📃Title: Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea
📅Date: 2024-05-22
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer= Bitdefender
  • threat-actor= Unfading-Sea-Haze
  • country="china"
  • target-information="Brunei"
  • target-information="Indonesia"
  • target-information="Malaysia"
  • target-information="Philippines"
  • target-information="Taiwan"
  • target-information="Vietnam"
  • malpedia="Ghost RAT"
  • malpedia="SilentGh0st"
  • mitre-attack-pattern=['T1059.001', 'T1566', 'T1053.005', 'T1053', 'T1036', 'T1574.002', 'T1112', 'T1100', 'T1056.001']

MISP event uuid: cb8ca269-00c8-4df9-903d-3aeb20d0573a

Indicators of Compromise (IoCs)

type,value,comment
md5, 1ce17f0e2a000a889b3f81e80b95f19f, 'DustyExfilTool'
md5, 6a0933d08d8d27165f72c53df8f1bf04, 'DustyExfilTool'
md5, 1dbcd8d2f5718fa7654f8b5f34b88d43, 'Loader that uses xyz123xyz for AES decryption'
md5, 2e4055e16c1a9274caa182223977eda1, 'SilentGh0st'
md5, 1e55bda0b7eb0aea78577a21f51e8f5c, 'Ps2dllLoader'
md5, b3dc2dcb0f2a5661aed1f4e6d9e88bc6, 'Ps2dllLoader'
md5, 4d99127e4b1d27a56f7c4b198739176b, '.Net loader used by Ps2dllLoader'
md5, 5bd1eb1166da401c470af2b9e204b2d1, '.Net loader used by Ps2dllLoader'
md5, 70773eb54234c486c46048ade57db45b, 'Stubbedoor'
md5, 124bdaaa70da4daeacbc0513b6c0558e, 'Enriched via the csvimport module'
md5, cb95ad8fad82eac1c553cd2d7470100b, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 19dbf2d82f6f95a73f1529636e775295, 'SilentGh0st (No sample in VT; Last check: 12/02/2026)'
md5, e7433f8a0943a6025d43473990ec8068, 'TranslucentGh0st (No sample in VT; Last check: 12/02/2026)'
md5, ac7b8524098cbb423619706ff617b6a6, 'Network Scanner (No sample in VT; Last check: 12/02/2026)'
md5, 95701a74b6b3de68fc375cd08ae8d2c2, 'SilentGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 7e10d7dd09f5ee2010990701db042f11, 'WPD USB monitor tool (No sample in VT; Last check: 12/02/2026)'
md5, a5af41fda8ef570fda96c64a932d4247, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 5421e3cef32e534fa74a26df1c753700, 'SharpJSHandler, OneDrive variant (No sample in VT; Last check: 12/02/2026)'
md5, 2c45c1c35c703bb923b558343f00ea34, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 69310040e872806cb2b00d3addb321a7, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 35623ba9f8fcbcf0fce96aa2465b0b66, 'SharpJSHandler (No sample in VT; Last check: 12/02/2026)'
md5, 828faccaaf8e70be1c32ae5588d3df12, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 4ec62fdd3d02bc9b81a8c78910b8463a, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, cff31de1b28f6b00d13d15c2be08a982, 'SharpJSHandler DropBox variant (No sample in VT; Last check: 12/02/2026)'
md5, 7ff8a134c1ee44c915339a74e4a2d3ca, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 0dd4603f7c3a80a2408e458fe58b2e60, 'InsidiousGh0st .NET variant (No sample in VT; Last check: 12/02/2026)'
md5, 11c7f264184ed52df4a3836a623845c8, 'TranslucentGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 55a246ace9630b31c43964ebd551e5e2, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 8c31532f73671995d7f3b6d5814ba726, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 5268206fb6c96f614f67cd5d686f42af, 'TranslucentGh0st (No sample in VT; Last check: 12/02/2026)'
md5, cf2f7331a04bb9cd47b58a5c80d4c242, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 3d87f0bd243cff931bb463fce1d115e3, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 98de3eeda1adefec31d3e3f00079dd2d, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, b04d9dba3bc922a33c1408d4fbf80678, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 35a307b73849a3d7a7cd603a0c4698f2, 'SerialPktdoor loader (No sample in VT; Last check: 12/02/2026)'
md5, 3d879bc2fb28c5abbcd6e08b6e5dc762, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 7aba74bfbf5cb068fb52e8813c40f4cd, 'Xkeylog keylogger (No sample in VT; Last check: 12/02/2026)'
md5, 510c36c9061778d166e23177a191df35, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, b6cd3d88a6d6886718b6113147a99901, 'Malicious C# script (No sample in VT; Last check: 12/02/2026)'
md5, 1179f589791c2eaa1ae33f38e62753d0, 'Malicious C# script (No sample in VT; Last check: 12/02/2026)'
md5, 0b744f9d38e125cd4fe14289272ac0e2, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 960a964cab127c4f3c726612fdeaeb08, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 1d2185c956a75a8628e310a38dea4001, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 7169179cc18e6aa6c2c36e4bee59f63d, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, cf398f9780de020919daad9ca4a27455, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 96a43d13fd11464e9898af98cc5bb24b, 'Xkeylog keylogger (No sample in VT; Last check: 12/02/2026)'
md5, 14a88779c7e03ecfc19dd18221e25105, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 2bf96bd44942ca8beed04623a1e19e24, 'Hid.dll loader (No sample in VT; Last check: 12/02/2026)'
md5, fabdf1094b49673bc0f015cbb986bad5, 'Hid.dll loader (No sample in VT; Last check: 12/02/2026)'
md5, 00bcbeb6ffdadc50a931212eff424e19, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, e5fc13c39dd81e6de11d1c211f4413ba, 'Xkeylog keylogger (No sample in VT; Last check: 12/02/2026)'
md5, 9425f9f7cc393c492deb267c12d031c5, 'Hid Dropper (No sample in VT; Last check: 12/02/2026)'
md5, 551bda0f19bf2705f5f7bd52dcbc021f, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 654163ab9002bd06f68a9f41123b1cd4, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, fda22f52f0d3a81f095a00810a3dd70a, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, cf5f2e3e1ce82e75a2d0885af5efa1ef, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 3631001b60bdf712e6294d40ec777d87, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 4e470ea6d7d7da6dd4147c8e948df7c8, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 73daf06fed93d542af04d59a4545fab0, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 100c461d79471c96eba20c8eae35c5ba, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 40466fd795360ac4270751d8c4500c39, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, cb9e6fa194b8fa2ef5b6b19e0bd6873e, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, af215f4670ae190e699c27e5205aadee, 'Eventlog info extractor (No sample in VT; Last check: 12/02/2026)'
md5, 39d43f21b3c2b9f94165f5257b229fb4, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 3dc8d8a70cc60a2376ce5c555d242cf3, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 6f01bed0b875069ec5b9650e6d8c416f, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 5f8f9269bcd52ef630bc563b83059b77, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, fa93aec0018c5e3d1d58b76af159bb82, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 846838327cda19b4415afd5b352c95df, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 17303b1a254abb9ed0795f7d9b51b462, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 3decde2a91f52255dd97eaafc2666947, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, b98e54d01a094bb6b83eff06a8cf49d6, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, b1a886f8904d90ad28fce0dc0dc9df93, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 5800fff782c36df785dad1d0a34ad418, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 6c49738668ca7c054f0708ecc3b626c8, 'SerialPktDoor loader (No sample in VT; Last check: 12/02/2026)'
md5, d9a452c1c06903fafa4dc4625b2c2d9b, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 91017ad856cff5f0cb304ea2a3ae81c9, 'FluffyGh0st (No sample in VT; Last check: 12/02/2026)'
md5, f54bed43b372997f3bafe5c67c799e73, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, cd0b810751eb2a1470e44f7f6660d5f4, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 80fb9865209f8d8d1017c8151c79ef74, 'Network scanner (No sample in VT; Last check: 12/02/2026)'
md5, c8c890cf8d61cab805e9ef0a4471579a, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
md5, 0f4d06cedc93c7784580a3a7c4ad2fb4, 'InsidiousGh0st (No sample in VT; Last check: 12/02/2026)'
md5, c182b3e659a416fe59f3613c08a8cffb, 'InsidiousGh0st go variant (No sample in VT; Last check: 12/02/2026)'
md5, 942086934f4dd65c3e0158c9b8d89933, 'SharpZulip (No sample in VT; Last check: 12/02/2026)'
md5, e3fb4c2d591a440cfe6419f5a9825e84, 'Ps2dllLoader (No sample in VT; Last check: 12/02/2026)'
md5, 4b68c803db1b4222292adba3b2a1a037, 'EtherealGh0st (No sample in VT; Last check: 12/02/2026)'
hostname, upupdate.ooguy.com, ''
hostname, fc.adswt.com, ''
hostname, mail.simpletra.com, ''
hostname, mail.adswt.com, ''
hostname, api.simpletra.com, ''
hostname, bit.kozow.com, ''
hostname, mail.pcygphil.com, ''
hostname, mail.bomloginset.com, ''
hostname, dns-log.d-n-s.org.uk, ''
hostname, linklab.blinklab.com, ''
hostname, link.theworkguyoo.com, ''
hostname, mail.theworkguyoo.com, ''
hostname, sopho.kozow.com, ''
hostname, news.nevuer.com, ''
hostname, payroll.mywire.org, ''
hostname, employee.mywire.org, ''
hostname, airst.giize.com, ''
hostname, cdn.g8z.net, ''
hostname, manags.twilightparadox.com, ''
hostname, dns.g8z.net, ''
hostname, message.ooguy.com, ''
hostname, spcg.lunaticfridge.com, ''
hostname, helpdesk.fxnxs.com, ''
hostname, newy.hifiliving.com, ''
hostname, images.emldn.com, ''
hostname, word.emldn.com, ''
hostname, provider.giize.com, ''
hostname, rest.redirectme.net, ''
hostname, api.bitdefenderupdate.org, ''
ip-dst, 167.71.199.105, ''
ip-dst, 188.166.224.242, ''
ip-dst, 159.223.78.147, ''
ip-dst, 128.199.166.143, ''
ip-dst, 164.92.146.227, ''
ip-dst, 192.153.57.24, ''
ip-dst, 209.97.167.177, ''
ip-dst, 112.113.112.5, ''
ip-dst, 193.149.129.128, ''
ip-dst, 128.199.66.11, ''
ip-dst, 45.61.137.109, ''
ip-dst, 139.59.107.49, ''
ip-dst, 152.42.198.152, ''
domain, bitdefenderupdate.org, ''
hostname, auth.bitdefenderupdate.com, ''
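
The table above is a flat `type,value,comment` export. Turning it into something a SOC can run means parsing that export and matching each attribute type the way MISP intends: an md5 against file hashes, an ip-dst against destination addresses, a hostname as an exact FQDN, and a domain as the apex plus every label beneath it. The Python below is an added example written for this page, not code from Bitdefender or Rectifyq. The indicator rows are a subset copied from the raw export of the table (whose comment field carries a literal `\r\n` escape and a "No sample in VT" note after the family name); the log lines, their key=value field names (host=, event=, query=, dst=, md5=), and the hostnames cdn.bitdefenderupdate.org and notbitdefenderupdate.org are constructed for the demonstration.

```python
"""Parse a MISP 'type,value,comment' IoC export (the shape of the table on
this page) and hunt the indicators across host logs.

Added example for this page; not code from Bitdefender or Rectifyq.
IOC_CSV is a subset copied from the page's raw export; LOGS and its
key=value field names are constructed for the demonstration.
"""
import re

# Subset of the page's IoC rows, copied from the raw export. There the
# comment field can carry a literal "\r\n" escape between the
# "No sample in VT" note and the "Last check" date.
IOC_CSV = r"""type,value,comment
md5, 1ce17f0e2a000a889b3f81e80b95f19f, 'DustyExfilTool'
md5, 1e55bda0b7eb0aea78577a21f51e8f5c, 'Ps2dllLoader'
md5, cb95ad8fad82eac1c553cd2d7470100b, 'Ps2dllLoader No sample in VT\r\nLast check:12/02/2026'
md5, 124bdaaa70da4daeacbc0513b6c0558e, 'Enriched via the csvimport module'
hostname, upupdate.ooguy.com, ''
hostname, api.bitdefenderupdate.org, ''
ip-dst, 167.71.199.105, ''
domain, bitdefenderupdate.org, ''
"""

# Constructed log lines (not from the page). cdn.bitdefenderupdate.org and
# notbitdefenderupdate.org are made up to exercise the domain-suffix rule.
LOGS = [
    "2024-05-20T08:11:02Z host=WS-17 event=dns query=api.bitdefenderupdate.org",
    "2024-05-20T08:11:05Z host=WS-17 event=net dst=167.71.199.105 dport=443",
    "2024-05-20T08:12:40Z host=WS-17 event=proc image=C:\\ProgramData\\hid.dll "
    "md5=1E55BDA0B7EB0AEA78577A21F51E8F5C",
    "2024-05-20T09:00:00Z host=WS-22 event=dns query=update.example.com",
    "2024-05-20T09:01:10Z host=WS-22 event=dns query=cdn.bitdefenderupdate.org",
    "2024-05-20T09:02:00Z host=WS-22 event=dns query=notbitdefenderupdate.org",
]

# "<family> No sample in VT; Last check:<date>", with or without parentheses
# around the note.
VT_NOTE = re.compile(r"^(?P<family>.*?)\s*\(?(?P<note>No sample in VT[^)]*)\)?$")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_ioc_csv(text):
    """Return [{type, value, family, note}] from the export.

    The export is not RFC 4180 CSV: comments are single-quoted and may
    contain commas, so split on the first two commas only.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("type,"):
            continue  # blank line or header
        ioc_type, value, comment = (p.strip() for p in line.split(",", 2))
        comment = comment.strip("'").replace(r"\r\n", "; ")
        m = VT_NOTE.match(comment)
        family, note = (m["family"], m["note"]) if m else (comment, "")
        rows.append({"type": ioc_type, "value": value.lower(),
                     "family": family, "note": note})
    return rows


def build_index(iocs):
    """Group indicators by MISP attribute type: {type: {value: row}}."""
    index = {}
    for ioc in iocs:
        index.setdefault(ioc["type"], {})[ioc["value"]] = ioc
    return index


def scan_line(index, line):
    """Yield (ioc_type, matched_value, row) for each indicator hit on a line."""
    fields = dict(FIELD.findall(line))
    md5 = fields.get("md5", "").lower()  # hashes compare case-insensitively
    if md5 in index.get("md5", {}):
        yield "md5", md5, index["md5"][md5]
    dst = fields.get("dst")
    if dst in index.get("ip-dst", {}):
        yield "ip-dst", dst, index["ip-dst"][dst]
    query = fields.get("query", "").lower().rstrip(".")
    if query:
        if query in index.get("hostname", {}):  # hostname: exact FQDN only
            yield "hostname", query, index["hostname"][query]
        for domain, row in index.get("domain", {}).items():
            # domain: the apex and every label beneath it, on a label boundary
            if query == domain or query.endswith("." + domain):
                yield "domain", domain, row


def scan_logs(index, lines):
    """Return the list of hits over all lines, keeping timestamp and host."""
    hits = []
    for line in lines:
        ts = line.split()[0]
        host = dict(FIELD.findall(line)).get("host", "?")
        for ioc_type, value, row in scan_line(index, line):
            hits.append({"ts": ts, "host": host, "type": ioc_type,
                         "value": value, "family": row["family"]})
    return hits


if __name__ == "__main__":
    index = build_index(parse_ioc_csv(IOC_CSV))
    for hit in scan_logs(index, LOGS):
        print(f"{hit['ts']} {hit['host']} {hit['type']}={hit['value']} "
              f"{hit['family'] or '-'}")
```

Run it directly to print the hits. The last two log lines show why the hostname/domain distinction matters: cdn.bitdefenderupdate.org is not listed as a hostname but still matches the domain attribute bitdefenderupdate.org, while notbitdefenderupdate.org does not, because the suffix check requires a label boundary. Hashes are lowercased before comparison because Sysmon and EDR sources disagree on case.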

Full IOCs available in Rectifyq’s MISP