
Unfading Sea Haze – Threat Actor

March 2, 2025
in Threat Actors

Unfading Sea Haze

Location

China

Date of initial activity

2018

Suspected attribution

Cybercriminal

Government Affiliation

Unknown

Motivation

Cyberespionage

Associated tools

SilentGh0st
.NET Payloads
Ps2dllLoader
SharpJSHandler
FluffyGh0st
InsidiousGh0st
TranslucentGh0st
EtherealGh0st

Software

Windows

Overview

Unfading Sea Haze has been active since at least 2018, focusing on military and government targets within the South China Sea region. Our investigation uncovered that this group has developed and deployed a range of advanced malware tools over the years, including multiple iterations of the notorious Gh0st RAT framework and various .NET-based payloads. These tools have enabled the group to maintain long-term access to compromised systems, highlighting significant vulnerabilities in credential management and patching practices among the targeted organizations. The threat actor’s ability to remain undetected for over five years is particularly alarming. Despite extensive efforts to cross-reference artifacts and review public reports, we found no previous mentions of Unfading Sea Haze’s activities. This level of stealth underscores the sophisticated nature of their operations and the critical need for enhanced cybersecurity measures.

Common targets

Unfading Sea Haze primarily targets high-level organizations in the South China Sea region, with a particular focus on:

  • Military Organizations: Unfading Sea Haze has shown a keen interest in military entities, aiming to gather intelligence and sensitive information that could provide strategic advantages.
  • Government Agencies: The group targets various government departments and agencies, likely to extract information related to national security, policy decisions, and diplomatic communications.
  • Political Institutions: Political parties and institutions are also on their radar, as gaining insights into political strategies and maneuvers can be valuable for influencing regional dynamics.
  • Educational Institutions: Universities and research centers involved in political or military research are targeted to access cutting-edge research and intellectual property.
  • Think Tanks: Organizations that provide strategic analysis and policy recommendations are targeted for their insights into regional and global political dynamics.

Attack Vectors

Phishing Emails

Exploitation of Vulnerabilities

Malicious Attachments

Remote Access Tools

How they operate

At the core of Unfading Sea Haze’s operations is their use of the Gh0st RAT framework, a versatile remote access tool that allows for extensive control over compromised systems. This tool, alongside its variants, is employed to establish and maintain persistent access to target networks. The group has also developed and used various .NET payloads, which demonstrate their capability to adapt and innovate based on the specific requirements of their campaigns.

One of the notable aspects of Unfading Sea Haze’s operations is their use of SharpJSHandler, a tool that functions similarly to a web shell but operates without relying on IIS servers. Instead, SharpJSHandler listens for HTTP requests and executes encoded JavaScript code using the Microsoft.JScript library. This flexibility allows the threat actor to adapt their tactics based on the environment they are targeting. Additionally, variations of SharpJSHandler have been observed using cloud storage services like Dropbox and OneDrive for communication, evading traditional detection methods associated with web shells.

The group’s attack vectors are diverse and include phishing emails, which are used to deliver malicious payloads and gain initial access. Exploitation of known vulnerabilities in software and systems is another method employed to breach target networks. Malicious attachments embedded in emails or distributed through other channels further facilitate initial access and system compromise. Once inside a network, Unfading Sea Haze uses remote access tools and command and control (C2) channels to maintain and extend their access, exfiltrating sensitive data and executing commands remotely.

Unfading Sea Haze’s persistence and the ability to adapt their tactics highlight the group’s proficiency in cyber espionage. Their focus on military and government targets in the South China Sea underscores their strategic objectives and alignment with broader geopolitical interests. By leveraging a combination of established tools and custom-developed payloads, the threat actor remains a significant concern for cybersecurity professionals and organizations operating in the region.

MITRE Tactics and Techniques

  • T1071.001 – Application Layer Protocol: Web Protocols: Use of HTTP and other web protocols for command and control.
  • T1133 – External Remote Services: Exploiting external remote services to gain unauthorized access.
  • T1218 – Signed Binary Proxy Execution: Using signed binaries to execute payloads.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Execution of malicious scripts through PowerShell.
  • T1064 – Scripting: Execution of scripts to perform actions within the target environment.
  • T1105 – Ingress Tool Transfer: Transfer of files to and from the compromised system.
  • T1070.001 – Indicator Removal on Host: Clear Windows Event Logs: Clearing event logs to remove traces of activities.
  • T1203 – Exploitation for Client Execution: Exploiting vulnerabilities in client applications for execution.
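Several of the techniques listed above, and the SharpJSHandler behaviour described in "How they operate" (a non-IIS HTTP handler running encoded JavaScript through Microsoft.JScript, with cloud storage used as a C2 channel), leave traces in standard Windows telemetry. The following Python triage script is an added example and is not code from CyberMaterial or from the referenced Bitdefender report. It applies simple rules over a handful of constructed event records: Security event 1102 and System event 104 for cleared event logs (T1070.001), Sysmon event 1 for PowerShell launched with an encoded command (T1059.001), Sysmon event 7 for a non-allowlisted process loading the .NET JScript engine (T1059.007, JavaScript, which is not in the page's list but is the relevant ATT&CK sub-technique), and Sysmon event 22 for DNS lookups of cloud storage API hosts from processes that are not the legitimate sync clients (T1071.001). The hostnames, file paths and allowlist are assumptions chosen for illustration.

```python
"""Rule-based triage of Windows telemetry for techniques in the profile above.

Added example, not code from CyberMaterial or the Bitdefender report.
Event IDs and field names follow Windows Security/System and Sysmon
conventions; every record in SAMPLE_EVENTS is constructed, not real data.
"""
import base64
import re
from dataclasses import dataclass

# Cloud storage API hosts of the kind the profile mentions for SharpJSHandler C2.
# Assumption: illustrative names; a production rule would use a maintained list.
CLOUD_STORAGE_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com"}

# Processes expected to contact those hosts (constructed allowlist, lowercase).
ALLOWLISTED_IMAGES = {
    r"c:\program files\dropbox\client\dropbox.exe",
    r"c:\program files (x86)\dropbox\client\dropbox.exe",
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
}

# PowerShell's -EncodedCommand switch, full name plus common abbreviations,
# followed by a base64-looking token (assumption: at least 16 characters).
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Alert:
    technique: str   # ATT&CK technique ID the rule maps to
    summary: str     # human-readable detail for the analyst
    index: int       # position of the triggering record in the input


def decode_powershell_b64(token):
    """-EncodedCommand arguments are base64 of UTF-16LE text; None if not decodable."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def _is_powershell(image):
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def triage(events):
    """Run every rule over the records and return the alerts in input order."""
    alerts = []
    for i, ev in enumerate(events):
        ch, eid = ev["channel"], ev["event_id"]
        # T1070.001: Security 1102 (audit log cleared) or System 104 (event log cleared).
        if (ch, eid) in {("Security", 1102), ("System", 104)}:
            alerts.append(Alert("T1070.001", f"event log cleared by {ev.get('user', '?')}", i))
        # T1059.001: PowerShell process creation carrying an encoded command.
        elif ch == "Sysmon" and eid == 1 and _is_powershell(ev["image"]):
            m = ENCODED_SWITCH.search(ev["command_line"])
            if m:
                decoded = decode_powershell_b64(m.group(1))
                shown = decoded if decoded is not None else "<undecodable>"
                alerts.append(Alert("T1059.001", f"encoded PowerShell: {shown}", i))
        # T1059.007: non-allowlisted process loading the .NET JScript engine, the
        # library the profile says SharpJSHandler uses to run encoded JavaScript.
        elif ch == "Sysmon" and eid == 7:
            if (ev["image_loaded"].lower().endswith("\\microsoft.jscript.dll")
                    and ev["image"].lower() not in ALLOWLISTED_IMAGES):
                alerts.append(Alert("T1059.007", f"{ev['image']} loaded Microsoft.JScript.dll", i))
        # T1071.001: DNS query for a cloud storage API from something other than the sync client.
        elif ch == "Sysmon" and eid == 22:
            if (ev["query_name"].lower() in CLOUD_STORAGE_HOSTS
                    and ev["image"].lower() not in ALLOWLISTED_IMAGES):
                alerts.append(Alert("T1071.001", f"{ev['image']} resolved {ev['query_name']}", i))
    return alerts


# Constructed sample telemetry. The base64 below is UTF-16LE "Get-Date", and the
# svchost.exe path under ProgramData is a made-up location for a masquerading binary.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 1102, "user": r"CORP\svc-backup"},
    {"channel": "System", "event_id": 104, "user": r"CORP\svc-backup"},
    {"channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"channel": "Sysmon", "event_id": 7, "image": r"C:\ProgramData\update\svchost.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.dll"},
    {"channel": "Sysmon", "event_id": 22, "image": r"C:\ProgramData\update\svchost.exe",
     "query_name": "api.dropboxapi.com"},
    {"channel": "Sysmon", "event_id": 22, "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "query_name": "api.dropboxapi.com"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.technique}] record {a.index}: {a.summary}")
```

Run stand-alone, the script reports five alerts and stays quiet on the two benign records (the plain `-File` PowerShell launch and the real Dropbox client's DNS lookup). The allowlist is the weak point of the cloud storage rule: an attacker can name a binary after a sync client, so a production version should key on signer and hash rather than path alone, and should correlate the event 7 and event 22 hits on the same process, as they are here.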

Impact / Significant Attacks

  • 2018 – Philippine Navy: Initial attacks targeted military networks, including those associated with the Philippine Navy.
  • 2019 – Philippine Coast Guard: The group conducted further operations against maritime security organizations, such as the Philippine Coast Guard.
  • 2020 – Indonesian Ministry of Foreign Affairs: Unfading Sea Haze expanded their focus to include diplomatic and foreign affairs institutions in the region.
  • 2021 – Vietnam Ministry of Defense: The group targeted the Ministry of Defense in Vietnam, reflecting a continued interest in military and defense-related information.
  • 2022 – Malaysian Ministry of Defense: The group’s activities included attacks on the Malaysian Ministry of Defense, emphasizing their ongoing focus on regional military organizations.
  • 2023 – Brunei Ministry of Foreign Affairs: Recent attacks have targeted Brunei’s Ministry of Foreign Affairs, highlighting the group’s persistent interest in diplomatic and government networks within the South China Sea region.
References:
  • Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea
  • Ghost RAT
Tags: China, Cybercriminal, Cyberespionage, Gh0st RAT, Government, Phishing, South China Sea, Threat Actors, Unfading Sea Haze, Vulnerabilities, Windows
