Threat Actor Profile Updated 25 days ago
i-SOON, a threat actor believed to be operating out of China, has come into the limelight due to a significant data leak. The leaked documents provide an inside view of i-SOON's operations, revealing its role in executing cyberespionage campaigns on behalf of various Chinese government agencies. This information was made public through candid employee chat conversations and images that were part of the leak. Cybersecurity experts Tom Uren and Catalin Cimpanu have confirmed the authenticity of the leak and the details it contains about i-SOON's clandestine activities.

The data leak has prompted an investigation by i-SOON and Chinese police, as they seek to understand how the files were leaked. Two i-SOON employees, who spoke on condition of anonymity due to fear of retribution, informed the Associated Press (AP) about the ongoing probe. Despite the leak, i-SOON's management has assured its staff that business will continue as usual and instructed them to carry on with their work.

Prior to this incident, i-SOON had already drawn the attention of cybersecurity researchers after being sued by Chengdu 404, a company from the same city. Chengdu 404 is linked to APT41, a well-known cyber espionage group. The recent visit to i-SOON's office in Chengdu by an AP representative confirmed the reality of the leak, reinforcing concerns about the company's involvement in state-sponsored cyber espionage activities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Earth Lusca
Earth Lusca is a significant threat actor that has recently expanded its malicious arsenal with the SprySOCKS Linux malware, posing an increased risk to global cybersecurity. This group is known for executing actions with harmful intent, and could be composed of individuals, private companies, or go
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Associated Malware
ID | Type | Votes | Profile Description
ShadowPad is a modular backdoor malware that has been utilized by multiple Chinese threat groups since 2017. It was used as the payload in a supply chain attack targeting South Asian governments, as detailed in a VB2023 paper. The malware's operations are often facilitated through legitimate utiliti
Associated Threat Actors
ID | Type | Votes | Profile Description
APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a China-attributed threat actor that has been active since at least 2012. The group has targeted organizations across at least 14 countries, focusing on entities in the South China Sea region. APT41's activi
Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. The group's activities have been linked to a shared Chi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the I-Soon Threat Actor was read from the documents corpus below.