{ "id": "63f1cf75-605f-48d6-8c8a-8e6023b0d667", "created_at": "2026-04-06T00:15:55.715367Z", "updated_at": "2026-04-10T13:11:23.533594Z", "deleted_at": null, "sha1_hash": "03c86a7c7f94749e4360b4c1fa8fcfd8e3abf87a", "title": "Unfading Sea Haze - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52241, "plain_text": "Unfading Sea Haze - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:48:11 UTC\r\nHome \u003e List all groups \u003e Unfading Sea Haze\r\n APT group: Unfading Sea Haze\r\nNames Unfading Sea Haze (Bitdefender)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(Bitdefender) Bitdefender researchers investigated a series of incidents at high-level\r\norganizations in countries of the South China Sea region, all performed by the same threat\r\nactor we track as Unfading Sea Haze. Based on the victimology and the cyber-attack’s aim, we\r\nbelieve the threat actor is aligned with China’s interests.\r\nAs tensions in the region rise, they are reflected in the intensification of activity on behalf of\r\nthe Unfading Sea Haze actor, which uses new and improved tools and TTPs.\r\nWe noticed multiple times that the actor was regaining access to the victim’s systems either\r\nbecause of improper credential hygiene or because of bad patching strategies of the edge\r\ndevices and exposed web services. Thus, this publication intends to raise awareness of the\r\nimportance of respecting essential best practices that ensure security and to share with the\r\ncommunity information that could help detect and disrupt Unfading Sea Haze’s espionage\r\nactivities.\r\nObserved\r\nSectors: Defense, Government.\r\nCountries: South China Sea region.\r\nTools used\r\nDustyExfilTool, EtherealGh0st, FluffyGh0st, InsidiousGh0st, Ps2dllLoader, SerialPktdoor,\r\nSharpJSHandler, SharpZulip, SilentGh0st, Stubbedoor, TranslucentGh0st, xkeylog.\r\nInformation\r\n\u003chttps://blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-Report-DeepDive-creat7721-en_EN.pdf\u003e\r\nLast change to this card: 18 June 2024\r\nDownload this actor card in PDF or JSON format\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c8eed73-c475-4eb2-a2b0-df46016d7446\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c8eed73-c475-4eb2-a2b0-df46016d7446\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c8eed73-c475-4eb2-a2b0-df46016d7446\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9c8eed73-c475-4eb2-a2b0-df46016d7446" ], "report_names": [ "showcard.cgi?u=9c8eed73-c475-4eb2-a2b0-df46016d7446" ], "threat_actors": [ { "id": "f51de4ba-d3f5-4df7-ab5a-034b32584e48", "created_at": "2024-06-20T02:02:10.208158Z", "updated_at": "2026-04-10T02:00:04.960754Z", "deleted_at": null, "main_name": "Unfading Sea Haze", "aliases": [], "source_name": "ETDA:Unfading Sea Haze", "tools": [ "DustyExfilTool", "EtherealGh0st", "FluffyGh0st", "InsidiousGh0st", "Ps2dllLoader", "SerialPktdoor", "SharpJSHandler", "SharpZulip", "SilentGh0st", "Stubbedoor", "TranslucentGh0st", "xkeylog" ], "source_id": "ETDA", "reports": null }, { "id": "cd48e0e6-b206-478d-bcb4-198be54bdf7a", "created_at": "2024-06-07T02:00:04.002734Z", "updated_at": "2026-04-10T02:00:03.644376Z", "deleted_at": null, "main_name": "Unfading Sea Haze", "aliases": [], "source_name": "MISPGALAXY:Unfading Sea Haze", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434555, "ts_updated_at": 1775826683, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/03c86a7c7f94749e4360b4c1fa8fcfd8e3abf87a.pdf", "text": "https://archive.orkl.eu/03c86a7c7f94749e4360b4c1fa8fcfd8e3abf87a.txt", "img": "https://archive.orkl.eu/03c86a7c7f94749e4360b4c1fa8fcfd8e3abf87a.jpg" } }