacking contractor sanctioned by the EU and previously indicted in the U.S. for attacks on the New York State Assembly, the Defense Intelligence Agency, the Department of Commerce, two New York-based newspapers, and other organizations and foreign ministries. Leaked records showed the group taking assignments from China’s Ministry of Public Security.
Chinese hacking contractor linked to attacks on U.S. government bodies, newspapers, and foreign ministries, and described as supporting Chinese nation-state operations and taking assignments from China’s Ministry of Public Security.
Publicly tracked activity cluster associated in this PSA with i-Soon’s role in PRC InfoSec ecosystem operations (intrusions and sale of stolen data/access).