{
	"id": "95a32fe9-d769-464b-a211-4348de23b48b",
	"created_at": "2026-04-06T00:13:16.10909Z",
	"updated_at": "2026-04-10T13:12:08.366777Z",
	"deleted_at": null,
	"sha1_hash": "853034b92dd32f5a1783e41d375392e497c1a468",
	"title": "SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1348729,
	"plain_text": "SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques\r\nBy Chetan Raghuprasad\r\nPublished: 2024-06-21 · Archived: 2026-04-05 14:08:00 UTC\r\nFriday, June 21, 2024 08:00\r\nCisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.\r\nIn the newly discovered campaign, we observed a wider scope of targets spread across countries in EMEA and Asia, compared with previous observations that mainly targeted South Korea and Uzbekistan.\r\nSneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies.\r\nBesides the two infection chains disclosed by Talos in November, we discovered an additional infection chain using SFX RAR files to deliver SugarGh0st.\r\nThe language used in the SFX sample in this campaign reinforces our previous assertion that the actor is Chinese speaking.\r\nCisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.\r\nSneakyChef actor profile\r\nIn early August 2023, Talos discovered a campaign using the SugarGh0st RAT to target users in Uzbekistan and South Korea. We continued to observe new activities using the same malware to target users across a wider geographical area. Therefore, we created an actor profile for the group and dubbed them “SneakyChef.”\r\nTalos assesses with medium confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, the usage of variants of Gh0st RAT — a popular malware among various Chinese-speaking actors — and the specific targets, which include the Ministry of Foreign Affairs of various countries and other government entities. Talos also discovered another RAT dubbed “SpiceRAT” used in the campaign. 
Read the corresponding research here.\r\nhttps://blog.talosintelligence.com/sneakychef-sugarghost-rat/\r\nPage 1 of 13\r\nTargets across EMEA and Asia\r\nTalos assesses with low confidence that the following government agencies are the potential targets in this campaign based on the contents of the decoy documents:\r\nMinistry of Foreign Affairs of Angola\r\nMinistry of Fisheries and Marine Resources of Angola\r\nMinistry of Agriculture and Forestry of Angola\r\nMinistry of Foreign Affairs of Turkmenistan\r\nMinistry of Foreign Affairs of Kazakhstan\r\nMinistry of Foreign Affairs of India\r\nEmbassy of the Kingdom of Saudi Arabia in Abu Dhabi\r\nMinistry of Foreign Affairs of Latvia\r\nMost of the decoy documents we found in this campaign are scanned documents of government agencies, which do not appear to be available on the internet. During our research, we observed and analyzed various decoy documents with government- and research conference-themed lures in this campaign. We are sharing a few samples of the decoy documents accordingly.\r\nLures targeting Southern African countries\r\nThe threat actor has used decoy documents impersonating the Ministry of Foreign Affairs of Angola. The lure content in one of the sample documents appeared to be a circular from the Angolan Ministry of Fisheries and Marine Resources about a debt conciliation meeting between the ministry authority and a financial advisory company.\r\nAnother document contained information about a legal decree concerning state or public assets and their disposal. This document appealed to anyone interested in legal affairs and public heritage regimes and was addressed to the Ministry of Foreign Affairs – MIREX, a centralized institution in Luanda. 
Lures targeting Central Asian countries\r\nThe decoy documents used in the attacks likely targeting countries in Central Asia were either impersonating the Ministry of Foreign Affairs of Turkmenistan or Kazakhstan. One of the lures is related to a meeting organized with the Turkmenistan embassy in Argentina and the heads of transportation and infrastructure of the Italian Republic. Another document was a report of planned events and the government-issued list of priorities to be addressed in the year 2024 that includes a formal proclamation-signing event between the Ministry of Defense of Uzbekistan and the Ministry of Defense of Kazakhstan.\r\nLures targeting Middle Eastern countries\r\nA decoy document we observed in the attack likely targeting Middle Eastern countries was an official circular regarding the declaration of an official holiday for the Founding Day of the Kingdom of Saudi Arabia.\r\nLures targeting Southern Asian countries\r\nWe found another sample that was likely used to target the Indian Ministry of Foreign Affairs. It has decoy documents, including an Indian passport application form, along with a copy of an Aadhaar card, a document that serves as proof of identity in India.\r\nOne of the decoy Word documents we observed contained lures related to India-U.S. relations, including a list of events involving interactions between India’s prime minister and the U.S. president.\r\nLures targeting European countries\r\nA decoy document found in a sample likely targeting the Ministry of Foreign Affairs of Latvia was a circular impersonating the Embassy of Lithuania. 
It contained a lure document regarding an announcement of an ambassador’s absence and their replacement.\r\nOther targets\r\nAlong with the government-themed decoy document samples we analyzed, we observed a few other samples from these campaigns. These included decoys such as an application form to register for a conference run by the Universal Research Cluster (URC) and a research paper abstract of the ICCSE international conference. We also saw a few other decoys related to other conference invitations and details, including those for the Political Science and International Relations conference.\r\nRecently, Proofpoint researchers reported a SugarGh0st campaign targeting an organization in the U.S. involved in artificial intelligence across academia, the private technology sector, and government services, highlighting the wider adoption of SugarGh0st RAT in targeting various business verticals.\r\nThreat actor continues to leverage old and new C2 domains\r\nAfter Talos’ initial disclosure of the SugarGh0st campaign in November 2023, we are attributing the past attacks to the newly named threat actor SneakyChef. Despite our disclosure, SneakyChef continued to use the C2 domain we mentioned and deployed new samples in the months following our blog post. Most of the samples observed in this campaign communicate with the C2 domain account[.]drive-google-com[.]tk, consistent with their previous campaign. Based on Talos’ Umbrella records, resolutions to the C2 domain were still observed until mid-May.\r\nDNS requests for the SugarGh0st C2 domain.\r\nTalos also observed the new domain account[.]gommask[.]online, reported by Proofpoint as being used by SugarGh0st. 
The domain was created in March 2024, and queries were observed through April 21.\r\nInfection chain abuses SFX RAR as the initial attack vector\r\nWith Talos’ first reporting of the SugarGh0st campaign in November, we disclosed two infection chains that utilized a malicious RAR with an LNK file, likely delivered via phishing email. In the newly observed campaign, in addition to the old infection chains, we discovered a different technique in a few malicious RAR samples.\r\nThe threat actor is using an SFX RAR as the initial vector in this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, a DLL loader, the encrypted SugarGh0st payload, and a malicious VB script into the victim’s user profile temporary folder, and then executes the malicious VB script.\r\nThe malicious VB script establishes persistence by writing the command to the registry key UserInitMprLogonScript, which executes when a user belonging to either a local workgroup or a domain logs into the system.\r\nHKCU\\Environment\\UserInitMprLogonScript  regsvr32.exe /s %temp%\\update.dll\r\nWhen a user logs into the system, the command runs and launches the loader DLL “update.dll” using regsvr32.exe. The loader reads the encrypted SugarGh0st RAT “authz.lib”, decrypts it and injects it into a process. This technique is the same as that of the SugarGh0st campaign disclosed by the Kazakhstan government in February.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The Snort SID for this threat is 62647.\r\nClamAV detections are also available for this threat:\r\nWin.Trojan.SugarGh0stRAT-10014937-0\r\nWin.Tool.DynamicWrapperX-10014938-0\r\nTxt.Loader.SugarGh0st_Bat-10014939-0\r\nWin.Trojan.SugarGh0stRAT-10014940-0\r\nLnk.Dropper.SugarGh0stRAT-10014941-0\r\nJs.Trojan.SugarGh0stRAT-10014942-1\r\nWin.Loader.Ramnit-10014943-1\r\nWin.Backdoor.SugarGh0stRAT-10014944-0\r\nWin.Trojan.SugarGh0st-10030525-0\r\nWin.Trojan.SugarGh0st-10030526-0\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. 
For specific OSqueries related to this threat, please follow the links:\r\nSugarGh0st RAT file detected\r\nSugarGh0st RAT Registry key\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/sneakychef-sugarghost-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/sneakychef-sugarghost-rat/"
	],
	"report_names": [
		"sneakychef-sugarghost-rat"
	],
	"threat_actors": [
		{
			"id": "784ccdda-6196-40a3-a269-4e9cf8c2dd1c",
			"created_at": "2024-06-25T02:00:05.044608Z",
			"updated_at": "2026-04-10T02:00:03.661349Z",
			"deleted_at": null,
			"main_name": "SneakyChef",
			"aliases": [],
			"source_name": "MISPGALAXY:SneakyChef",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/853034b92dd32f5a1783e41d375392e497c1a468.pdf",
		"text": "https://archive.orkl.eu/853034b92dd32f5a1783e41d375392e497c1a468.txt",
		"img": "https://archive.orkl.eu/853034b92dd32f5a1783e41d375392e497c1a468.jpg"
	}
}