Mar 23, 2025

China-Linked APT Group "Aquatic Panda" Exposed: Global Espionage Campaign Targets 7 Organizations

A recent investigation has uncovered a significant global espionage campaign tied to a China-linked advanced persistent threat (APT) group known as Aquatic Panda. The group, also referred to as Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, was found to have targeted seven organizations across six countries in 2022.

The affected entities included governments, non-governmental organizations (NGOs), think tanks, and Catholic charities in Taiwan, Hungary, Turkey, Thailand, France, and the United States. This diverse range of targets suggests that Aquatic Panda is a highly sophisticated and adaptable threat actor, capable of navigating complex networks and systems to achieve its goals.

The Scope of the Campaign

The global espionage campaign, codenamed Operation FishMedley, is believed to have begun in January 2022 and continued until October 2022. During this time, Aquatic Panda used a range of tactics, techniques, and procedures (TTPs) to gain access to the targeted organizations. The group's malware arsenal included ShadowPad, SodaMaster, and Spyder, among others, which were used to compromise systems, steal sensitive data, and establish a persistent presence within the targeted networks.

The campaign's scope is significant, with Aquatic Panda successfully breaching the systems of organizations in multiple countries. The affected entities included:

  • Government agencies in Taiwan and Hungary
  • NGOs in Turkey and Thailand
  • Think tanks in France and the United States
  • Catholic charities in the United States

The TTPs of Aquatic Panda

Aquatic Panda's TTPs are characterized by their sophistication and adaptability. The group is known to use a range of tools and techniques to gain access to targeted systems, including:

  • Phishing campaigns to trick users into divulging sensitive information
  • Exploitation of vulnerabilities in software and hardware
  • Use of custom-made malware to evade detection
  • Establishment of persistent backdoors to maintain access to compromised systems

The group's use of ShadowPad, SodaMaster, and Spyder malware is particularly notable, as these tools are highly sophisticated and have been associated with previous China-linked APT campaigns.

The Implications of the Campaign

The Aquatic Panda campaign has significant implications for organizations across the globe. The group's ability to target a diverse range of entities, including governments, NGOs, and think tanks, highlights the need for increased vigilance and cooperation in the face of cyber threats.

The campaign also underscores the importance of implementing robust cybersecurity measures, including:

  • Regular software updates and patching
  • Advanced threat detection and response systems
  • Employee training and awareness programs
  • Incident response planning and preparedness