Newly Detected Chinese Group Targeting Military, Government Entities

May 23, 2024 at 07:22AM

A Chinese threat group known as Unfading Sea Haze has been targeting military and government entities in the South China Sea for over six years, utilizing sophisticated tools and tactics including spear-phishing, backdoors, and commercially available remote monitoring and management tools. The group’s activities align with Beijing’s interests, indicating potential involvement by a nation-state adversary.

Key Takeaways:

1. The threat actor, known as Unfading Sea Haze, has been targeting military and government entities in South China Sea countries for at least six years, focusing on espionage and utilizing new and improved tools, tactics, and techniques (TTPs) since 2018.

2. Unfading Sea Haze employs various intrusion techniques including spear-phishing, deployment of custom malware and tools, use of commercially available remote monitoring and management (RMM) tools, and establishing persistence on web servers.

3. Between 2018 and 2023, Unfading Sea Haze used the Gh0st RAT variants SilentGh0st and TranslucentGh0st and the .NET agent SharpJSHandler, and more recently switched to modular (plugin-based) variants of Gh0st RAT: FluffyGh0st, InsidiousGh0st, and EtherealGh0st.

4. The threat actor’s activities appear to align with Beijing’s interests, suggesting it could be a nation-state adversary operating out of China.

5. The use of Gh0st RAT variants has been linked to Chinese threat actors before, and there are overlaps with APT41’s tooling, reinforcing the assumption that Unfading Sea Haze is a Chinese adversary.