Cybersecurity researchers have uncovered a previously unknown threat group named Unfading Sea Haze, active since 2018, targeting high-level organizations in South China Sea countries, especially military and government entities.
“The investigation revealed a troubling trend beyond the historical context,” said the researcher, noting that the attackers have repeatedly regained access to compromised systems. This underscores a critical vulnerability: poor credential hygiene and inadequate patching practices on exposed devices and web services.
While the attack signatures do not directly overlap with those of any known hacking groups, there are indications that the threat actor behind the attacks operates with goals aligned with Chinese interests. This aligns with the victimology footprint, as countries like the Philippines and other organizations in the South Pacific have previously been targeted by the China-linked Mustang Panda actor.
The attacks also utilize various iterations of the Gh0st RAT malware, a trojan known to be used by Chinese-speaking threat actors.
One specific technique employed by Unfading Sea Haze involves running JScript code through a tool called SharpJSHandler, resembling a feature found in the ‘FunnySwitch’ backdoor, which has been linked to APT41. However, this similarity is isolated.
The exact initial access pathway used to infiltrate targets is currently unknown. However, Unfading Sea Haze has been observed regaining access to the same entities through spear-phishing emails containing booby-trapped archives. These archives launch the infection process by executing a command that retrieves the next-stage payload from a remote server. This payload is a backdoor dubbed SerialPktdoor, designed to run PowerShell scripts, enumerate directories, download/upload files, and delete files.
The attacks use scheduled tasks for persistence. The task names impersonate legitimate Windows files, and each task runs a benign, legitimate executable that is susceptible to DLL side-loading, so that the executable loads a malicious DLL placed beside it.
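The persistence pattern above has a recognisable shape on the endpoint: a task whose name borrows a Windows file name, an action that runs from a user-writable directory, and a DLL next to that executable carrying the name of a system DLL. The following detection logic, added here as an illustration and not code from the report or from any vendor, scores constructed task records against those three signals. The pipe-delimited record format, the reference lists of Windows file and DLL names, and the two-signal threshold are all assumptions made for the example.

```python
"""Score scheduled-task records for the side-loading persistence pattern:
task name mimics a Windows file, action runs from a user-writable path,
and a system-DLL name sits beside the executable.

Added example; the records, name lists and threshold are constructed.
"""

# Constructed subset of legitimate Windows file names (assumption).
WINDOWS_FILE_NAMES = {
    "svchost.exe", "taskhostw.exe", "dllhost.exe", "conhost.exe",
    "wininit.exe", "explorer.exe", "MsMpEng.exe",
}

# Constructed subset of DLL names that normally live in System32 and are
# resolved by executable-directory-first search order (assumption).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}

# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\",
)


def parse_record(line):
    """Parse a constructed 'task|command|file1,file2' record into a dict."""
    task_name, command, files = line.strip().split("|")
    return {
        "task": task_name,
        "command": command,
        "files": [f for f in files.split(",") if f],  # inventory of the exe's directory
    }


def masquerades_as_windows_file(task_name):
    """True if the task's leaf name equals a Windows file name or its stem."""
    leaf = task_name.rstrip("\\").rsplit("\\", 1)[-1].lower()
    for name in WINDOWS_FILE_NAMES:
        stem = name.lower().rsplit(".", 1)[0]
        if leaf in (name.lower(), stem):
            return True
    return False


def runs_from_user_writable(command):
    """True if the executable path contains a user-writable marker."""
    path = command.lower()
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def shadowed_system_dlls(files):
    """DLLs beside the executable whose names collide with system DLLs."""
    return sorted(f for f in files if f.lower() in SYSTEM_DLL_NAMES)


def analyze(line, threshold=2):
    """Return the findings for one record; 'suspicious' needs >= threshold signals."""
    rec = parse_record(line)
    findings = []
    if masquerades_as_windows_file(rec["task"]):
        findings.append("task name mimics a Windows file name")
    if runs_from_user_writable(rec["command"]):
        findings.append("action runs from a user-writable directory")
    dlls = shadowed_system_dlls(rec["files"])
    if dlls:
        findings.append("system DLL name beside executable: " + ", ".join(dlls))
    return {"task": rec["task"], "findings": findings, "suspicious": len(findings) >= threshold}


# Constructed sample records: one side-loading task, one benign Windows task,
# one task that only runs from a public directory.
SAMPLE_EVENTS = [
    "\\Microsoft\\Windows\\MsMpEng|C:\\ProgramData\\Update\\updater.exe|updater.exe,version.dll",
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|C:\\Windows\\System32\\defrag.exe|defrag.exe",
    "\\Backup\\NightlySync|C:\\Users\\Public\\sync.exe|sync.exe,config.ini",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze(event))
```

Only the first record reaches the threshold: its name mimics a Defender binary, it runs from ProgramData, and a `version.dll` sits beside it. The third record trips a single signal, which on its own is common for legitimate software, so the two-signal threshold keeps it out of the alert queue while still recording the observation.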
Additionally, Unfading Sea Haze has incorporated commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM since at least September 2022, a tactic not commonly observed among nation-state actors except for the Iranian MuddyWater group.
The group’s arsenal includes variants of Gh0st RAT such as SilentGh0st and InsidiousGh0st, as well as the loader Ps2dllLoader, which can bypass the Antimalware Scan Interface (AMSI) and deliver SharpJSHandler. SharpJSHandler listens for HTTP requests and executes encoded JavaScript code using the Microsoft.JScript library.
Another backdoor, Stubbedoor, also launched by Ps2dllLoader, executes an encrypted .NET assembly received from a command-and-control (C2) server.
Unfading Sea Haze also deploys a keylogger called xkeylog, a web browser data stealer, a tool to monitor portable devices, and a custom data exfiltration program named DustyExfilTool.
Lastly, the group uses a third backdoor, SharpZulip, which utilizes the Zulip messaging service API to fetch commands for execution from a stream called “NDFUIBNFWDNSA,” indicating a focus on manual data exfiltration.
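A backdoor that fetches its commands from a chat stream has to poll the messaging API, and that polling leaves a regular cadence in proxy logs that interactive chat use does not. The following detector, added here as an illustration and not code from the report or from any vendor, groups constructed proxy log entries by client and API path, measures the inter-request interval, and flags clients whose polling of the Zulip messages endpoint is both frequent and nearly constant. The log format, the `example.zulipchat.com` host, and the thresholds (at least five requests, coefficient of variation below 0.2) are assumptions; `/api/v1/messages` is the documented Zulip REST endpoint for reading messages.

```python
"""Flag clients polling a messaging-service API at a near-constant interval,
the traffic shape a backdoor fetching commands from a chat stream produces.

Added example; the proxy log lines, host name and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Documented Zulip endpoint for reading messages; a polling backdoor would hit it
# repeatedly. Other chat APIs could be added to this set (assumption).
WATCHED_PATHS = {"/api/v1/messages"}

# Constructed proxy log: timestamp, client IP, method, URL (no spaces in URLs).
PROXY_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=50&num_after=0
2024-05-01T10:01:00Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=50&num_after=0
2024-05-01T10:02:01Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=50&num_after=0
2024-05-01T10:03:00Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=50&num_after=0
2024-05-01T10:04:01Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=50&num_after=0
2024-05-01T10:05:00Z 10.0.0.5 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=50&num_after=0
2024-05-01T10:00:12Z 10.0.0.7 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=100&num_after=0
2024-05-01T10:17:45Z 10.0.0.7 POST https://example.zulipchat.com/api/v1/messages
2024-05-01T10:41:03Z 10.0.0.7 GET https://example.zulipchat.com/api/v1/messages?anchor=newest&num_before=100&num_after=0
2024-05-01T10:00:30Z 10.0.0.9 GET https://www.example.com/index.html
"""


def parse_log(text):
    """Yield (timestamp, client, host, path) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        url = urlsplit(parts[3])
        yield ts, parts[1], url.hostname, url.path


def find_periodic_pollers(text, min_requests=5, max_cv=0.2):
    """Return clients whose requests to a watched path form a regular beacon."""
    series = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        if path in WATCHED_PATHS:
            series[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call the cadence regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # low spread relative to the mean means a fixed timer
        if cv <= max_cv:
            findings.append({
                "client": client, "host": host, "path": path,
                "count": len(stamps), "mean_interval": avg, "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_pollers(PROXY_LOG):
        print(f"{f['client']} polls {f['host']}{f['path']} every {f['mean_interval']:.0f}s "
              f"({f['count']} requests, cv={f['cv']:.3f})")
```

Client 10.0.0.5 is reported (six requests sixty seconds apart with about one second of jitter), while 10.0.0.7, whose three requests are spaced minutes apart and mix reads with a message post, is not. In production the host filter would be restricted to chat services the organisation does not use, and the interval statistics would be computed over a sliding window rather than the whole log.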
To protect against Unfading Sea Haze attacks, organizations should focus on improving credential hygiene and patching practices. Implementing email security measures, such as spam filters and user education on recognizing phishing attempts, can also help prevent initial access. Regular security audits and monitoring for suspicious activity are crucial for early detection and response.