A new cyber threat actor, suspected of ties to China, has been targeting military and government organizations in South China Sea countries since 2018, according to Romanian cybersecurity company Bitdefender.
“The targets and nature of the attacks suggest alignment with Chinese interests,” the report reads.
“No other overlaps with APT41’s known tools were identified. This single similarity could be another indication of shared coding practices within the Chinese cyber threat scene,” the report reads.
Unfading Sea Haze has targeted at least eight victims, including mostly military and government targets since 2018, the report states, and it has “repeatedly regained access to compromised systems.”
One method that the group has used to infiltrate target systems is sending spear-phishing emails with malicious ZIP archives.
“These archives contained LNK files disguised as regular documents. When clicked, these LNK files would execute malicious commands,” the report reads.
Some of the ZIP archive names have included “Data,” “Doc,” and “Startechup_fINAL,” according to the report.
The threat group’s attackers began using new ZIP archive names in March 2024, including “Assange_Labeled_an_‘Enemy’_of_the_US_in_Secret_Pentagon_Documents102” and “Presidency of Barack Obama.” Other ZIPs were misleadingly named as installers, updaters, and documents of Microsoft Windows Defender.
After gaining access to targeted systems, Unfading Sea Haze has used “a combination of custom and off-the-shelf tools” to collect data.
One custom tool is a keylogger named “xkeylog” to capture keystrokes on victim machines. Another custom tool is a browser data sealer to target data stored in Google Chrome, Firefox, Microsoft Edge, or Internet Explorer.
A third custom tool allowed Unfading Sea Haze to monitor the presence of portable devices on compromised systems.
“The tool checks for portable devices every 10 seconds. If a WPD or USB is mounted, it gathers details about the device, and sends them using HTTP GET request to an attacker-controlled server,” the report explains.
Unfading Sea Haze has also collected data from messaging apps including Telegram and Viber, according to the report. The group also has used the RAR compression tool to manually collect data.
“This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” the report reads.
The threat group went undetected for more than five years, a phenomenon that the report said “is particularly concerning,” and the attackers have “demonstrated a sophisticated approach to cyberattacks.”
The researchers said they publicized their findings on Unfading Sea Haze because they “want to help the security community with the knowledge to detect and disrupt their espionage efforts.”
The report ended with some recommendations on how to mitigate risks posed by Unfading Sea Haze and other similar threat actors. Prioritizing patch management, enforcing strong password policies, monitoring network traffic, and collaborating with the cybersecurity community are among the tips offered by Bitdefender researchers.
