Unfading Sea Haze
Unfading Sea Haze is a previously undocumented, espionage-focused threat actor tracked by Bitdefender, with activity traced back to at least 2018. It has targeted at least eight victims, primarily military and government organizations in South China Sea countries and Southeast Asia. Based on victimology, tooling, and overlaps with other reporting, the activity is assessed as China-aligned; Bitdefender stated that the targeting and nature of the attacks suggest alignment with Chinese interests, but did not definitively match the actor to a previously identified group. The actor has demonstrated long-term persistence and repeated re-compromise of victim environments.

Reported persistence and access techniques include spear-phishing with ZIP archives containing malicious LNK files; scheduled tasks masquerading as legitimate Windows components; DLL sideloading; manipulation of local Administrator accounts by enabling disabled accounts, resetting their passwords, and hiding them from the logon screen via the Winlogon SpecialAccounts\UserList registry key; and use of the commercial ITarian RMM tool since at least September 2022. Bitdefender also found indications of possible persistence on Microsoft IIS and Apache httpd web servers, though the exact mechanism was not confirmed. A fileless technique was observed in which PowerShell launched MSBuild.exe with its working directory set to a remote SMB share, so that a project file hosted on the share was executed in memory.

Its malware ecosystem includes multiple Gh0st RAT-derived families and .NET payloads. From at least 2018 through 2023, reported tooling included SilentGh0st, TranslucentGh0st, SharpJSHandler, and the Ps2dllLoader loader. Starting in 2023, the actor shifted toward more modular and fileless tooling, including FluffyGh0st, InsidiousGh0st, and EtherealGh0st. Additional tools reported in Bitdefender's investigation include SerialPktdoor, xkeylog, a browser data stealer, a USB/WPD monitoring tool, and DustyExfilTool.
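The three host-level behaviours above (MSBuild run against a project on an SMB share, an account hidden through Winlogon SpecialAccounts\UserList, and a disabled local account switched back on) all leave telemetry that a hunt can key on. The following is an added example written for this page, not code from Bitdefender or from any of the reports cited; it runs simple detection logic over constructed Sysmon-style event records (Event ID 1 process creation and Event ID 13 registry value set), using Sysmon's field names as the assumed schema. The sample events, hostnames and paths are made up for the demonstration.

```python
"""Hunt logic for three Unfading Sea Haze host behaviours over Sysmon-style
events. Added example; the event records below are constructed samples,
not real telemetry."""
import re

# \\host\share at the start of a working directory, or anywhere in a command line
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")
# ...\Winlogon\SpecialAccounts\UserList\<user>; DWORD 0 hides <user> from the logon UI
USERLIST_RE = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.IGNORECASE)
# net.exe / net1.exe re-enabling a disabled local account
NET_ENABLE_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/active:yes", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_msbuild_remote_project(ev):
    """MSBuild whose working directory or project argument is a UNC path: the
    project file is read off the share and compiled/executed in memory."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "msbuild.exe":
        return None
    remote = UNC_RE.match(ev.get("CurrentDirectory", "")) or UNC_RE.search(ev.get("CommandLine", ""))
    if not remote:
        return None
    finding = {"rule": "msbuild_remote_project", "path": remote.group(0)}
    if _basename(ev.get("ParentImage", "")) in ("powershell.exe", "pwsh.exe"):
        finding["note"] = "parent is PowerShell, matches the reported chain"
    return finding


def check_hidden_account(ev):
    """UserList\\<user> set to 0. The account disappears from the logon screen
    and netplwiz but still works for RDP and network logons."""
    if ev.get("EventID") != 13:
        return None
    m = USERLIST_RE.search(ev.get("TargetObject", ""))
    # Sysmon renders DWORD data as "DWORD (0x00000000)"
    if m and re.search(r"0x0+\)?$", ev.get("Details", "")):
        return {"rule": "winlogon_hidden_account", "user": m.group(1)}
    return None


def check_account_enabled(ev):
    """`net user <name> /active:yes`, typically used to revive a disabled Administrator."""
    if ev.get("EventID") != 1:
        return None
    m = NET_ENABLE_RE.search(ev.get("CommandLine", ""))
    return {"rule": "local_account_reenabled", "user": m.group(1)} if m else None


CHECKS = (check_msbuild_remote_project, check_hidden_account, check_account_enabled)


def hunt(events):
    """Run every check over every event and return the findings, tagged with the host."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f:
                f["host"] = ev.get("Computer", "?")
                findings.append(f)
    return findings


# Constructed sample events (Sysmon field names; hosts, paths and IPs are invented)
SAMPLE_EVENTS = [
    # benign developer build: local project, parent is Visual Studio
    {"EventID": 1, "Computer": "DEV01",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "CurrentDirectory": r"C:\src\app", "CommandLine": "MSBuild.exe app.csproj /t:Build"},
    # reported chain: PowerShell starts MSBuild with its working directory on an SMB share
    {"EventID": 1, "Computer": "FS02",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CurrentDirectory": r"\\10.0.0.5\share", "CommandLine": "MSBuild.exe"},
    # hiding the built-in Administrator from the logon screen
    {"EventID": 13, "Computer": "FS02",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator",
     "Details": "DWORD (0x00000000)"},
    # unrelated Winlogon change, must not fire
    {"EventID": 13, "Computer": "DEV01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "Details": "0"},
    # re-enabling the built-in Administrator account
    {"EventID": 1, "Computer": "FS02", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\Windows\system32",
     "CommandLine": "net user Administrator /active:yes"},
    # benign net usage, must not fire
    {"EventID": 1, "Computer": "DEV01", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\Users\dev",
     "CommandLine": "net user /domain"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The MSBuild check deliberately keys on the UNC path rather than on the parent process: the PowerShell parent is corroborating context, but an attacker can launch MSBuild from any interactive shell, while the project file on a share is the part of the technique that makes it fileless. Sysmon needs a registry rule covering the Winlogon\SpecialAccounts key for Event 13 to be emitted at all, so confirm the configuration before relying on the second check.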
Unit 42 reported CL-STA-1049 activity using a novel Hypnosis loader in a DLL sideloading chain to deploy what it assessed was likely FluffyGh0st RAT, and stated that this cluster overlapped with the China-aligned group known as Unfading Sea Haze. Sophos reported that EtherealGh0st corresponds to malware it tracked as CCoreDoor, and noted overlap between its Cluster Bravo activity and Bitdefender's Unfading Sea Haze reporting. Observed capabilities include command execution, file transfer and manipulation, reverse shell functionality, keylogging, browser data theft, collection of clipboard and network information, and data exfiltration. Exfiltration reportedly evolved from the custom DustyExfilTool, which sent data over TLS on TCP from 2018 until January 2022, to curl and FTP, with the actor later rotating to randomly generated FTP credentials that were changed more frequently. Bitdefender also reported lures themed as Microsoft Defender installers and U.S. political topics, and one LNK chain that checked for the ESET process ekrn.exe before proceeding. Known aliases and related names directly mentioned in the reporting include the associated malware families EtherealGh0st, FluffyGh0st, InsidiousGh0st, SilentGh0st, and TranslucentGh0st, and overlap with Unit 42 cluster CL-STA-1049.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
28 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
China-aligned threat actor associated with FluffyGh0st RAT and overlapping with CL-STA-1049 activity.
Linked (strong evidence via tool overlap) to activity cluster CL-STA-1049, which used Hypnosis Loader (via DLL proxy sideloading) and deployed FluffyGh0st.
Chinese-nexus actor referenced due to strong malware and domain overlap between Cluster Bravo's CCoreDoor and Bitdefender's EtherealGh0st, reportedly targeting government and military entities in South China Sea countries.
Espionage and intelligence-collection operations targeting military and government entities in the South China Sea region since 2018, using spear-phishing, fileless malware execution via MSBuild, persistence mechanisms, credential and browser data theft, USB/WPD collection, and data exfiltration.