I-Soon

Threat Actor Profile Updated 3 months ago
i-SOON, a threat actor believed to operate out of China, came to wider attention after a significant leak of its internal documents. The leaked files, which include candid employee chat logs and images, give an inside view of i-SOON's operations and show the company executing cyberespionage campaigns on behalf of various Chinese government agencies. Cybersecurity experts Tom Uren and Catalin Cimpanu have confirmed the authenticity of the leak and of the details it contains about i-SOON's clandestine activities.

The leak has prompted an investigation by i-SOON and Chinese police into how the files got out. Two i-SOON employees, speaking to the Associated Press (AP) on condition of anonymity for fear of retribution, described the ongoing probe. Despite the leak, i-SOON's management has assured staff that business will continue as usual and instructed them to carry on with their work.

i-SOON had already drawn the attention of cybersecurity researchers before this incident, after it was sued by Chengdu 404, a company based in the same city and linked to APT41, a well-known cyberespionage group. A visit by an AP representative to i-SOON's office in Chengdu confirmed the reality of the leak, reinforcing concerns about the company's involvement in state-sponsored cyberespionage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Earth Lusca (4 votes): Earth Lusca, a threat actor known for its malicious activities in the cyber world, has recently expanded its arsenal with the addition of a new tool, the SprySOCKS Linux malware. This development was reported by Security Affairs in September 2023. Earth Lusca can be an individual, a private company, or pa...

RedHotel (1 vote): RedHotel, also known as Aquatic Panda, ControlX, and Bronze University, is a threat actor linked to Chinese state-sponsored cyber groups. It is part of a sophisticated network of espionage operations including RedAlpha, Poison Carp, and i-SOON, which are primarily involved in the theft of telecommun...

Volt Typhoon (1 vote): Volt Typhoon, a threat actor linked to China, has been identified as a significant cyber threat with strong operational security. Known for sophisticated Advanced Persistent Threat (APT) activity, this group has been associated with the KV-Botnet and has remained undetected within U.S. infra...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chinese, APT, Government, China, UK, Espionage, SentinelLabs, SentinelOne, Data Leak
Associated Malware
ShadowPad (type: Unspecified; 2 votes): ShadowPad is a modular backdoor that has been used by several Chinese threat groups since at least 2017. Notably, it was the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in...

Taurus (type: Unspecified; 1 vote): Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal... (Caveat: "Taurus" is the suffix Palo Alto Networks Unit 42 attaches to its names for China-linked groups, so this entry reflects a vendor naming convention rather than a distinct malware family.)

KEYPLUG (type: Unspecified; 1 vote): KeyPlug is a modular backdoor, written in C++, that has been used extensively by the APT41 group to target systems globally. Notably, between June and December 2021, it was heavily deployed against state government victims, exploiting Windows systems with significant effect. KeyPlug supports...

Elemental Taurus (type: Unspecified; 1 vote): no description available.
Associated Threat Actors
APT41 (type: Unspecified; 3 votes): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. The group has been active since at least 2012, targeting organizations across 14 countries, and is known for its extensive use of various code families and tools, with at least 4...

Winnti (type: Unspecified; 3 votes): Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar...

RedAlpha (type: Unspecified; 1 vote): RedAlpha, also known as DeepCliff, is an advanced persistent threat (APT) group linked to Chinese state-sponsored cyberespionage. The group is known for its spyware campaigns against Tibetan minorities and has been identified in association with other threat groups such as...

Earth Krahang (type: Unspecified; 1 vote): Earth Krahang is a threat actor, a term used in cybersecurity to describe an entity responsible for malicious activities. This could be an individual, a private company, or even a government organization. In the world of cybersecurity, unique names are often given to these actors to differentiate th...

Poison Carp (type: Unspecified; 1 vote): Poison Carp, also known as Insomnia, is a threat actor associated with various malicious cyber activities. These activities have particularly targeted Tibetan minorities, highlighting the group's focus on specific sociopolitical issues. This threat actor is part of a larger network of...

Winnti Group (type: Unspecified; 1 vote): The Winnti Group, a collective of Chinese Advanced Persistent Threat (APT) groups including APT41, first gained notoriety for its attacks on computer game developers. The group was initially spotted by Kaspersky in 2013, but researchers suggest that this nation-state actor has been active since at l...
Associated Vulnerabilities
No associations to display.