Unfading Sea Haze: New Espionage Campaign in the South China Sea

Bitdefender researchers investigated a series of incidents at high-level organizations in countries of the South China Sea region, all performed by the same  threat actor we track as Unfading Sea Haze. Based on the victimology and the cyber-attack’s aim, we believe the threat actor is aligned with China’s interests.
As tensions in the region rise, they are reflected in the intensification of activity on behalf of the Unfading Sea Haze actor, which uses new and improved tools and TTPs.

We noticed multiple times that the actor was regaining access to the victim’s systems either because of improper credential hygiene or because of bad patching strategies of the edge devices and exposed web services. Thus, this publication intends to raise awareness of the importance of respecting essential best practices that ensure security and to share with the community information that could help detect and disrupt Unfading Sea Haze’s espionage activities.

Key findings

The Unfading Sea Haze impacted at least 8 military and government organizations, a threat actor that has been active at least since 2018.

• One of the infection vectors used by Unfading Sea Haze is spear phishing with zip archives containing lnk deploying SerialPktdoor backdoor.
• The tools of choice for Unfading Sea Haze’s post-compromise activity are .net payloads sharpJsHandler and SerialPktDoor and two variations of the Gh0stRat—EtherealGh0st and FluffyGh0st—which evolved from two other old variants, TranslucentGh0st and SilentGh0st, used by the threat actor since at least 2018.
• The actor uses the legitimate RMM, presumably as a backup access point into the victim’s network.
• The aim of the activity is espionage, the actor presenting an interest in doc, docx, pdf, txt, and ppt files, also targeting browser data and cookies, and exfiltrating Telegram, Viber, and other messaging app files

A full analysis of the attack is available in the whitepaper below:

Download the whitepaper [PDF]

Indicators of compromise

Currently known indicators of compromise can be found in the whitepaper. Bitdefender Threat Intelligence customers can access enriched, contextual insights about this attack. The Threat ID BDx8y3ujm3X in the Bitdefender IntelliZone portal includes additional TTPs and visualizations. For more information about Bitdefender Threat Intelligence solution visit our product page.