
Newly Detected Chinese Group Targeting Military, Government Entities

Unfading Sea Haze has been targeting military and government entities in South China Sea countries since 2018.


A Chinese threat actor has been targeting military and government entities in South China Sea countries for at least six years, Bitdefender reports.

Dubbed Unfading Sea Haze, the hacking group is focused on espionage and capable of regaining access to compromised environments, and it has remained under the radar since 2018 using new and improved tools, tactics, and techniques (TTPs).

While the initial intrusion vector employed by Unfading Sea Haze is not known, the threat actor has been observed employing spear-phishing in some attacks, followed by the deployment of custom malware and tools.

Spear-phishing emails employed in attacks over the past year included malicious archives containing LNK files that execute malicious commands, leading to the deployment of malware.

For persistence, Unfading Sea Haze used scheduled tasks coupled with the manipulation of local administrator accounts. The attackers attempted to enable or disable the administrator account, reset its password, and hide it from the login screen.
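One way a defender could hunt for the account manipulation and scheduled-task persistence described above, as an added example that is not taken from Bitdefender's report or from this article. It correlates standard Windows Security event IDs per host and account. The event field names, the 30-minute window, the sample events and the registry-based hiding method are assumptions, since the report summary names no specific mechanism.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for the account changes the article lists.
ACCOUNT_ACTIONS = {4722: "enabled", 4725: "disabled", 4724: "password_reset"}
TASK_CREATED, REG_VALUE_SET = 4698, 4657
# Assumption: the account is hidden via this Winlogon key (article names no method).
HIDE_KEY = r"winlogon\specialaccounts\userlist"
WINDOW = timedelta(minutes=30)  # assumed correlation window

def classify(ev):
    """Return (account, action) for a relevant event, else None."""
    if ev["id"] in ACCOUNT_ACTIONS:
        return ev["target"].lower(), ACCOUNT_ACTIONS[ev["id"]]
    if ev["id"] == REG_VALUE_SET and ev.get("key", "").lower().endswith(HIDE_KEY):
        return ev["value"].lower(), "hidden_from_logon"
    return None

def find_account_tampering(events, min_actions=2):
    """Flag accounts with >= min_actions distinct changes on one host in WINDOW."""
    per_acct, tasks = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == TASK_CREATED:
            tasks[ev["host"]].append((ev["time"], ev["task"]))
            continue
        hit = classify(ev)
        if hit:
            per_acct[(ev["host"], hit[0])].append((ev["time"], hit[1]))
    alerts = []
    for (host, acct), seq in per_acct.items():
        for i, (start, _) in enumerate(seq):
            actions = sorted({a for t, a in seq[i:] if t - start <= WINDOW})
            if len(actions) >= min_actions:
                # Scheduled tasks created on the same host around the same time.
                near = [n for t, n in tasks[host] if abs(t - start) <= WINDOW]
                alerts.append({"host": host, "account": acct,
                               "actions": actions, "tasks_nearby": near})
                break
    return alerts

T0 = datetime(2024, 1, 1, 2, 0)
UL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
SAMPLE = [  # constructed events, not taken from the report
    {"id": 4722, "host": "srv01", "time": T0, "target": "Administrator"},
    {"id": 4724, "host": "srv01", "time": T0 + timedelta(minutes=1), "target": "Administrator"},
    {"id": 4657, "host": "srv01", "time": T0 + timedelta(minutes=2), "key": UL, "value": "Administrator"},
    {"id": 4698, "host": "srv01", "time": T0 + timedelta(minutes=5), "task": r"\Updater"},
    {"id": 4724, "host": "ws07", "time": T0, "target": "jdoe"},  # lone password reset
]
if __name__ == "__main__":
    print(find_account_tampering(SAMPLE))
```

Events 4657 and 4698 are only logged when registry auditing and object-access auditing are enabled, so a host without those policies will show the account events alone.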

Additionally, the threat actor has been observed using commercially available remote monitoring and management (RMM) tools, such as ITarian RMM, to gain access to the victim networks.

“We also found evidence suggesting the attacker may have established persistence on web servers, including both Windows IIS and Apache httpd. Potential methods include web shells or malicious modules designed for these web server platforms (IIS modules and httpd modules),” Bitdefender notes.

Between 2018 and 2023, Unfading Sea Haze relied on two Gh0st RAT variants named SilentGh0st and TranslucentGh0st, and on variants of the .NET agent SharpJSHandler, which was supported by a loader named Ps2dllLoader to execute payloads in memory.


Last year, the threat actor replaced Ps2dllLoader with a new fileless attack mechanism and switched to more modular (plugin-based) variants of Gh0st RAT, namely FluffyGh0st, InsidiousGh0st, and EtherealGh0st.

The backdoors support commands for file and folder manipulation, command execution, file download and upload, and data harvesting, but the adversary was also seen employing other custom malware and various tools for keylogging, browser data harvesting, and data exfiltration.

According to Bitdefender, Unfading Sea Haze has hit at least eight government and military organizations in the South China Sea region, and its activities appear aligned with Beijing’s interests, suggesting it could be a nation-state adversary operating out of China.

Furthermore, the use of Gh0st RAT variants has been linked to Chinese threat actors before, and the sharing of resources between Chinese hacking groups, as well as overlaps with APT41’s tooling, reinforce the assumption that Unfading Sea Haze is a Chinese adversary.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

