Aquatic Panda

Read Time 4 mins | 15 September 2025

A little-known yet highly capable China-linked cyber threat actor has quietly conducted one of the most persistent espionage campaigns seen in recent years. Known as Aquatic Panda, the group infiltrated organisations across multiple continents using custom malware, backdoors shared with other China-aligned groups and tradecraft built to stay below the detection threshold of traditional security tools.

For Australian businesses, the campaign offers a valuable case study in how state-aligned actors operate and why proactive cyber defence measures, including dark web monitoring, are essential.

Who is Aquatic Panda?

Aquatic Panda is a suspected Chinese state-sponsored group also tracked as Charcoal Typhoon (Microsoft), RedHotel (Recorded Future), Bronze University (Secureworks) and FishMonger (ESET). It has been linked to the broader Winnti umbrella, a loose collection of advanced persistent threat (APT) groups known for espionage, intellectual property theft and long-term network access, and ESET attributes the group to the Chinese contractor I-SOON.

Since emerging in 2019, Aquatic Panda has maintained a relatively low profile compared to other Chinese threat actors, but its recent activities demonstrate a clear capability for sustained and targeted operations.

What was Operation FishMedley?

Between January and October 2022, Aquatic Panda carried out a global espionage campaign identified by ESET as Operation FishMedley. The group targeted seven organisations across France, Taiwan, Turkey, Hungary, Thailand and the United States, including:

  • Government departments and agencies
  • Humanitarian and religious charities
  • NGOs and advocacy groups
  • Policy think tanks and research centres

The same sectors exist in Australia and routinely share partners, funders and data with the organisations that were hit, which makes the findings directly relevant to local security teams.

How Did the Attack Work?

Although the initial access vector remains unknown, once inside Aquatic Panda deployed a tailored set of malware tools, including:

  • ScatterBee – A loader used to deploy ShadowPad, typically started by DLL side-loading beside a legitimate signed executable
  • ShadowPad – A modular backdoor privately shared among Chinese APT groups
  • Spyder – A modular backdoor that gives operators remote command and control
  • SodaMaster – A stealthy in-memory backdoor originally linked to APT10 and reused here
  • RPipeCommander – A previously undocumented implant that provides a reverse shell: operators send Windows commands and receive their output

Together these tools allowed covert surveillance, data collection and prolonged access, often with little or no detection by signature-based security products.

The Dark Web Connection

Aquatic Panda’s reliance on shared malware such as ShadowPad and SodaMaster shows how interlinked APT operations are. While some tools are custom-built, others are shared, modified or privately sold between groups rather than built from scratch, so the same backdoor turns up in intrusions run by different actors.

For Australian businesses, this means a group targeting an NGO overseas may reuse the same malware or infrastructure later seen in local incidents. Monitoring dark web activity is no longer optional; it is a critical source of early warning intelligence.

Why This Matters For Australian Organisations

Australia’s strategic location, role in the Indo-Pacific and close ties to sectors like defence, education, research and policy make local organisations attractive to foreign espionage groups.

Even if your business is not a direct target, third-party breaches or shared supply chain exposure can result in compromise. Many of the victims in Operation FishMedley operated in sectors mirrored here in Australia, including government services, advocacy, faith-based outreach and policy think tanks.

How to Defend Against APT Campaigns

While preventing every breach is not always possible, there are proactive steps organisations can take to detect and mitigate threats like Aquatic Panda:

1. Deploy Dark Web Monitoring

Solutions like Oko, Rivanorth’s AI-powered monitoring tool, scan underground forums, breach databases and command and control infrastructure for early signs of targeting. Early detection allows you to act before damage occurs.

2. Implement Network Segmentation and Role-Based Access

Apply least privilege and segment the network so that an attacker who gains a foothold on one host cannot reach everything else. Role-based access limits what a compromised account can touch; segmentation limits where a compromised host can connect.

3. Detect Known APT Malware and Tactics

Stay informed on malware families used by APT groups and update detection tools with the latest indicators of compromise. Indicators age quickly, so pair them with behavioural detections for the techniques these families rely on, such as DLL side-loading and unexpected outbound connections from the process that loaded the DLL.

4. Provide Staff Training on Phishing and Social Engineering

Many espionage operations begin with a simple phishing email. Regular training reduces the risk of human error and improves incident reporting.

5. Conduct Routine Threat Hunting

Do not wait for alerts. Proactively search your systems for signs of compromise, such as unsigned DLLs loaded beside executables in user-writable directories, and investigate anomalies in network traffic and user behaviour.
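As an added example (not code from the original article or from ESET's report), the following Python script shows one hunt that steps 3 and 5 describe: it scores Sysmon "Image loaded" (Event ID 7) records for the DLL side-loading pattern used to start ShadowPad. The sample events, paths and scoring threshold are constructed for illustration; the field names (Image, ImageLoaded, Signed, SignatureStatus) are Sysmon's own.

```python
"""Hunt for DLL side-loading in Sysmon "Image loaded" (Event ID 7) telemetry.

ShadowPad and its ScatterBee loader are commonly started by dropping a malicious
DLL next to a legitimate, signed executable that loads it by name. In Sysmon
Event ID 7 the signature fields (Signed, SignatureStatus) describe the loaded
DLL, not the loading process, so the hunt asks: did a process load an UNSIGNED
DLL from its own directory, and is that directory outside the roots where
Windows and vendor software normally live?  The sample events below are
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Roots where vendor software normally lives. Unsigned loads from here still
# happen legitimately, so they score lower and stay out of the default report.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations an unprivileged user, or a dropper running as one, can write to.
WRITABLE_HINTS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str             # loading process            (Sysmon field: Image)
    image_loaded: str      # DLL that was loaded        (Sysmon field: ImageLoaded)
    signed: bool           # signature present?         (Sysmon field: Signed)
    signature_status: str  # "Valid", "Unavailable" ... (Sysmon field: SignatureStatus)


def parse_event(line: str) -> ImageLoad:
    """Parse one pipe-delimited key=value line (constructed format; a real
    pipeline would read Sysmon's EVTX or forwarded JSON instead)."""
    kv = dict(part.split("=", 1) for part in line.split("|"))
    return ImageLoad(
        image=kv["Image"],
        image_loaded=kv["ImageLoaded"],
        signed=kv["Signed"].lower() == "true",
        signature_status=kv["SignatureStatus"],
    )


def sideload_score(ev: ImageLoad) -> tuple[int, list[str]]:
    """Return a score (one point per indicator) and the indicators that fired."""
    dll = PureWindowsPath(ev.image_loaded.lower())
    exe = PureWindowsPath(ev.image.lower())
    reasons: list[str] = []
    if dll.suffix != ".dll":
        return 0, reasons
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    if dll.parent == exe.parent:
        reasons.append("loaded from the process's own directory")
    if not str(dll).startswith(TRUSTED_ROOTS):
        reasons.append("outside trusted roots")
    if any(hint in str(dll) for hint in WRITABLE_HINTS):
        reasons.append("user-writable location")
    return len(reasons), reasons


def hunt(lines: list[str], threshold: int = 3) -> list[dict]:
    """Return every event whose score reaches the threshold, for analyst review."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = sideload_score(ev)
        if score >= threshold:
            hits.append({"image": ev.image, "dll": ev.image_loaded,
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample telemetry: two routine loads, one noisy vendor load and
# one event with the full side-loading pattern.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\ProgramData\Tools\viewer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\alice\AppData\Roaming\Updater\svc.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\Updater\log.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"score {hit['score']}: {hit['image']} loaded {hit['dll']} "
              f"({'; '.join(hit['reasons'])})")
```

With the default threshold only the AppData event is reported; the unsigned helper DLL under Program Files scores two and is left for a wider sweep (threshold 2). Before relying on this hunt, confirm that your Sysmon configuration actually records Event ID 7, because image-load events are noisy and are often filtered out entirely.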

Rivanorth Oko: Monitoring the Underground for Emerging Threats

As APT groups reuse malware, infrastructure and techniques, monitoring the dark web provides a strategic advantage. Oko offers real-time alerts when:

  • Credentials linked to your organisation appear in data dumps
  • Domains and systems are flagged in threat actor discussions
  • Tools used by known APTs are observed targeting your sector

This proactive insight allows you to patch vulnerabilities, reset credentials and block malicious IPs before an attacker can move further.

Stay Ahead of Nation-State Threats

Aquatic Panda’s campaign is a reminder that cyber espionage is an ongoing threat, even for organisations without obvious value to a foreign government. Intellectual property, contacts, research and influence are all valuable targets.

By investing in threat intelligence, monitoring dark web activity and improving internal cyber resilience, Australian organisations can reduce risk and increase readiness against advanced persistent threats.