Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

Bitdefender Labs uncovered a previously unknown threat actor, dubbed Unfading Sea Haze, targeting government and military organizations in South China Sea countries with Gh0st RAT–based tools and evolving .NET payloads. The campaign shows long-running activity (since 2018) with in-memory execution and shifting tactics to evade detection, suggesting ties to the broader Chinese cyber ecosystem. #UnfadingSeaHaze #Gh0stRAT #SharpJSHandler #Ps2dllLoader #DustyExfilTool #xkeylog #MSBuild

Keypoints

  • New threat actor Unfading Sea Haze identified; targets are government/military organizations in South China Sea countries; activity traces back to 2018; likely aligned with Chinese interests.
  • Attack tooling includes Gh0st RAT variants and .NET payloads; evolution toward modular Gh0st variants (FluffyGh0st, InsidiousGh0st, EtherealGh0st) and in-memory, MSBuild–based execution.
  • Initial compromise known only in part; spear-phishing emails with malicious ZIP archives containing LNK files used to trigger execution in 2023.
  • Persistence relies on scheduled tasks with DLL sideloading (e.g., mspaint renamed as ServerManager.exe; malicious HID.dll) and a perceptionsimulation service to trigger the DLL load.
  • There are indications of web server persistence (IIS/Apache) via web shells or modules, though exact methods remain uncertain.
  • Data collection (xkeylog, browser data stealer, USB/WPD monitoring) and exfiltration (DustyExfilTool then curl/FTP, later dynamic credentials) show a broad espionage objective.
  • Threat actors have adopted ITarian RMM since Sept 2022 and use cloud-storage channels (DropBox/OneDrive) for C2 communications, complicating detection.
  • Bitdefender provides defense guidance: patch management, MFA/passwordless options, network segmentation/zero trust, multilayer defenses, logging, detection/response, threat intelligence, and collaboration.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – “Spear-phishing emails with malicious archives. These archives contained LNK files disguised as regular documents. When clicked, these LNK files would execute malicious commands.”
  • [T1204.002] User Execution: Malicious File – “LNK files disguised as regular documents. When clicked, these LNK files would execute malicious commands.”
  • [T1059.001] PowerShell – “PowerShell command line similar to the one below” and use of hidden PowerShell to run commands.
  • [T1218.005] Signed Binary Proxy Execution: MsBuild – “By setting the working directory to a remote location, MSBuild will search for a project file on that remote server. If a project file is found, MSBuild will execute the code it contains entirely in memory…”
  • [T1574.002] DLL Side-loading – “DLL sideloading to load a malicious library (DLL file);” ServerManager.exe and msftedit.dll example.
  • [T1021.002] SMB/Windows Admin Shares – “remote SMB shares” used to host payloads and execute in memory via MSBuild.
  • [T1555.003] Credentials from Web Browsers – “Browser data stealer” extracting cookies and browser data; “parses internal browser database files” for data.
  • [T1056.001] Input Capture: Keylogging – “xkeylog Keylogger” capturing keystrokes.
  • [T1041] Exfiltration Over C2 Channel – “transmits the file to the specified server using TLS over TCP” for secure exfiltration.
  • [T1567.002] Exfiltration to Cloud Storage – “two variations that utilize cloud storage services for communication (DropBox and OneDrive).”
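The two execution patterns listed above (MSBuild resolving its project file from a remote SMB share, and a renamed binary placed beside a malicious DLL for sideloading) both leave traces in process-creation telemetry. The following is an added example, not code from Bitdefender or the report: it runs two heuristics over constructed Sysmon-style events; the share name, the paths and the assumption that the legitimate ServerManager.exe lives only in System32 are assumptions for illustration.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon-style process-creation events ("key=value" fields separated
# by "|"). Illustrative samples only, not telemetry from the report; host names
# and paths are placeholders.
SAMPLE_EVENTS = [
    # MSBuild started by PowerShell with a UNC working directory and no project
    # argument: it will look for a project file on the remote share (T1218.005).
    "Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|CommandLine=msbuild.exe|CurrentDirectory=\\\\fileserver01\\public\\"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    # Benign developer build from a local project directory.
    "Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|CommandLine=msbuild.exe app.csproj|CurrentDirectory=C:\\src\\app\\"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    # ServerManager.exe outside System32 (the report describes mspaint renamed to
    # ServerManager.exe so that a malicious HID.dll beside it gets sideloaded).
    "Image=C:\\ProgramData\\Maintenance\\ServerManager.exe"
    "|CommandLine=ServerManager.exe|CurrentDirectory=C:\\ProgramData\\Maintenance\\"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe",
    # Genuine Server Manager launched from its normal location.
    "Image=C:\\Windows\\System32\\ServerManager.exe|CommandLine=ServerManager.exe"
    "|CurrentDirectory=C:\\Windows\\System32\\|ParentImage=C:\\Windows\\explorer.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' record into a dict (split each field only once on '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))

def analyze(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches either heuristic."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "")
        name = ntpath.basename(image).lower()
        # Rule 1: MSBuild resolving its project from a UNC path (remote SMB share).
        if name == "msbuild.exe" and (ev.get("CurrentDirectory", "").startswith("\\\\")
                                      or "\\\\" in ev.get("CommandLine", "")):
            findings.append({"rule": "msbuild_remote_project", "image": image})
        # Rule 2: ServerManager.exe outside System32. Assumption: the legitimate
        # binary lives only there, so any other location is worth a look.
        elif name == "servermanager.exe" and ntpath.dirname(image).lower() != "c:\\windows\\system32":
            findings.append({"rule": "servermanager_outside_system32", "image": image})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], "->", f["image"])
```

Both rules are starting points for a hunt, not a verdict: a build server that legitimately compiles from a share will trip Rule 1, so pair it with the parent process (PowerShell, a scheduled task) before escalating.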

Indicators of Compromise

  • [IP Address] 167.71.199.105, 188.166.224.242 – observed as endpoints for exfil/command and control
  • [IP Address] 159.223.78.147, 128.199.166.143 – observed in exfil/communication infrastructure
  • [Domain] upupdate.ooguy[.]com, fc.adswt[.]com – used as C2 or fetch points
  • [Domain] bitdefenderupdate[.]org, auth.bitdefenderupdate[.]com – appeared in infrastructure and update-related artifacts
  • [MD5] cb95ad8fad82eac1c553cd2d7470100b, 19dbf2d82f6f95a73f1529636e775295 – Ps2dllLoader, SilentGh0st
  • [MD5] 1ce17f0e2a000a889b3f81e80b95f19f – DustyExfilTool
  • [File] Data.zip / Data.lnk – LNK inside ZIP used for initial access; archives themed as “install microsoft defender web protection” used as lure
  • [File] Recorded.log and other logs referenced in PowerShell/data-extraction flows
  • [Process/Service] ekrn.exe (potential defense-evasion label) and perceptionsimulation service – indicators of scheduled task and sideloading activity
  • [URL] http://139.180.216[.]33/ico/error/? – exfiltration/monitoring beacon

Read more: https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/