A new advanced persistent threat (APT) group dubbed “Unfading Sea Haze” has been training its sights on organizations based in countries surrounding the South China Sea. The group has been active since at least 2018 and has so far targeted eight known victims, mostly military and government entities, in support of Chinese interests.
Bitdefender Labs published a list of indicators of compromise (IoCs) related to this campaign. The WhoisXML API research team expanded that list, which comprised 21 domain names (some of them extracted from subdomains) and 13 IP addresses, and uncovered:
Note that this post contains only a preview of our findings. The full research, including a sample of the additional artifacts obtained from our analysis are available for download from our website.
We began our in-depth analysis by subjecting the 21 domains identified as IoCs to a bulk WHOIS lookup, which revealed that:
Unfading Sea Haze did not discriminate in terms of domain age, using old and new alike. They were created between 2001 and 2024. Specifically, four domain IoCs were created in 2022; two each in 2001, 2003, 2016, and 2023; and one each in 2004, 2006, 2008, 2012, 2015, 2017, and 2024.
The U.S. topped the list of registrant countries, accounting for 13 of the domain IoCs. Iceland took the second spot with three domains. One domain IoC was registered in the U.K. Four domains, however, did not have registrant countries in their current WHOIS records.
A bulk IP geolocation lookup for the 13 IP addresses tagged as IoCs showed that:
DigitalOcean led the pack of ISPs, accounting for eight of the IP address IoCs. One IP address was administered by China Telecom. Finally, four of the IoCs did not have ISP information in their geolocation records.
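The two tallies above (creation year and registrant country from bulk WHOIS, ISP from bulk IP geolocation) are the kind of pivot an analyst repeats on every new IoC list. The script below is an added example, not code from the WhoisXML API research or from the Bitdefender report: it parses raw WHOIS text in the two layouts most registries emit (ICANN-style "Creation Date:" / "Registrant Country:" and RIPE/ISNIC-style "created:" / "country:"), counts records that lack a field instead of silently dropping them, and applies the same counting to geolocation records. All WHOIS text, domain names (RFC 2606 reserved names) and IP addresses (TEST-NET ranges) are constructed for the example and carry no real IoC data; the `isp` field name in the geolocation records is an assumption, not a specific vendor's schema.

```python
"""Tally creation years, registrant countries and ISPs for an IoC list.

Added example. The WHOIS and geolocation records below are constructed
(RFC 2606 domains, TEST-NET addresses); they are not data from the
Unfading Sea Haze research.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed raw WHOIS output. The fourth record has a privacy-redacted
# contact block and therefore no registrant country, mirroring the
# "no registrant country in current WHOIS" case from the analysis.
SAMPLE_WHOIS = {
    "example.com": "Domain Name: EXAMPLE.COM\n"
                   "Creation Date: 2022-03-14T09:21:07Z\n"
                   "Registrant Country: US\n",
    "example.net": "Domain Name: EXAMPLE.NET\n"
                   "Creation Date: 2001-08-02T00:00:00Z\n"
                   "Registrant Country: IS\n",
    "example.org": "domain:   example.org\n"
                   "created:  2016-11-30\n"
                   "country:  GB\n",
    "example.edu": "Domain Name: EXAMPLE.EDU\n"
                   "Creation Date: 2023-01-05T12:00:00Z\n"
                   "Registrant Organization: REDACTED FOR PRIVACY\n",
}

# Constructed geolocation records; the "isp" key is an assumed field name.
SAMPLE_GEO = [
    {"ip": "192.0.2.10", "isp": "DigitalOcean, LLC", "country": "US"},
    {"ip": "192.0.2.11", "isp": "DigitalOcean, LLC", "country": "SG"},
    {"ip": "198.51.100.7", "isp": "China Telecom", "country": "CN"},
    {"ip": "203.0.113.9", "isp": None, "country": None},
]

# Field names differ by registry; match any of the common spellings at
# the start of a line, case-insensitively.
CREATED_RE = re.compile(r"^(?:Creation Date|created):\s*(\S+)", re.I | re.M)
COUNTRY_RE = re.compile(r"^(?:Registrant Country|country):\s*([A-Za-z]{2})\b",
                        re.I | re.M)


def creation_year(whois_text):
    """Return the creation year as an int, or None if absent/unparseable."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    # Keep only the YYYY-MM-DD prefix; time and zone suffixes vary.
    try:
        return datetime.strptime(m.group(1)[:10], "%Y-%m-%d").year
    except ValueError:
        return None


def registrant_country(whois_text):
    """Return the two-letter registrant country code, or None if redacted."""
    m = COUNTRY_RE.search(whois_text)
    return m.group(1).upper() if m else None


def tally_domains(records):
    """Count creation years and registrant countries over a WHOIS dict."""
    years, countries = Counter(), Counter()
    for text in records.values():
        years[creation_year(text) or "unknown"] += 1
        countries[registrant_country(text) or "unknown"] += 1
    return years, countries


def tally_isps(geo_records):
    """Count ISPs over geolocation records, keeping missing ISPs visible."""
    return Counter((r.get("isp") or "unknown") for r in geo_records)


if __name__ == "__main__":
    years, countries = tally_domains(SAMPLE_WHOIS)
    print("creation years:", dict(years))
    print("registrant countries:", dict(countries))
    print("ISPs:", dict(tally_isps(SAMPLE_GEO)))
```

Keeping an explicit "unknown" bucket matters for the write-up: the difference between 21 domains and the number with a known registrant country is itself a finding (privacy-redacted or stale WHOIS), and dropping such records would make the U.S. share look larger than it is.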
This post only contains a snapshot of the full research. You can download the complete findings and a sample of the additional artifacts found on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.