Poison Carp, also known as Insomnia, is a threat actor that has been linked to Chinese state-sponsored hacking groups. It has been implicated in various cyber-attacks and espionage campaigns, notably against Tibetan minorities. The group was first recognized in a 2019 report that attributed certain malicious activities to an Advanced Persistent Threat (APT) group called Poison Carp. It has also been associated with other Chinese state-backed hacking entities such as RedHotel and RedAlpha.
The connection between Poison Carp and these other groups came to light through analysis of leaked data from iSoon, a Chinese hack-for-hire contractor. Security researchers at Recorded Future found documents linking iSoon to Poison Carp, RedHotel, and RedAlpha. These groups were believed to be sub-teams of iSoon, each focusing on specific missions. An IP address discovered in the iSoon leak further solidified this connection, as it hosted a phishing site previously used by Poison Carp in a 2019 hacking campaign against Tibetans.
Citizen Lab, a digital rights organization, has also attributed attacks to Poison Carp. Their research identified shared IP addresses and references to an Android remote access Trojan that had been previously linked to Poison Carp. This evidence, along with the data uncovered in the iSoon leak, strongly suggests that Poison Carp operates alongside or as part of a network of Chinese state-sponsored hacking groups, carrying out targeted cyber-espionage campaigns.
Description last updated: 2024-09-17T00:16:34.807Z