Cybersecurity researchers have disclosed a previously undocumented threat group named Unfading Sea Haze, active since 2018. The group has targeted high-level organizations in South China Sea countries, particularly focusing on military and government entities. Bitdefender’s report highlights the group’s repeated access to compromised systems, exploiting poor credential hygiene and inadequate patching practices.
Unfading Sea Haze’s activities appear to align with Chinese interests, using techniques similar to those of known Chinese threat actors like Mustang Panda and APT41. Their attacks utilize various iterations of the Gh0st RAT malware and a tool called SharpJSHandler. They have also been observed employing spear-phishing emails with booby-trapped archives to regain access to compromised entities.
The group uses sophisticated methods to maintain persistence, including scheduled tasks that mimic legitimate Windows files and manipulation of local Administrator accounts. They have also incorporated commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM since at least September 2022, a tactic not commonly seen among nation-state actors.
Unfading Sea Haze’s arsenal includes custom tools like SilentGh0st, InsidiousGh0st, TranslucentGh0st, FluffyGh0st, and EtherealGh0st, which are modular and adopt a plugin-based approach. They also use a loader called Ps2dllLoader, capable of bypassing the Antimalware Scan Interface (AMSI) and delivering payloads from cloud storage services. Their activities suggest a targeted espionage campaign focused on acquiring sensitive information, using a blend of custom and off-the-shelf tools to evade traditional security measures.