Mallory
CN · 2 malware families · Exploits CVEs in the wild

Fishmonger

Also known as: fishmonger

FishMonger is a China-linked threat actor associated with cyber-espionage activity and tracked as overlapping with or also known as Earth Lusca. The provided content states FishMonger has been active since 2019. It is described as part of the broader China-aligned / China-nexus ecosystem and has been linked in reporting to clusters including Aquatic Panda. Supporting content also notes overlaps with SixLittleMonkeys, Space Pirates, and Webworm in broader China-aligned activity reporting. The actor has been associated with use of Winnti and ShadowPad malware. One cited report states that campaigns tracked by ESET as Fishmonger matched I-Soon’s activities, and that Fishmonger targeted universities in Hong Kong in 2020 using Winnti and ShadowPad. Additional reporting cited in the content places Fishmonger among at least five ShadowPad-using activity clusters identified since 2017. The content further notes overlaps between leaked I-Soon materials and previously reported FishMonger / Earth Lusca activity, including targeting and use of Winnti/ShadowPad. CYFIRMA’s profile in the provided content describes FishMonger / Earth Lusca as focused on espionage and also financially motivated activity targeting cryptocurrency platforms. The content lists exploited vulnerabilities associated with FishMonger as CVE-2024-21412, CVE-2016-5195, CVE-2023-32315, CVE-2024-23897, CVE-2022-21587, and CVE-2021-22555. Known aliases directly mentioned in the content include Earth Lusca and Aquatic Panda.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics · 5 techniques · ×N = number of intelligence reports citing this technique

  • TA0001 Initial Access (1 technique)
      • T1566 Phishing
  • TA0006 Credential Access (1 technique)
      • T1056 Input Capture
          • T1056.001 Keylogging
  • TA0009 Collection (1 technique)
      • T1056 Input Capture
          • T1056.001 Keylogging
IOCs

Observables

12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (2)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (2)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (6)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (12)

Domains, IPs, and hashes tied to this actor, refreshed continuously.
