Full Report
Bitdefender researchers investigated a series of incidents at high-level organizations in countries of the South China Sea region, all carried out by the same threat actor, which we track as Unfading Sea Haze. Based on the victimology and the aims of the attacks, we believe the actor is aligned with China’s interests. Rising tensions in the region are mirrored by intensified Unfading Sea Haze activity, carried out with new and improved tools and TTPs. We notice
Analysis Summary
# Threat Actor: Unfading Sea Haze
## Attribution & Identity
* **Identification:** Threat actor tracked by Bitdefender as "Unfading Sea Haze."
* **Attribution:** Believed to be aligned with China’s interests based on victimology and the aim of the cyber-attacks.
* **Historical Activity:** Active since at least 2018, using older variants like TranslucentGh0st and SilentGh0st.
## Activity Summary
Unfading Sea Haze conducts espionage campaigns against organizations in the South China Sea region, and the intensity of its activity has reportedly risen in step with regional tensions. The actor repeatedly regains access to previously compromised networks, enabled by poor credential hygiene and by unpatched edge devices and exposed web services. Campaigns begin with spear phishing that leads to initial compromise, followed by post-compromise activity focused on data exfiltration.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear phishing utilizing ZIP archives that contain LNK files to deploy the initial payload.
* **Persistence/Secondary Access:** Use of legitimate Remote Monitoring and Management (RMM) tools, likely as a backup access vector.
* **Post-Compromise:** Deployment of custom malware and backdoors.
* **Data Targeting:** Exfiltrating specific file types (`.doc`, `.docx`, `.pdf`, `.txt`, `.ppt`), browser data, cookies, and files from messaging applications (Telegram, Viber).
## Targeting
* **Sectors:** Military and Government organizations.
* **Geography:** Countries in the South China Sea region.
* **Victims:** At least 8 military and government organizations impacted by this actor.
## Tools & Infrastructure
* **Malware Families:**
    * `SerialPktdoor`: .NET backdoor, deployed through the LNK-based initial-access chain.
    * `sharpJsHandler`: a second .NET payload.
    * `Gh0stRat` variants `EtherealGh0st` and `FluffyGh0st`, evolved from the older `TranslucentGh0st` and `SilentGh0st`.
* **Infrastructure:** Indicators of Compromise (IOCs) are listed in the linked whitepaper and are not reproduced in this summary.
## Implications
The actor demonstrates persistence and adaptability, upgrading older tools (the `Gh0stRat` variants) and exploiting common weaknesses (unpatched edge devices, weak credentials) to regain footholds. Its focus on military and governmental entities in a geopolitically sensitive region points to a high-priority, sustained espionage effort serving China’s strategic interests.
## Mitigations
* Strengthen credential hygiene practices across the organization.
* Maintain aggressive patching strategies for edge devices and all exposed web services.
* Implement robust detection mechanisms capable of identifying the specific TTPs associated with `SerialPktdoor`, `sharpJsHandler`, and the Gh0stRat variants.
* Monitor for LNK files delivered inside ZIP attachments via spear phishing, inspecting archive contents rather than relying on file extensions alone.
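The initial-access vector above (a ZIP archive carrying an LNK file) and the last mitigation both call for inspecting attachments by content. The following Python script is an added example, not code from Bitdefender or from the whitepaper: it walks an in-memory ZIP and flags members whose bytes begin with the MS-SHLLINK header (so a shortcut renamed to `Summary.pdf` is still caught), reports whether the shortcut carries command-line arguments, and also notes double extensions and nested archives. The sample archive, its member names, and the reason labels are constructed for the demonstration.

```python
"""Flag ZIP attachments that carry Windows shortcut (LNK) files.

Added example, not code from the Bitdefender report. Each archive member is
checked by content (the MS-SHLLINK header), not only by extension, so a
shortcut with a document-looking name is still caught. The sample archive
is constructed inline.
"""
from __future__ import annotations

import io
import struct
import zipfile

# MS-SHLLINK header: HeaderSize (0x4C) followed by the Shell Link CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
LNK_FLAGS_OFFSET = 0x14       # LinkFlags follows HeaderSize + CLSID
HAS_ARGUMENTS = 0x00000020    # LinkFlags bit: CommandLineArguments present
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a non-empty ZIP
LURE_DOC_EXTS = {"pdf", "doc", "docx", "txt", "ppt"}


def inspect_member(name: str, data: bytes) -> list[str]:
    """Return the reasons a single archive member looks suspicious (empty if none)."""
    reasons: list[str] = []
    lower = name.lower()
    if lower.endswith(".lnk"):
        reasons.append("lnk-extension")
    if data.startswith(LNK_HEADER):
        reasons.append("lnk-header")
        if len(data) >= LNK_FLAGS_OFFSET + 4:
            (flags,) = struct.unpack_from("<I", data, LNK_FLAGS_OFFSET)
            if flags & HAS_ARGUMENTS:
                # A shortcut with arguments is the usual launcher shape
                # (e.g. starting a script host or other LOLBin).
                reasons.append("lnk-has-arguments")
    # Double extension such as "Report.pdf.lnk": a document name with a
    # trailing executable-ish extension.
    parts = lower.rsplit("/", 1)[-1].split(".")
    if len(parts) >= 3 and parts[-2] in LURE_DOC_EXTS:
        reasons.append("double-extension")
    if data.startswith(ZIP_MAGIC):
        reasons.append("nested-zip")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP; map each flagged member name to its reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only the first 4 KiB: enough for every header checked
            # here, and it avoids inflating a decompression bomb.
            with zf.open(info) as fh:
                head = fh.read(4096)
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a lure archive shaped like the ZIP->LNK chain."""
    # Minimal shortcut: valid header, LinkFlags with HasArguments set,
    # zero padding up to the fixed 0x4C-byte header size.
    lnk = LNK_HEADER + struct.pack("<I", HAS_ARGUMENTS)
    lnk += b"\x00" * (0x4C - len(lnk))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("stage2.lnk", lnk)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Meeting_Agenda.pdf.lnk", lnk)   # classic double-extension lure
        z.writestr("Summary.pdf", lnk)              # LNK content under a benign name
        z.writestr("notes.txt", b"nothing to see here")
        z.writestr("attachments.zip", inner.getvalue())  # nested archive
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

`scan_zip` takes raw bytes, so it can sit behind a mail-gateway hook or be pointed at quarantined attachments with `open(path, "rb").read()`. Matching on the header rather than the `.lnk` suffix matters because Windows Explorer hides that suffix by default, and a renamed shortcut still opens as a shortcut.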