{
	"id": "f8dd6dd5-837b-41c5-9542-2d390c6bc5e0",
	"created_at": "2026-04-06T00:15:07.529709Z",
	"updated_at": "2026-04-10T13:12:27.789659Z",
	"deleted_at": null,
	"sha1_hash": "f014b2cd7ac837e89bf28ae02cd77d7ba1573117",
	"title": "Newly Detected Chinese Group Targeting Military, Government Entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97048,
	"plain_text": "Newly Detected Chinese Group Targeting Military, Government Entities\r\nBy Ionut Arghire\r\nPublished: 2024-05-23 · Archived: 2026-04-05 17:31:38 UTC\r\nA Chinese threat actor has been targeting military and government entities in South China Sea countries for at least six years, Bitdefender reports.\r\nDubbed Unfading Sea Haze in Bitdefender's report (PDF), the espionage-focused group has stayed under the radar since 2018 by continually refreshing its tooling and its tactics, techniques, and procedures (TTPs), and it has repeatedly regained access to environments it had already compromised.\r\nWhile the initial intrusion vector used by Unfading Sea Haze is not known, the threat actor has been observed using spear-phishing in some attacks, followed by the deployment of custom malware and tools.\r\nSpear-phishing emails seen over the past year carried malicious archives containing LNK (Windows shortcut) files whose target runs malicious commands when the shortcut is opened, leading to the deployment of malware.\r\nFor persistence, Unfading Sea Haze used scheduled tasks together with manipulation of local administrator accounts: the attackers attempted to enable or disable those accounts, reset their passwords, and hide them from the login screen.\r\nAdditionally, the threat actor has been observed using commercially available remote monitoring and management (RMM) tools, such as ITarian RMM, to gain access to victim networks.\r\n“We also found evidence suggesting the attacker may have established persistence on web servers, including both Windows IIS and Apache httpd. Potential methods include web shells or malicious modules designed for these web server platforms (IIS modules and httpd modules),” Bitdefender notes.\r\nBetween 2018 and 2023, Unfading Sea Haze relied on two Gh0st RAT variants named SilentGh0st and TranslucentGh0st, and on variants of the .NET agent SharpJSHandler, which a loader named Ps2dllLoader executed in memory.\r\nIn 2023, the threat actor replaced Ps2dllLoader with a new fileless attack mechanism and switched to more modular (plugin-based) variants of Gh0st RAT, namely FluffyGh0st, InsidiousGh0st, and EtherealGh0st.\r\nThe backdoors support commands for file and folder manipulation, command execution, file download and upload, and data harvesting, but the adversary was also seen using other custom malware and various tools for keylogging, browser data harvesting, and data exfiltration.\r\nAccording to Bitdefender, Unfading Sea Haze has hit at least eight government and military organizations in the South China Sea region, and its activities appear aligned with Beijing’s interests, suggesting it could be a nation-state adversary operating out of China.\r\nFurthermore, Gh0st RAT variants have been linked to Chinese threat actors before, and resource sharing among Chinese hacking groups, together with overlaps with APT41’s tooling, reinforces the assessment that Unfading Sea Haze is a Chinese adversary.\r\nRelated: Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report\r\nRelated: Chinese Cyberspies Targeting ASEAN Entities\r\nRelated: Chinese APT Hacks 48 Government Organizations\r\nSource: https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/"
	],
	"report_names": [
		"newly-detected-chinese-group-targeting-military-government-entities"
	],
	"threat_actors": [
		{
			"id": "f51de4ba-d3f5-4df7-ab5a-034b32584e48",
			"created_at": "2024-06-20T02:02:10.208158Z",
			"updated_at": "2026-04-10T02:00:04.960754Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "ETDA:Unfading Sea Haze",
			"tools": [
				"DustyExfilTool",
				"EtherealGh0st",
				"FluffyGh0st",
				"InsidiousGh0st",
				"Ps2dllLoader",
				"SerialPktdoor",
				"SharpJSHandler",
				"SharpZulip",
				"SilentGh0st",
				"Stubbedoor",
				"TranslucentGh0st",
				"xkeylog"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cd48e0e6-b206-478d-bcb4-198be54bdf7a",
			"created_at": "2024-06-07T02:00:04.002734Z",
			"updated_at": "2026-04-10T02:00:03.644376Z",
			"deleted_at": null,
			"main_name": "Unfading Sea Haze",
			"aliases": [],
			"source_name": "MISPGALAXY:Unfading Sea Haze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f014b2cd7ac837e89bf28ae02cd77d7ba1573117.pdf",
		"text": "https://archive.orkl.eu/f014b2cd7ac837e89bf28ae02cd77d7ba1573117.txt",
		"img": "https://archive.orkl.eu/f014b2cd7ac837e89bf28ae02cd77d7ba1573117.jpg"
	}
}
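Appended to the record above as an added example, not code from Bitdefender, SecurityWeek or the ORKL archive: a PowerShell audit that checks one Windows host for the persistence mechanisms the article attributes to Unfading Sea Haze (local administrator accounts enabled, disabled, password-reset or hidden from the logon screen; scheduled tasks; an installed RMM agent; and, from the Bitdefender quote, IIS native/managed modules and Apache httpd LoadModule entries). It reads only documented locations: the Winlogon SpecialAccounts\UserList registry key, the local SAM via Get-LocalUser/Get-LocalGroupMember, the Security event log, the Task Scheduler, the Uninstall registry keys, applicationHost.config and httpd.conf. The LOLBin and user-writable-path heuristics, the RMM keyword list, the seven- and thirty-day windows and the httpd.conf location are this example's assumptions, not indicators from the report.

```powershell
# Added example, not code from Bitdefender or SecurityWeek: audit one Windows host for the persistence
# the article describes (manipulated local admin accounts, accounts hidden from the logon screen,
# scheduled tasks, RMM agents, IIS and httpd modules). Run in an elevated PowerShell 5.1+ session.
# The LOLBin/path heuristics, the RMM keyword list and the httpd.conf path are this example's assumptions.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Subject, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Subject = $Subject; Detail = $Detail })
}

# 1. Accounts hidden from the logon screen: a DWORD named after the account, set to 0, under
#    Winlogon\SpecialAccounts\UserList. The key does not exist on a default installation.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    (Get-ItemProperty -Path $userList).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { Add-Finding 'HiddenAccount' $_.Name 'hidden via SpecialAccounts\UserList' }
}

# 2. Local Administrators group: built-in RID-500 account enabled, or a password set in the last 7 days.
foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Where-Object ObjectClass -eq 'User') {
    $name = ($m.Name -split '\\')[-1]
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue   # domain members are skipped
    if (-not $u) { continue }
    $detail = "Enabled=$($u.Enabled) PasswordLastSet=$($u.PasswordLastSet) LastLogon=$($u.LastLogon)"
    if ($u.SID.Value -like '*-500' -and $u.Enabled) { Add-Finding 'BuiltInAdminEnabled' $name $detail }
    if ($u.PasswordLastSet -gt (Get-Date).AddDays(-7)) { Add-Finding 'RecentPasswordChange' $name $detail }
}

# 3. Security log, last 30 days: 4720 created, 4722 enabled, 4725 disabled, 4724 password reset,
#    4732 added to a local group, 4698 scheduled task created.
$filter = @{ LogName = 'Security'; Id = 4720, 4722, 4724, 4725, 4732, 4698; StartTime = (Get-Date).AddDays(-30) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'SecurityEvent' $_.Id "$($_.TimeCreated) $(($_.Message -split "`n")[0].Trim())"
}

# 4. Enabled scheduled tasks that launch a script host/LOLBin or run from a user-writable directory.
#    Expect some Microsoft defaults to match; baseline them before treating hits as incidents.
$lolbins  = 'powershell', 'pwsh', 'cmd', 'mshta', 'rundll32', 'regsvr32', 'wscript', 'cscript', 'certutil'
$writable = '\ProgramData\', '\AppData\', '\Temp\', '\Users\Public\', '\Windows\Tasks\'
foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($a in $t.Actions | Where-Object { $_.Execute }) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        $exe = [IO.Path]::GetFileNameWithoutExtension($a.Execute.Trim('"')).ToLower()
        if ($lolbins -contains $exe -or ($writable | Where-Object { $cmd -like "*$_*" })) {
            Add-Finding 'SuspiciousTask' "$($t.TaskPath)$($t.TaskName)" $cmd
        }
    }
}

# 5. RMM agents: keyword match on installed-program and service display names.
$rmm = 'ITarian'   # the RMM named in the report; add any agent your estate does not sanction
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
foreach ($k in $rmm) {
    Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue | Where-Object DisplayName -like "*$k*" |
        ForEach-Object { Add-Finding 'RMMAgent' $_.DisplayName "Publisher=$($_.Publisher) Installed=$($_.InstallDate)" }
    Get-Service | Where-Object DisplayName -like "*$k*" |
        ForEach-Object { Add-Finding 'RMMService' $_.Name "Status=$($_.Status)" }
}

# 6. IIS: native <globalModules> DLLs that are unsigned or outside %windir%, and managed <modules>
#    entries whose type is not a System.* or Microsoft.* assembly, read from applicationHost.config.
$ahc = "$env:windir\System32\inetsrv\config\applicationHost.config"
if (Test-Path $ahc) {
    [xml]$cfg = Get-Content -Path $ahc -Raw
    foreach ($m in $cfg.SelectNodes('//globalModules/add')) {
        $img = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
        $sig = if (Test-Path $img) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'Missing' }
        if ($sig -ne 'Valid' -or $img -notlike "$env:windir\*") {
            Add-Finding 'IISNativeModule' $m.GetAttribute('name') "image=$img signature=$sig"
        }
    }
    foreach ($m in $cfg.SelectNodes('//modules/add[@type]')) {
        $type = $m.GetAttribute('type')
        if ($type -notlike 'System.*' -and $type -notlike 'Microsoft.*') {
            Add-Finding 'IISManagedModule' $m.GetAttribute('name') "type=$type"
        }
    }
}

# 7. Apache httpd: LoadModule directives whose library lives outside ServerRoot/modules.
function Get-HttpdModuleFindings([string]$ConfPath) {
    $text = Get-Content -Path $ConfPath -Raw
    $root = [regex]::Match($text, '(?m)^\s*ServerRoot\s+"?([^"\r\n]+?)"?\s*$').Groups[1].Value.TrimEnd('/', '\')
    foreach ($mm in [regex]::Matches($text, '(?m)^\s*LoadModule\s+(\S+)\s+"?([^"\r\n]+?)"?\s*$')) {
        $path = $mm.Groups[2].Value
        if ($path -notmatch '^modules[/\\]' -and $path -notlike "$root/modules/*" -and $path -notlike "$root\modules\*") {
            Add-Finding 'HttpdModule' $mm.Groups[1].Value "$path (outside $root/modules)"
        }
    }
}
$httpdConf = 'C:\Apache24\conf\httpd.conf'   # assumed location; adjust for your install
if (Test-Path $httpdConf) { Get-HttpdModuleFindings $httpdConf }

$findings | Sort-Object Category, Subject | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on each suspect host and compare the output against a known-good build of the same image: third-party IIS modules installed under Program Files, Microsoft maintenance tasks that invoke powershell.exe and a sanctioned RMM agent will all appear, and only entries absent from the baseline deserve follow-up. The Security-log section is the one that directly matches the account behaviour in the article: a 4724 (password reset) or 4722/4725 (enable/disable) against the RID-500 account, close in time to a 4698 task creation, is the pattern to pivot on, provided the log has not been cleared and the host audits account-management and object-access events.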