Unfading Sea Haze: New Espionage Campaign in the South China Sea

Bitdefender researchers tracked the Unfading Sea Haze espionage activity targeting high-level military and government entities in the South China Sea region, noting ongoing tool and technique evolution aligned with China’s interests. The group regains access through weak credentials and poor patch management, using new malware and a legitimate RMM to maintain footholds while exfiltrating sensitive documents, browser data, and messaging app files. #UnfadingSeaHaze #Gh0stRat #SerialPktDoor #EtherealGh0st #FluffyGh0st

Keypoints

  • Unfading Sea Haze impacted at least 8 military and government organizations in the South China Sea region and has been active since 2018.
  • One infection vector is spear phishing with ZIP archives containing LNK files that deploy the SerialPktDoor backdoor.
  • Post-compromise tooling includes .NET payloads SharpJsHandler and SerialPktDoor, plus Gh0stRat variants EtherealGh0st and FluffyGh0st (evolved from TranslucentGh0st and SilentGh0st).
  • The actor uses a legitimate remote monitoring and management (RMM) tool, presumably as a backup access point into victims’ networks.
  • Espionage goals focus on documents (doc/docx/pdf/txt/ppt), browser data, cookies, and exfiltration of Telegram, Viber, and other messaging app files.
  • The actor repeatedly regains access because of improper credential hygiene or poor patching of edge devices and exposed web services.
  • Detailed findings and defense considerations are available in the accompanying whitepaper.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Spear phishing with ZIP archives containing LNK files that deploy the SerialPktDoor backdoor. ‘One of the infection vectors used by Unfading Sea Haze is spear phishing with zip archives containing lnk deploying SerialPktdoor backdoor.’
  • [T1219] Remote Access Software – The actor uses a legitimate RMM tool, presumably as a backup access point into the victim’s network. ‘The actor uses the legitimate RMM, presumably as a backup access point into the victim’s network.’
  • [T1078] Valid Accounts – Regaining access through improper credential hygiene (weak or reused credentials). ‘regaining access to the victim’s systems either because of improper credential hygiene or because of bad patching strategies of the edge devices and exposed web services.’
  • [T1190] Exploit Public-Facing Application – Regaining access because of bad patching strategies for edge devices and exposed web services (same quote as above).
  • [T1119] Automated Collection – Interest in documents (doc, docx, pdf, txt, ppt) and browser data/cookies. ‘the actor presenting an interest in doc, docx, pdf, txt, and ppt files, also targeting browser data and cookies.’
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of messaging app files (Telegram, Viber, and others); the summary does not state the channel used, so the sub-mapping is an inference. ‘exfiltrating Telegram, Viber, and other messaging app files.’
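The archive-with-LNK delivery described in the keypoints and under T1566.001 is easy to triage at a mail gateway or in a sandbox pre-filter, because a Windows shortcut is identified by a fixed 20-byte header (HeaderSize 0x4C followed by the ShellLink CLSID), not by its extension. The following is an added example written for this page, not code from Bitdefender or from the campaign's tooling: it opens a ZIP in memory, flags every member whose content is a shortcut regardless of name, reports whether the LinkFlags HasArguments bit (0x20) is set (a shortcut that passes arguments to its target is the usual way an LNK launches an interpreter), and notes double-extension masquerading such as `report.pdf.lnk`. The sample archive and shortcut bytes are constructed inline; the file names in it are invented and are not indicators from the campaign.

```python
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import List

# MS-SHLLINK header: HeaderSize (0x0000004C) + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
LNK_HEADER_LEN = 76
LINKFLAGS_OFFSET = 20          # LinkFlags is the DWORD right after the CLSID
HAS_ARGUMENTS = 0x20           # LinkFlags bit: CommandLineArguments string present
HAS_WORKING_DIR = 0x10
# Document types the summary says the actor collects; used to spot lures like "x.pdf.lnk"
DOCUMENT_EXTS = (".doc", ".docx", ".pdf", ".txt", ".ppt")


@dataclass
class LnkFinding:
    name: str
    has_arguments: bool
    masquerades_as_document: bool


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a ShellLink header, whatever the file is called."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def link_flags(data: bytes) -> int:
    """Return the LinkFlags DWORD, or 0 if the header is truncated."""
    if len(data) < LINKFLAGS_OFFSET + 4:
        return 0
    return struct.unpack_from("<I", data, LINKFLAGS_OFFSET)[0]


def scan_zip(zip_bytes: bytes) -> List[LnkFinding]:
    """Flag every archive member that is a Windows shortcut by content."""
    findings: List[LnkFinding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(LNK_HEADER_LEN)      # only the header is needed
            if not is_lnk(head):
                continue
            lower = info.filename.lower()
            stem = lower[:-4] if lower.endswith(".lnk") else lower
            findings.append(
                LnkFinding(
                    name=info.filename,
                    has_arguments=bool(link_flags(head) & HAS_ARGUMENTS),
                    masquerades_as_document=stem.endswith(DOCUMENT_EXTS),
                )
            )
    return findings


def _minimal_lnk(flags: int) -> bytes:
    """Constructed sample: a header-only shortcut with the given LinkFlags (no target data)."""
    return LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (LNK_HEADER_LEN - 24)


def build_sample_archive() -> bytes:
    """Constructed sample ZIP: a lure shortcut with arguments, a benign text file, a plain shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting_Agenda.pdf.lnk", _minimal_lnk(HAS_ARGUMENTS | HAS_WORKING_DIR))
        zf.writestr("notes.txt", b"plain text, not a shortcut")
        zf.writestr("readme.lnk", _minimal_lnk(0))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print(f"{f.name}: has_arguments={f.has_arguments} "
              f"masquerades_as_document={f.masquerades_as_document}")
```

Matching on the header rather than the `.lnk` suffix matters because archive listings and some gateways hide or rename extensions; the HasArguments check is a heuristic that prioritises review, not proof of malice, since legitimate shortcuts also carry arguments.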

Indicators of Compromise

  • [Malware family] SerialPktDoor backdoor, SharpJsHandler, and the Gh0stRat variants EtherealGh0st and FluffyGh0st, as observed artifacts; these are family names, not atomic indicators. This summary carries no file hashes or network indicators; see the whitepaper linked below.
  • [Threat Actor / Group] Unfading Sea Haze (threat actor tracked by Bitdefender).
  • [Threat ID] BDx8y3ujm3X – Bitdefender IntelliZone threat ID with enriched TTPs and visualizations.
  • [URL] https://blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-Report-DeepDive-creat7721-en_EN.pdf (whitepaper download).
  • [URL] https://www.bitdefender.com/blog/labs/unfading-sea-haze-new-espionage-campaign-in-the-south-china-sea/ (original post).

Read more: https://www.bitdefender.com/blog/labs/unfading-sea-haze-new-espionage-campaign-in-the-south-china-sea/