# Full Report
Bitdefender researchers investigated a series of incidents at high-level organizations in countries of the South China Sea region, all performed by the same threat actor we track as Unfading Sea Haze. Based on the victimology and the cyber-attack’s aim, we believe the threat actor is aligned with China’s interests. As tensions in the region rise, they are reflected in the intensification of activity on behalf of the Unfading Sea Haze actor, which uses new and improved tools and TTPs. We notice
# Analysis Summary
# Threat Actor: Unfading Sea Haze
## Attribution & Identity
* **Identification:** Threat actor tracked as Unfading Sea Haze by Bitdefender researchers.
* **Attribution:** Believed to be aligned with China’s interests based on victimology and the cyber-attack’s aim.
* **Aliases/Associated Groups:** None explicitly mentioned. The actor has been active since at least 2018 and uses evolved versions of older tools.
## Activity Summary
The actor is currently engaged in an espionage campaign targeting high-level organizations in countries within the South China Sea region. This activity has intensified amid rising regional tensions. The actor has been active since at least 2018. A key finding is their ability to regain access to victim systems, often due to poor credential hygiene or inadequate patching of edge devices and exposed web services.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear phishing utilizing zip archives containing `.lnk` files to deploy the initial payload.
- **Execution/Persistence (Backdoors):** Deployment of the `SerialPktdoor` backdoor.
- **Post-Compromise Activity:** Use of .NET payloads, including `sharpJsHandler` and `SerialPktdoor`.
- **Remote Access (RATs):** Utilization of two variations of Gh0stRat: `EtherealGh0st` and `FluffyGh0st`, which are evolutions of older variants (`TranslucentGh0st` and `SilentGh0st`).
- **Backup Access:** Use of legitimate Remote Monitoring and Management (RMM) tools as a fallback access method if the custom backdoors are removed.
- **Data Staging/Exfiltration:** Interest in collecting `doc`, `docx`, `pdf`, `txt`, and `ppt` files, targeting browser data and cookies, and exfiltrating files from Telegram, Viber, and other messaging applications.
- **Vulnerability Exploitation (Implicit):** Repeatedly regaining access through exploitation of vulnerable edge devices and exposed web services.
## Targeting
* **Sectors:** Military and Government organizations.
* **Geography:** Countries in the South China Sea region.
* **Victims:** At least 8 military and government organizations have been impacted. Specific names are not provided in this summary text.
## Tools & Infrastructure
* **Malware Families Used:**
  * SerialPktdoor (.NET backdoor)
  * sharpJsHandler (.NET payload)
  * EtherealGh0st (Gh0stRat variant)
  * FluffyGh0st (Gh0stRat variant)
* **Infrastructure:** Information regarding specific C2 domains or IPs is deferred to the full whitepaper/Threat ID BDx8y3ujm3X, and none are explicitly mentioned or defanged here.
## Implications
The actor poses a persistent espionage threat focused on strategic geopolitical entities in Southeast Asia. Their reliance on social engineering (spear phishing) combined with sophisticated, proprietary backdoors (SerialPktdoor, evolving Gh0stRat variants) indicates a well-resourced, nation-state-aligned threat actor focused on long-term intelligence gathering. Their ability to re-compromise targets suggests effective persistence mechanisms.
## Mitigations
- Implementing robust defenses against spear phishing, particularly concerning zip archives and shortcut files (`.lnk`).
- Strictly enforcing strong **credential hygiene** to prevent unauthorized access or re-access.
- Implementing rigorous and timely **patching strategies** for all edge devices and publicly exposed web services, since these are the initial access vectors the actor reuses.
- Monitoring for the presence and unauthorized use of legitimate **RMM software** within the network.
- Deploying enhanced detection capabilities to identify the specific malware families listed (SerialPktdoor, Gh0stRat variants).
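The initial-access lure described above (a zip archive carrying a `.lnk` shortcut) is something a mail gateway or file scanner can flag before the archive reaches a user. The following is an added example, not code from the Bitdefender report or the actor's tooling; it inspects an archive for shortcut members by extension and by the ShellLink header, descends into nested zips, and builds its own constructed sample archive for a stand-alone run (`find_lnk_entries`, `build_sample_lure` and the entry names are assumptions).

```python
import io
import zipfile

# Every Windows shortcut begins with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}, stored little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3  # do not descend into archives nested deeper than this


def find_lnk_entries(archive_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return the paths of members that are .lnk files, by extension or by
    header, recursing into nested zips. Non-zip input yields an empty list."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with zf.open(info) as fh:          # read only the header first
                head = fh.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                findings.append(path)          # double extensions like "x.pdf.lnk" land here too
            elif head.startswith(ZIP_MAGIC):
                findings += find_lnk_entries(zf.read(info), depth + 1, path + "/")
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample (not a real lure): a decoy PDF, a shortcut with a double
    extension, and a nested zip hiding a shortcut without the .lnk extension."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56       # header stub only, not a usable shortcut
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("attachment/notes", fake_lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Agenda.pdf", b"%PDF-1.4 decoy")
        z.writestr("Agenda.pdf.lnk", fake_lnk)
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_lnk_entries(build_sample_lure()):
        print("shortcut inside archive:", hit)
```

Matching on the header as well as the extension is what catches the renamed member inside the nested archive; an extension-only rule would miss it.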