{
	"id": "2081da8e-8714-4773-9a54-b555db11c914",
	"created_at": "2026-04-06T00:08:34.827744Z",
	"updated_at": "2026-04-10T03:33:24.133066Z",
	"deleted_at": null,
	"sha1_hash": "90d4da72982c78083f2fbd0efdb61c8ef8175522",
	"title": "Chinese hackers hide on military and govt networks for 6 years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2785956,
	"plain_text": "Chinese hackers hide on military and govt networks for 6 years\r\nBy Bill Toulas\r\nPublished: 2024-05-22 · Archived: 2026-04-05 12:49:55 UTC\r\nA previously unknown threat actor dubbed \"Unfading Sea Haze\" has been targeting military and government entities in the\r\nSouth China Sea region since 2018, remaining undetected all  this time.\r\nBitdefender researchers who discovered the threat group report that its operations align with Chinese geo-political interests,\r\nfocusing on intelligence collection and espionage.\r\nAs is typical for Chinese state-sponsored threat actors, \"Unfading Sea Haze\" demonstrates operational, TTP, and toolset\r\noverlaps with other activity clusters, most notably, APT41.\r\nhttps://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nAbusing MSBuild for fileless malware\r\nUnfading Sea Haze attacks start with spear-phishing emails carrying malicious ZIP archives that contain LNK files\r\ndisguised as documents.\r\nAs of March 2024, the latest lures used in these attacks concern U.S. 
political topics, while the ZIPs were deceptively named\r\nto appear as Windows Defender installers/updaters.\r\nThese LNK files contain a long obfuscated PowerShell command that will check for the presence of an ESET executable,\r\nekrn.exe, and if it exists, halts the attack.\r\nIf the executable is not found, the PowerShell script will perform an interesting trick to launch fileless malware directly into\r\nmemory using Microsoft's legitimate msbuild.exe command-line compiler.\r\n\"In this attack, the criminals start a new MSBuild process with a twist: they specify a working directory located on a remote\r\nSMB server (like \\154.90.34.83\\exchange\\info in the above example),\" explains Bitdefender.\r\n\"By setting the working directory to a remote location, MSBuild will search for a project file on that remote server. If a\r\nproject file is found, MSBuild will execute the code it contains entirely in memory, leaving no traces on the victim's\r\nmachine.\"\r\nAbusing msbuild.exe to launch fileless malware\r\nSource: Bitdefender\r\nThat code executed by MSBuild is a backdoor program named 'SerialPktdoor,' which gives the attackers remote control over\r\nthe compromised system.\r\nThe attack also employs scheduled tasks that execute innocuous files to side-load malicious DLLs and use local\r\nadministrator account manipulation to maintain persistence.\r\nSpecifically, the hackers reset the password for the local administrator account, which is disabled by default in Windows,\r\nand enable it. The account is then again hidden from the login screen via Registry modifications. 
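The MSBuild remote-working-directory trick and the hidden local administrator account described above both leave process-creation telemetry that a detection engineer can key on. The following Python is an added example, not code from the article or from Bitdefender: it runs two detection rules over constructed Sysmon-style process-creation events. The event field names, host names, timestamps, commands and correlation window are assumptions, as is the Winlogon SpecialAccounts UserList registry value, which the article does not name (it only says the account is hidden via Registry modifications).

```python
# Added example (not from the article or from Bitdefender): detection logic for
# two Unfading Sea Haze techniques, run over constructed Sysmon-style
# process-creation events. Field names, sample events, the correlation window
# and the SpecialAccounts UserList registry value are assumptions.
import re

BACKSLASH = chr(92)          # lets the sample paths below be written with forward slashes
UNC_PREFIX = BACKSLASH * 2   # a UNC path begins with two backslashes


def win(path):
    '''Turn a forward-slash path into a Windows path (sample-data helper).'''
    return path.replace('/', BACKSLASH)


MSBUILD = win('C:/Windows/Microsoft.NET/Framework64/v4.0.30319/MSBuild.exe')
NET1 = win('C:/Windows/System32/net1.exe')
REG = win('C:/Windows/System32/reg.exe')
SYS32 = win('C:/Windows/System32')
USERLIST = win('HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/SpecialAccounts/UserList')

# Constructed sample telemetry (hosts, times and commands are invented; the
# remote working directory mirrors the path quoted in the article).
SAMPLE_EVENTS = [
    {'time': 100, 'host': 'ws01', 'image': MSBUILD,
     'cwd': win('//154.90.34.83/exchange/info'), 'cmd': 'msbuild.exe'},
    {'time': 200, 'host': 'ws02', 'image': MSBUILD,                 # benign local build
     'cwd': win('C:/src/app'), 'cmd': 'msbuild.exe app.csproj'},
    {'time': 300, 'host': 'srv07', 'image': NET1, 'cwd': SYS32,
     'cmd': 'net1 user Administrator Str0ngPass1'},                 # password reset
    {'time': 301, 'host': 'srv07', 'image': NET1, 'cwd': SYS32,
     'cmd': 'net1 user Administrator /active:yes'},                 # enable
    {'time': 305, 'host': 'srv07', 'image': REG, 'cwd': SYS32,
     'cmd': 'reg add ' + USERLIST + ' /v Administrator /t REG_DWORD /d 0 /f'},  # hide from logon screen
    {'time': 400, 'host': 'srv09', 'image': NET1, 'cwd': SYS32,
     'cmd': 'net1 user Administrator /active:yes'},                 # enable alone: no alert
]

# Steps of the hidden-admin sequence, matched on the command line with
# character classes rather than escape sequences. Group 1 is the account name.
STEP_RES = {
    'reset':  re.compile('net1?(?:[.]exe)?[ ]+user[ ]+([^ ]+)[ ]+[^ /][^ ]*[ ]*$', re.I),
    'enable': re.compile('net1?(?:[.]exe)?[ ]+user[ ]+([^ ]+)[ ]+/active:yes', re.I),
    'hide':   re.compile('reg(?:[.]exe)?[ ]+add[ ]+.*specialaccounts.userlist.*/v[ ]+([^ ]+).*/d[ ]+0(?:[ ]|$)', re.I),
}
HIDE_WINDOW = 600   # seconds allowed between the enable step and the hide step


def is_remote_msbuild(ev):
    '''MSBuild started with its working directory, or its project argument, on a remote SMB share.'''
    if not ev['image'].lower().endswith('msbuild.exe'):
        return False
    return ev['cwd'].startswith(UNC_PREFIX) or (' ' + UNC_PREFIX) in ev['cmd']


def detect(events, window=HIDE_WINDOW):
    '''Return (host, rule, detail) alerts in time order.'''
    alerts = []
    steps = {}   # (host, account) -> {step: first time seen}
    for ev in sorted(events, key=lambda e: e['time']):
        host, cmd = ev['host'], ev['cmd']
        if is_remote_msbuild(ev):
            alerts.append((host, 'msbuild_remote_project', ev['cwd']))
        for step, rx in STEP_RES.items():
            m = rx.search(cmd)
            if not m:
                continue
            account = m.group(1).lower()
            seen = steps.setdefault((host, account), {})
            seen.setdefault(step, ev['time'])
            # Fire when an account is enabled and then hidden within the window.
            if step == 'hide' and 'enable' in seen and ev['time'] - seen['enable'] <= window:
                alerts.append((host, 'hidden_local_admin', account + ':' + '+'.join(sorted(seen))))
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

Run stand-alone, the script prints one alert for the MSBuild process whose working directory is a UNC share and one for the host where the Administrator account was reset, enabled and hidden within the window; the benign local build and the host that only enabled the account produce nothing. The second rule correlates the enable and hide steps to stay close to the sequence the article describes; on servers where enabling the built-in Administrator is itself unusual, the enable step alone is worth an alert.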
This provides the threat actors with a hidden admin account that can be used to further their attacks.\r\nBitdefender also highlights the atypical use of commercial Remote Monitoring and Management (RMM) tools, such as Itarian RMM, in the attack chain to gain a foothold on the compromised network.\r\nUnfading Sea Haze's Arsenal\r\nOnce access has been established, Unfading Sea Haze uses a custom keylogger named 'xkeylog' to capture the victim's keystrokes, an info-stealer targeting data stored in Chrome, Firefox, or Edge, and various PowerShell scripts that extract information from the browser databases.\r\nExtracting encrypted data from Chrome\r\nSource: Bitdefender\r\nStarting in 2023, the hackers moved to stealthier tools, such as abusing msbuild.exe to load C# payloads from remote SMB shares, as well as variants of the Gh0stRAT malware.\r\nBitdefender has seen the deployment of:\r\nSilentGh0st – The oldest variant, offering extensive functionality through a rich set of commands and modules.\r\nInsidiousGh0st – A Go-based evolution of SilentGh0st that adds TCP proxy, SOCKS5, and PowerShell improvements.\r\nTranslucentGh0st, EtherealGh0st, and FluffyGh0st – The newest variants, featuring dynamic plugin loading and a lighter footprint for evasive operation.\r\nGh0stRAT variants deployment timeline\r\nSource: Bitdefender\r\nIn earlier attacks, the hackers also used Ps2dllLoader, a tool that loads .NET or PowerShell code into memory, and 'SharpJSHandler', a web shell that listens for HTTP requests and executes encoded JavaScript code.\r\nInterestingly, a custom tool checks for newly plugged-in USB and Windows Portable Devices (WPD) every ten seconds and sends device details and specific files to the attackers.\r\nTo exfiltrate data from breached systems, Unfading Sea Haze uses a custom tool named 'DustyExfilTool' that sends the stolen data over TLS on top of TCP.\r\nMore recent attacks show that the threat actors have switched to the curl utility and the FTP protocol for data exfiltration, now also using dynamically generated credentials that are changed frequently. Unless FTPS is used, plain FTP carries both credentials and file contents in clear text, which makes these transfers easier to spot in network traffic than the earlier TLS channel.\r\nUnfading Sea Haze shows stealth, persistence, and adaptability, leveraging fileless attacks, advanced evasion methods, and modular malware design.\r\nTo stop these attacks, organizations must adopt a multifaceted security strategy involving patch management, MFA adoption, network segmentation, traffic monitoring, and deployment of state-of-the-art detection and response products.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/"
	],
	"report_names": [
		"unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years"
	],
	"threat_actors": [
		{
			"id": "f51de4ba-d3f5-4df7-ab5a-034b32584e48",
			"created_at": "2024-06-20T02:02:10.208158Z",
			"updated_at": "2026-04-10T02:00:04.960754Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "ETDA:Unfading Sea Haze",
			"tools": [
				"DustyExfilTool",
				"EtherealGh0st",
				"FluffyGh0st",
				"InsidiousGh0st",
				"Ps2dllLoader",
				"SerialPktdoor",
				"SharpJSHandler",
				"SharpZulip",
				"SilentGh0st",
				"Stubbedoor",
				"TranslucentGh0st",
				"xkeylog"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cd48e0e6-b206-478d-bcb4-198be54bdf7a",
			"created_at": "2024-06-07T02:00:04.002734Z",
			"updated_at": "2026-04-10T02:00:03.644376Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "MISPGALAXY:Unfading Sea Haze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775792004,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90d4da72982c78083f2fbd0efdb61c8ef8175522.pdf",
		"text": "https://archive.orkl.eu/90d4da72982c78083f2fbd0efdb61c8ef8175522.txt",
		"img": "https://archive.orkl.eu/90d4da72982c78083f2fbd0efdb61c8ef8175522.jpg"
	}
}