{"id":163566,"date":"2024-05-23T08:55:01","date_gmt":"2024-05-23T08:55:01","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=163566"},"modified":"2024-05-23T08:55:02","modified_gmt":"2024-05-23T08:55:02","slug":"chinese-unfading-sea-haze-apt","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/163566\/apt\/chinese-unfading-sea-haze-apt.html","title":{"rendered":"Chinese actor ‘Unfading Sea Haze’ remained undetected for five years"},"content":{"rendered":"

A previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ has been targeting military and government entities since 2018.

Bitdefender researchers discovered a previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ that has been targeting military and government entities since 2018. The threat group focuses on entities in countries bordering the South China Sea; the experts noticed TTP overlap with operations attributed to APT41.

Bitdefender identified a troubling trend: attackers repeatedly regained access to compromised systems, highlighting weaknesses such as poor credential hygiene and inadequate patching practices.

Unfading Sea Haze remained undetected for over five years; despite extensive artifact cross-referencing and public report analysis, no traces of its prior activities were found.

Unfading Sea Haze’s choice of targets confirms an alignment with Chinese interests. The group used several variants of the Gh0st RAT, a tool commonly associated with Chinese actors.

A notable technique involved running JScript code through SharpJSHandler, similar to a feature in the “funnyswitch” backdoor linked to APT41. Both methods involve loading .NET assemblies and executing JScript code, suggesting shared coding practices among Chinese threat actors.

Taken together, these findings indicate a sophisticated threat actor, possibly connected to the Chinese cyber landscape.

The researchers cannot determine the initial method Unfading Sea Haze used to infiltrate victim systems, because the initial breach happened over six years ago, making it hard to recover forensic evidence.

However, the researchers determined that one of the methods the threat actors used to regain access to the target organizations is spear-phishing emails. The messages carry specially crafted archives containing LNK files disguised as regular documents; when clicked, the LNK files execute malicious commands. The experts observed multiple spear-phishing attempts between March and May 2023.

Some of the email attachment names used in the attacks are: