SneakyChef – Threat Actor

January 25, 2025
in Threat Actors

SneakyChef

Location

China

Date of initial activity

2023

Suspected Attribution

Cybercriminals

Motivation

Data Theft
Espionage

Associated Tools

SugarGh0st RAT

SFX RAR Files

VBScript
SpiceRAT

Command and Control (C2) Domains

Software

Servers
Networks

Overview

In the ever-evolving landscape of cyber threats, the emergence of new and sophisticated threat actors continues to challenge organizations worldwide. Among these, SneakyChef has risen to prominence as a particularly formidable player in the realm of cyber espionage. Identified by Cisco Talos in August 2023, SneakyChef is a threat actor known for its targeted and methodical approach to infiltrating sensitive government agencies and institutions. Their activities have been marked by the use of advanced malware and carefully crafted deceptive lures, reflecting a high level of sophistication and strategic planning. SneakyChef’s primary tool of choice is the SugarGh0st Remote Access Trojan (RAT), a versatile and powerful piece of malware that allows them to maintain control over compromised systems. Their infection strategies involve deploying malicious Self-Extracting RAR (SFX) files that, once executed, initiate a series of actions to establish persistence and deliver additional payloads. This method not only facilitates initial access but also ensures long-term control over the infected machines. The group’s ability to adapt and evolve their techniques is evident from their use of multiple RAT variants and the continuous refinement of their infection chains.

Common Targets

  • Uzbekistan
  • South Korea
  • India
  • Saudi Arabia
  • Angola
  • Kazakhstan
  • Latvia
  • Public Administration
  • Information

Attack vectors

Phishing

How they work

At the core of SneakyChef’s attack strategy is the use of the SugarGh0st RAT (Remote Access Trojan), which has become a hallmark of their operations. The group utilizes various infection techniques to deliver this RAT, with one notable method involving SFX RAR (Self-Extracting RAR) files. These files, when executed, deploy a series of malicious components onto the victim’s system. The SFX RAR acts as a wrapper that contains a decoy document, a DLL loader, an encrypted version of SugarGh0st, and a malicious VBScript. Upon execution, the VBScript is responsible for setting up persistence and executing the loader.

The persistence mechanism employed by SneakyChef involves manipulating the Windows registry. Specifically, the threat actor writes a command to the UserInitMprLogonScript registry key, which ensures that the malicious DLL is executed every time a user logs into the system. This technique leverages the regsvr32.exe utility to load the DLL silently, facilitating the stealthy operation of the SugarGh0st RAT. Once activated, the RAT decrypts and injects itself into a running process, enabling SneakyChef to maintain control over the compromised system.

In addition to SugarGh0st, SneakyChef has been observed using another RAT known as SpiceRAT. The dual deployment of RATs suggests a strategic approach to maximize the likelihood of successful infiltration and data exfiltration. The group’s malware arsenal also includes various obfuscation techniques to evade detection. The encrypted payloads and obfuscated communication protocols help to avoid triggering security alerts and detection mechanisms.

The decoy documents used by SneakyChef are meticulously crafted to mimic official government communications, further enhancing the effectiveness of their phishing campaigns. These documents, often impersonating ministries or embassies, serve as bait to lure targets into executing the malicious payloads. The choice of lures reflects the group’s focus on high-value targets across EMEA and Asia, including government agencies and diplomatic missions.

The infrastructure behind SneakyChef’s operations includes a network of command and control (C2) domains. The group has been observed using both old and new C2 domains to maintain communication with their malware. Domains such as account[.]drive-google-com[.]tk and account[.]gommask[.]online have been linked to the group’s activities, demonstrating their ability to adapt and persist despite security disclosures.
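The logon-script persistence described above leaves a clear registry footprint that defenders can watch for. The following is an added example, not code from the article or from Cisco Talos: it scans Sysmon-style "registry value set" records (Event ID 13) for writes to UserInitMprLogonScript and raises the severity when the stored command runs regsvr32.exe against a DLL outside the Windows or Program Files directories. The event records, the file paths and the trusted-directory list are constructed assumptions for the demo.

```python
"""Detect UserInitMprLogonScript persistence in Sysmon-style registry telemetry."""
import json
import re

# Constructed Sysmon Event ID 13 / 1 records as JSON lines; not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Windows\\System32\\wscript.exe","TargetObject":"HKU\\S-1-5-21-1-2-3-1001\\Environment\\UserInitMprLogonScript","Details":"regsvr32.exe /s C:\\Users\\Public\\loader.dll"}
{"EventID":13,"Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-1-2-3-1001\\Environment\\Path","Details":"C:\\Tools"}
{"EventID":13,"Image":"C:\\Windows\\System32\\reg.exe","TargetObject":"HKU\\S-1-5-21-1-2-3-1001\\Environment\\UserInitMprLogonScript","Details":"C:\\Program Files\\Corp\\logon.cmd"}
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","CommandLine":"regsvr32.exe /s C:\\Users\\Public\\loader.dll"}
"""

# The value runs at every interactive logon (the technique the article describes).
LOGON_SCRIPT_RE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.IGNORECASE)
REGSVR32_RE = re.compile(r"\bregsvr32(\.exe)?\b", re.IGNORECASE)
# Assumed trusted roots; a DLL loaded from anywhere else is treated as suspicious.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify_event(event):
    """Return 'high', 'medium' or 'low' for a relevant event, or None otherwise."""
    if event.get("EventID") != 13:
        return None
    if not LOGON_SCRIPT_RE.search(event.get("TargetObject", "")):
        return None
    details = event.get("Details", "")
    uses_regsvr32 = bool(REGSVR32_RE.search(details))
    # Check every drive-letter path in the command against the trusted roots.
    untrusted = any(
        not details[m.start():].lower().startswith(TRUSTED_DIRS)
        for m in re.finditer(r"[a-z]:\\", details, re.IGNORECASE)
    )
    if uses_regsvr32 and untrusted:
        return "high"    # regsvr32 loading a DLL from a user-writable location
    if uses_regsvr32 or untrusted:
        return "medium"
    return "low"         # any write to this value still deserves a look


def scan(jsonl):
    """Parse JSON-lines telemetry; return (TargetObject, Details, severity) hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify_event(event)
        if severity:
            hits.append((event["TargetObject"], event["Details"], severity))
    return hits


if __name__ == "__main__":
    for target, details, severity in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {target} := {details}")
```

On a live host the same check can be run against the exported registry hive or against the Sysmon channel in the Windows event log; the Event ID 1 record in the sample shows the matching regsvr32 process start that a correlated rule would pair with the registry write.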

MITRE Tactics and Techniques

Initial Access (TA0001):
Phishing (T1566): SneakyChef uses phishing emails with malicious attachments, such as SFX RAR files containing SugarGh0st RAT, to gain initial access to victim systems.
Execution (TA0002):
Scripting (T1059): The group employs malicious VBScript to execute payloads and establish persistence on compromised systems.
Persistence (TA0003):
Registry Run Keys / Startup Folder (T1547.001): SneakyChef uses VBScript to modify the Windows registry (specifically, UserInitMprLogonScript), ensuring their malware is executed upon system login.
Privilege Escalation (TA0004):
Exploitation for Client Execution (T1203): By exploiting vulnerabilities in document viewing software, SneakyChef may escalate privileges on targeted systems.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): The use of encrypted payloads and obfuscation techniques helps SneakyChef evade detection by security solutions.
Credential Access (TA0006):
Input Capture (T1056): Through SugarGh0st, the group captures keystrokes to collect sensitive information, including credentials.
Discovery (TA0007):
System Information Discovery (T1082): SneakyChef gathers system information to identify valuable targets and further tailor their attack.
Lateral Movement (TA0008):
Remote Services (T1021): The RAT’s capabilities allow SneakyChef to move laterally across networks by exploiting remote services.
Collection (TA0009):
Data from Local System (T1005): The group exfiltrates files and data from compromised systems to achieve their espionage goals.
Command and Control (TA0011):
Application Layer Protocol (T1071): SneakyChef uses C2 domains to communicate with and control compromised systems, typically via standard web protocols to avoid detection.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): Data collected from infected systems is sent to the threat actor’s command and control infrastructure over the same channels used for C2 communication.
Impact (TA0009):
Data Manipulation (T1565): The group may manipulate data on the compromised systems to disrupt operations or alter information.

References:
  • SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques