Key points
- I-Soon’s leaked materials emphasize data exploitation and analyst automation (deep learning for email/entity extraction) over in-house exploit development.
- Primary ingress methods are phishing and social-engineering; exploit development and zero-day capability appear limited or sourced from partners.
- Windows implants include a ShadowPad-like RAT with polymorphism and common espionage features; Linux implant “Hector/TreadStone” supports HTTP/HTTPS/websockets and SOCKS5 proxying.
- Email-focused platforms (Microsoft Secret Extraction Platform / Email Collection Platform) obtain credentials/access tokens to continuously siphon Outlook/Gmail/POP3/IMAP inboxes and feed the analysis platform.
- Automated penetration-testing framework repackages open-source tools (Metasploit, nmap, SET, Hydra) behind easy GUIs for lower-skilled operators.
- Hardware and appliances (Wi‑Fi Proximity Attack System, anonymous routers) support local access, WPA handshake capture, router compromise, and proxying into victim networks.
MITRE Techniques
- [T1566] Phishing – Used as the main initial access vector and supported by social-engineering modules (‘phishing generation, website cloning’ / ‘building trust’ before delivering payload).
- [T1071] Application Layer Protocol – C2 communications use HTTP, HTTPS or websockets (‘communicates with its C2 server using HTTP, HTTPS or websockets’).
- [T1021] Remote Services (Pivoting) – Operators pivot through infected hosts to reach external networks (‘can pivot through other infected machines in the network to access the internet’).
- [T1547] Boot or Logon Autostart Execution – Persistence methods include techniques not visible to Sysinternals autoruns (‘Persistence method not monitored by the Sysinternals autoruns.exe utility’).
- [T1550] Use of Valid Accounts – Outlook/Gmail credentials or access tokens are acquired and reused to siphon inboxes (‘An “access token” is obtained based on these credentials and is used to continuously siphon the user’s inbox’).
- [T1041] Exfiltration Over Command and Control Channel – Stolen emails and files are continuously exfiltrated to C2/storage for analysis (‘all files and contacts can be exfiltrated to the C2 server’).
- [T1046] Network Service Discovery / Scanning – Automated penetration tooling performs ping and multiple port scan types (connect(), SYN, NULL, Idle) to discover services (‘Determining if the machine is up (via a ping); Scanning its ports (connect() scan, SYN scan, NULL scan, Idle scan…)’).
- [T1056] Input Capture (Keylogging) – Implants capture keystrokes and related input data (‘keylogging’ capability advertised for Windows/macOS implants).
- [T1113] Screen Capture – Backdoors capture screen contents for intelligence collection (‘screen capture’ listed among implant features).
- [T1499] Endpoint Denial of Service (DDoS) – I-Soon offers DDoS capabilities (SYN, TCP, UDP, ACK, GET flooding) as an advertised service (‘can then engage in SYN, TCP, UDP, ACK or GET flooding’).
- [T1588] Acquire Infrastructure – Guidance and services for procuring anonymous overseas VPS, network links and OPSEC for hosting attack infrastructure (‘all the network links need to be purchased anonymously, with untraceable/fake online personas’).
Indicators of Compromise
- [IP addresses] C2 / platform references – 101.219.17[.]111, 118.31.3[.]116, and 7 more listed IPs (historical list provided in leaked archive).
- [Domains] Infrastructure and C2 context – mailnotes[.]online (linked to mobile targeting) and 16clouds[.]com variants (C2/platform references).
- [Email addresses] Leak/source attribution – [email protected], [email protected] (accounts associated with the GitHub repository and GPG key in leak metadata).
- [Hostnames/addresses] ShadowPad/implant controllers – 8.218.67[.]52 (noted as a C2 in vendor reports) and 31.3[.]116 (ShadowPad C2 noted by SentinelOne).
I-Soon’s technical workflow centers on access acquisition through phishing or delivered executables that harvest credentials or produce access tokens; those tokens are then used by the Microsoft Secret Extraction Platform / Email Collection Platform to continuously siphon Outlook, Gmail or POP3/IMAP inboxes. Phishing flows are staged: initial social engineering to build trust, followed by credential capture or a “forensics link” that yields an access token. The platforms then pull messages into an analysis pipeline and can maintain access until the credentials are changed. The collection platforms claim the ability to bypass two‑factor protections and to check for IP-based restrictions (likely via direct protocol connections or stolen tokens).
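The defensive signal for the token-based siphoning described above is mailbox access that is non-interactive, comes from an address the user has never logged in from, and persists for days. The following detector is an added example, not code from the HarfangLab analysis or the leak; the log format and all events are constructed for illustration, with "interactive" meaning a user login that completed MFA and "token_read" meaning mailbox access performed with an access/refresh token and no user present.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not from the leak); one JSON object per line.
SAMPLE_LOG = """
{"ts":"2024-03-01T08:02:00","user":"alice","kind":"interactive","ip":"203.0.113.10"}
{"ts":"2024-03-01T08:05:00","user":"alice","kind":"token_read","ip":"203.0.113.10"}
{"ts":"2024-03-01T22:40:00","user":"alice","kind":"token_read","ip":"198.51.100.77"}
{"ts":"2024-03-02T22:41:00","user":"alice","kind":"token_read","ip":"198.51.100.77"}
{"ts":"2024-03-03T22:39:00","user":"alice","kind":"token_read","ip":"198.51.100.77"}
{"ts":"2024-03-02T09:00:00","user":"bob","kind":"interactive","ip":"203.0.113.22"}
{"ts":"2024-03-02T09:30:00","user":"bob","kind":"token_read","ip":"203.0.113.22"}
"""

def parse_events(text):
    """Parse the JSON-lines log and convert timestamps to datetime objects."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def find_siphoning(events, min_hours=24, min_reads=2):
    """Alert on token-only mailbox reads from an IP that never appears in the
    same user's interactive logins and that keep recurring for >= min_hours."""
    interactive_ips = defaultdict(set)        # user -> IPs seen at MFA logins
    token_reads = defaultdict(list)           # (user, ip) -> timestamps of token reads
    for e in events:
        if e["kind"] == "interactive":
            interactive_ips[e["user"]].add(e["ip"])
        elif e["kind"] == "token_read":
            token_reads[(e["user"], e["ip"])].append(e["ts"])
    alerts = []
    for (user, ip), stamps in token_reads.items():
        if ip in interactive_ips[user]:
            continue                          # same address the user logged in from
        stamps.sort()
        span_hours = (stamps[-1] - stamps[0]).total_seconds() / 3600
        if len(stamps) >= min_reads and span_hours >= min_hours:
            alerts.append({"user": user, "ip": ip, "reads": len(stamps),
                           "first": stamps[0].isoformat(), "last": stamps[-1].isoformat()})
    return alerts

if __name__ == "__main__":
    for a in find_siphoning(parse_events(SAMPLE_LOG)):
        # A password reset alone does not invalidate already-issued tokens;
        # revoke the account's refresh tokens/sessions as part of the response.
        print(f"ALERT {a['user']}: {a['reads']} token-only reads from {a['ip']} "
              f"between {a['first']} and {a['last']}")
```

The thresholds are deliberately conservative; tune min_hours and min_reads against your own baseline of legitimate mobile and desktop clients that refresh tokens from changing addresses.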
For host compromise and lateral movement, I-Soon offered a Windows RAT (a ShadowPad-like implant) with polymorphism, service management, keylogging and screen capture, and a Linux implant (Hector/TreadStone) with a dynamic plugin model that communicates over HTTP/HTTPS/websockets and implements SOCKS5 proxying and TCP port reuse to tunnel traffic. Mobile implants for iOS/Android gather device identifiers, location, microphone audio, contacts and files; Android variants can request root to capture SMS/IM, enable remote camera/Wi‑Fi control, and be installed as system apps to survive factory resets. Some implants support runtime selection of encryption algorithms and persistence methods claimed to evade common detection tools.
The company’s offensive tooling and automation are built around repackaging open-source components: an automated penetration-testing framework with Metasploit-like modules, nmap-equivalent scanning modes, SET-like social-engineering, and Hydra-like brute forcing, exposed via GUIs and APIs for low-skill operators. Collected data feeds business‑intelligence platforms (email analysis, entity extraction and social-graph building) that use deep-learning to tag, classify and map relationships inside stolen corpora. Supporting hardware (Wi‑Fi Proximity Attack System, anonymous routers) and managed infrastructure practices (extranet on overseas VPS, one-way access links, backhaul, OPSEC guidance) enable local ingress, handshake capture, router compromise and anonymized operator connectivity; additional services include active scanning and DDoS modules.
Read more: https://harfanglab.io/en/insidethelab/isoon-leak-analysis/