📃Title: Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea
📅Date: 2024-05-22
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Bitdefender
  • threat-actor Unfading-Sea-Haze
  • country="china"
  • target-information="Brunei"
  • target-information="Indonesia"
  • target-information="Malaysia"
  • target-information="Philippines"
  • target-information="Taiwan"
  • target-information="Vietnam"
  • malpedia="Ghost RAT"
  • malpedia="SilentGh0st"
  • mitre-attack-pattern=['T1059.001', 'T1566', 'T1053.005', 'T1053', 'T1036', 'T1574.002', 'T1112', 'T1100', 'T1056.001']

MISP event uuid: cb8ca269-00c8-4df9-903d-3aeb20d0573a

Indicators of Compromise (IoCs)

type,value,comment
md5, cb95ad8fad82eac1c553cd2d7470100b, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 19dbf2d82f6f95a73f1529636e775295, 'SilentGh0st No sample in VT\r\nLast check:12/02/2026'
md5, e7433f8a0943a6025d43473990ec8068, 'TranslucentGh0st No sample in VT\r\nLast check:12/02/2026'
md5, ac7b8524098cbb423619706ff617b6a6, 'Network Scanner No sample in VT\r\nLast check:12/02/2026'
md5, 95701a74b6b3de68fc375cd08ae8d2c2, 'SilentGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 7e10d7dd09f5ee2010990701db042f11, 'WPD USB monitor tool No sample in VT\r\nLast check:12/02/2026'
md5, a5af41fda8ef570fda96c64a932d4247, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 5421e3cef32e534fa74a26df1c753700, 'SharpJSHandler, OneDrive variant No sample in VT\r\nLast check:12/02/2026'
md5, 2c45c1c35c703bb923b558343f00ea34, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 69310040e872806cb2b00d3addb321a7, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 35623ba9f8fcbcf0fce96aa2465b0b66, 'SharpJSHandler No sample in VT\r\nLast check:12/02/2026'
md5, 828faccaaf8e70be1c32ae5588d3df12, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 4ec62fdd3d02bc9b81a8c78910b8463a, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, cff31de1b28f6b00d13d15c2be08a982, 'SharpJSHandler DropBox variant No sample in VT\r\nLast check:12/02/2026'
md5, 7ff8a134c1ee44c915339a74e4a2d3ca, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 0dd4603f7c3a80a2408e458fe58b2e60, 'InsidiousGh0st .NET variant No sample in VT\r\nLast check:12/02/2026'
md5, 11c7f264184ed52df4a3836a623845c8, 'TranslucentGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 55a246ace9630b31c43964ebd551e5e2, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 8c31532f73671995d7f3b6d5814ba726, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 5268206fb6c96f614f67cd5d686f42af, 'TranslucentGh0st No sample in VT\r\nLast check:12/02/2026'
md5, cf2f7331a04bb9cd47b58a5c80d4c242, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 3d87f0bd243cff931bb463fce1d115e3, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 98de3eeda1adefec31d3e3f00079dd2d, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, b04d9dba3bc922a33c1408d4fbf80678, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 35a307b73849a3d7a7cd603a0c4698f2, 'SerialPktdoor loader No sample in VT\r\nLast check:12/02/2026'
md5, 3d879bc2fb28c5abbcd6e08b6e5dc762, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 7aba74bfbf5cb068fb52e8813c40f4cd, 'Xkeylog keylogger No sample in VT\r\nLast check:12/02/2026'
md5, 510c36c9061778d166e23177a191df35, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, b6cd3d88a6d6886718b6113147a99901, 'Malicious C# script No sample in VT\r\nLast check:12/02/2026'
md5, 1179f589791c2eaa1ae33f38e62753d0, 'Malicious C# script No sample in VT\r\nLast check:12/02/2026'
md5, 0b744f9d38e125cd4fe14289272ac0e2, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 960a964cab127c4f3c726612fdeaeb08, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 1d2185c956a75a8628e310a38dea4001, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 7169179cc18e6aa6c2c36e4bee59f63d, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, cf398f9780de020919daad9ca4a27455, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 96a43d13fd11464e9898af98cc5bb24b, 'Xkeylog keylogger No sample in VT\r\nLast check:12/02/2026'
md5, 14a88779c7e03ecfc19dd18221e25105, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 2bf96bd44942ca8beed04623a1e19e24, 'Hid.dll loader No sample in VT\r\nLast check:12/02/2026'
md5, fabdf1094b49673bc0f015cbb986bad5, 'Hid.dll loader No sample in VT\r\nLast check:12/02/2026'
md5, 00bcbeb6ffdadc50a931212eff424e19, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, e5fc13c39dd81e6de11d1c211f4413ba, 'Xkeylog keylogger No sample in VT\r\nLast check:12/02/2026'
md5, 9425f9f7cc393c492deb267c12d031c5, 'Hid Dropper No sample in VT\r\nLast check:12/02/2026'
md5, 551bda0f19bf2705f5f7bd52dcbc021f, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 654163ab9002bd06f68a9f41123b1cd4, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, fda22f52f0d3a81f095a00810a3dd70a, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, cf5f2e3e1ce82e75a2d0885af5efa1ef, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 3631001b60bdf712e6294d40ec777d87, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 4e470ea6d7d7da6dd4147c8e948df7c8, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 73daf06fed93d542af04d59a4545fab0, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 100c461d79471c96eba20c8eae35c5ba, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 40466fd795360ac4270751d8c4500c39, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, cb9e6fa194b8fa2ef5b6b19e0bd6873e, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, af215f4670ae190e699c27e5205aadee, 'Eventlog info extractor No sample in VT\r\nLast check:12/02/2026'
md5, 39d43f21b3c2b9f94165f5257b229fb4, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 3dc8d8a70cc60a2376ce5c555d242cf3, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 6f01bed0b875069ec5b9650e6d8c416f, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 5f8f9269bcd52ef630bc563b83059b77, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, fa93aec0018c5e3d1d58b76af159bb82, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 846838327cda19b4415afd5b352c95df, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 17303b1a254abb9ed0795f7d9b51b462, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 3decde2a91f52255dd97eaafc2666947, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, b98e54d01a094bb6b83eff06a8cf49d6, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, b1a886f8904d90ad28fce0dc0dc9df93, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 5800fff782c36df785dad1d0a34ad418, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 6c49738668ca7c054f0708ecc3b626c8, 'SerialPktDoor loader No sample in VT\r\nLast check:12/02/2026'
md5, d9a452c1c06903fafa4dc4625b2c2d9b, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 91017ad856cff5f0cb304ea2a3ae81c9, 'FluffyGh0st No sample in VT\r\nLast check:12/02/2026'
md5, f54bed43b372997f3bafe5c67c799e73, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, cd0b810751eb2a1470e44f7f6660d5f4, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 80fb9865209f8d8d1017c8151c79ef74, 'Network scanner No sample in VT\r\nLast check:12/02/2026'
md5, c8c890cf8d61cab805e9ef0a4471579a, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
md5, 0f4d06cedc93c7784580a3a7c4ad2fb4, 'InsidiousGh0st No sample in VT\r\nLast check:12/02/2026'
md5, c182b3e659a416fe59f3613c08a8cffb, 'InsidiousGh0st go variant No sample in VT\r\nLast check:12/02/2026'
md5, 942086934f4dd65c3e0158c9b8d89933, 'SharpZulip No sample in VT\r\nLast check:12/02/2026'
md5, e3fb4c2d591a440cfe6419f5a9825e84, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 4b68c803db1b4222292adba3b2a1a037, 'EtherealGh0st No sample in VT\r\nLast check:12/02/2026'
hostname, upupdate.ooguy.com, ''
hostname, fc.adswt.com, ''
hostname, mail.simpletra.com, ''
hostname, mail.adswt.com, ''
hostname, api.simpletra.com, ''
hostname, bit.kozow.com, ''
hostname, mail.pcygphil.com, ''
hostname, mail.bomloginset.com, ''
hostname, dns-log.d-n-s.org.uk, ''
hostname, linklab.blinklab.com, ''
hostname, link.theworkguyoo.com, ''
hostname, mail.theworkguyoo.com, ''
hostname, sopho.kozow.com, ''
hostname, news.nevuer.com, ''
hostname, payroll.mywire.org, ''
hostname, employee.mywire.org, ''
hostname, airst.giize.com, ''
hostname, cdn.g8z.net, ''
hostname, manags.twilightparadox.com, ''
hostname, dns.g8z.net, ''
hostname, message.ooguy.com, ''
hostname, spcg.lunaticfridge.com, ''
hostname, helpdesk.fxnxs.com, ''
hostname, newy.hifiliving.com, ''
hostname, images.emldn.com, ''
hostname, word.emldn.com, ''
hostname, provider.giize.com, ''
hostname, rest.redirectme.net, ''
hostname, api.bitdefenderupdate.org, ''
ip-dst, 167.71.199.105, ''
ip-dst, 188.166.224.242, ''
ip-dst, 159.223.78.147, ''
ip-dst, 128.199.166.143, ''
ip-dst, 164.92.146.227, ''
ip-dst, 192.153.57.24, ''
ip-dst, 209.97.167.177, ''
ip-dst, 112.113.112.5, ''
ip-dst, 193.149.129.128, ''
ip-dst, 128.199.66.11, ''
ip-dst, 45.61.137.109, ''
ip-dst, 139.59.107.49, ''
ip-dst, 152.42.198.152, ''
domain, bitdefenderupdate.org, ''
hostname, auth.bitdefenderupdate.com, ''

Full IoCs available in Rectifyq's MISP