Unfading Sea Haze
Unfading Sea Haze is an espionage threat actor tracked by Bitdefender and assessed as Chinese-nexus (China-aligned), with activity traced back to at least 2018. It has primarily targeted government and military organizations in countries bordering the South China Sea; at least eight victims have been reported. Reporting describes the actor as focused on long-term access and repeated re-compromise of victim environments, with targeting and operations aligned with Chinese interests. Bitdefender found no clear link to a previously identified actor, but noted the use of Gh0st RAT-derived tooling, which is common in the Chinese cyber ecosystem, and an isolated technique similarity to an APT41-linked backdoor. Other reporting linked overlapping activity to Sophos Cluster Bravo/STAC1807 and Palo Alto Networks CL-STA-1049. EtherealGh0st and FluffyGh0st are both reported as associated with the group.

Observed initial access and delivery relied on spear-phishing emails carrying malicious ZIP archives that contained LNK files disguised as documents, with lures observed in 2023 and March 2024, including Microsoft Defender-themed and U.S. political themes. One LNK chain checked for the ESET process ekrn.exe before proceeding. The actor also used a fileless technique in which PowerShell launched MSBuild.exe with its working directory set to a remote SMB share, so that a remote project file was compiled and executed in memory; SerialPktdoor was identified in this chain. The initial compromise vector for the older intrusions remains unknown.

Persistence and access maintenance included scheduled tasks with names mimicking legitimate Windows components, DLL sideloading, abuse of the Windows Perception Simulation Service via a malicious hid.dll, manipulation of the local Administrator account (enabling it, resetting its password, and hiding it from the logon screen via the Winlogon SpecialAccounts\UserList registry key), and use of the commercial ITarian RMM tool since at least September 2022.
Bitdefender also found indications of possible persistence on IIS and Apache httpd web servers, though the exact mechanism was not confirmed.

Tooling reported from 2018 to 2023 included SilentGh0st, TranslucentGh0st, SharpJSHandler, and the Ps2dllLoader loader. Starting in 2023, the actor shifted toward more modular and fileless tradecraft, including FluffyGh0st, InsidiousGh0st, and EtherealGh0st. Additional custom tooling included the xkeylog keylogger, a browser data stealer, a USB/WPD (Windows Portable Devices) monitoring tool, and DustyExfilTool. Reported capabilities included command execution, file and folder manipulation, upload/download, data harvesting, keylogging, browser data theft, and exfiltration. Exfiltration reportedly moved from DustyExfilTool over TLS/TCP (in use through January 2022) to curl and FTP, later with randomly generated FTP credentials that were rotated more frequently.

Related reporting noted overlap between Unfading Sea Haze and activity clusters in other investigations. Sophos reported that Cluster Bravo's CCoreDoor overlapped with Bitdefender's EtherealGh0st/Unfading Sea Haze reporting, including shared infrastructure. Palo Alto Networks reported that CL-STA-1049 used a novel Hypnosis loader in a DLL sideloading chain to deploy what was assessed as likely FluffyGh0st, with strong overlap to Unfading Sea Haze.
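As an added hunting example (not code from Bitdefender, Sophos, Palo Alto Networks, or this page), the following Python checks Sysmon-style process-creation and registry events for three of the behaviours described above: PowerShell launching MSBuild.exe with a UNC working directory or project path, a zero DWORD written under Winlogon\SpecialAccounts\UserList, and net.exe re-enabling the built-in Administrator account. The sample events, the share host 192.0.2.10 (a documentation address, not an indicator), and the Event class, rule functions, and hunt() helper are all assumptions of this example, not field names or rules from any product or report.

```python
"""Added hunt example over constructed Sysmon-style events (not real telemetry)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    event_id: int               # Sysmon: 1 = ProcessCreate, 13 = RegistryEvent (SetValue)
    image: str = ""             # process image path
    parent_image: str = ""
    command_line: str = ""
    current_directory: str = ""
    target_object: str = ""     # registry path (event 13)
    details: str = ""           # registry value as Sysmon renders it (event 13)


# Key fragment (lower-cased) that controls logon-screen visibility of local accounts.
USERLIST_FRAGMENT = "\\specialaccounts\\userlist\\"
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")             # matches \\host\share
ZERO_DWORD_RE = re.compile(r"^(dword \(0x0+\)|0)$", re.I)  # Sysmon renders DWORD 0 as DWORD (0x00000000)
ADMIN_ENABLE_RE = re.compile(r"\buser\s+administrator\b.*/active:yes", re.I)


def is_remote_msbuild(ev: Event) -> bool:
    """PowerShell spawning MSBuild.exe with a UNC working directory or argument:
    the remote-project-file technique, where the payload never touches local disk."""
    if ev.event_id != 1:
        return False
    if not ev.image.lower().endswith("\\msbuild.exe"):
        return False
    if not ev.parent_image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    return bool(UNC_RE.search(ev.current_directory) or UNC_RE.search(ev.command_line))


def is_hidden_logon_account(ev: Event) -> bool:
    """A value <account>=0 under Winlogon\\SpecialAccounts\\UserList hides that
    account from the logon screen; any write of a zero here is worth a look."""
    if ev.event_id != 13:
        return False
    if USERLIST_FRAGMENT not in ev.target_object.lower():
        return False
    return bool(ZERO_DWORD_RE.match(ev.details.strip()))


def is_admin_reactivation(ev: Event) -> bool:
    """net.exe / net1.exe re-enabling the built-in Administrator account."""
    if ev.event_id != 1:
        return False
    if not ev.image.lower().endswith(("\\net.exe", "\\net1.exe")):
        return False
    return bool(ADMIN_ENABLE_RE.search(ev.command_line))


RULES = [
    ("remote_msbuild", is_remote_msbuild),
    ("hidden_logon_account", is_hidden_logon_account),
    ("admin_reactivation", is_admin_reactivation),
]


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches a rule, in event order."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed sample events: one benign build, one remote MSBuild launch, one
# UserList hide, one unrelated Winlogon write, one Administrator re-enable.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
          command_line="MSBuild.exe app.csproj", current_directory=r"C:\src\app"),
    Event(1, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="MSBuild.exe project.xml", current_directory=r"\\192.0.2.10\share"),
    Event(13, image=r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator",
          details="DWORD (0x00000000)"),
    Event(13, image=r"C:\Windows\System32\msiexec.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          details="explorer.exe"),
    Event(1, image=r"C:\Windows\System32\net1.exe", parent_image=r"C:\Windows\System32\net.exe",
          command_line=r"C:\Windows\system32\net1 user Administrator /active:yes"),
]


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name}: event {idx} {ev.image} {ev.command_line or ev.target_object}")
```

The UserList rule deliberately ignores which account name is being hidden: hiding any local account from the logon screen is rare in a managed environment, and the actor's pattern (enable, reset password, hide) means the account name alone is a weak filter.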
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
30 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Observables
13 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
China-aligned threat actor associated with FluffyGh0st RAT and overlapping with CL-STA-1049 activity.
Linked (strong evidence via tool overlap) to activity cluster CL-STA-1049, which used Hypnosis Loader (via DLL proxy sideloading) and deployed FluffyGh0st.
Chinese-nexus espionage actor associated with EtherealGh0st/CCoreDoor-style malware and targeting government and military organizations in South China Sea countries; referenced due to strong overlap with Cluster Bravo.
Chinese-nexus actor referenced due to strong malware and domain overlap between Cluster Bravo's CCoreDoor and Bitdefender's EtherealGh0st, reportedly targeting government/military entities in South China Sea countries.