I-Soon

Threat Actor updated 23 days ago (2024-11-29T14:34:13.141Z)
i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on GitHub. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently initiates and maintains cyberespionage campaigns commissioned by various Chinese government agencies. This revelation underscores China's reputation as a prolific actor in cyber espionage.

The leaked documents revealed a less public side of i-Soon, including candid employee chat conversations and images. These discussions often revolved around employees' dissatisfaction with long working hours and low pay. Following the leak, i-Soon and the Chinese police launched an investigation into how the files were disseminated. According to two i-Soon employees who spoke with the Associated Press, the company held a meeting to address the issue, assuring staff that the leak would not significantly impact business operations and advising them to "continue working as normal."

This is not the first time i-Soon has attracted the attention of cybersecurity researchers. The company was previously sued by Chengdu 404, a firm from the same city linked to the cyber espionage group known as APT41. Despite the legal issues and the recent data leak, an onsite visit to i-Soon's office in Chengdu confirmed the company's continued operation. Given these developments, it is clear that i-Soon represents a significant entity within the landscape of global cybersecurity threats.
Description last updated: 2024-09-20T18:17:41.645Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Earth Lusca (possible alias, 4 votes): Earth Lusca, a threat actor believed to be part of the China-backed Winnti collective, has been active since at least 2019 and is known for its cyber-espionage activities. The group primarily targets government organizations in Asia, Latin America, and other regions. Recently, it has expanded its ar

Anxun (possible alias, 2 votes): Anxun Information Technology Co., also known as iSoon, has been identified as a significant threat actor in the realm of cybersecurity. A data leak revealed on February 18, 2024, disclosed the company's strong ties to the Chinese government through various contracts. This leak, which originated from
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chinese
APT
Government
China
Data Leak
UK
Associated Malware
ShadowPad (malware; association type: Unspecified; 2 votes): ShadowPad is a sophisticated malware, known for its use in supply chain attacks, particularly against government entities in South Asia. This modular backdoor, which has been active for approximately seven years, is popular among Chinese threat actors. It was notably used as the payload in an attack
Associated Threat Actors
APT41 (threat actor; association type: Unspecified; 3 votes): APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Winnti (threat actor; association type: Unspecified; 3 votes): Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such
Source Document References
Information about the I-Soon Threat Actor was read from the documents corpus below. This display is limited to 20 results.