Home / Industry

Following the DNS Trail of APT Group Newbie Unfading Sea Haze

A new advanced persistent threat (APT) group dubbed “Unfading Sea Haze” has been trailing its sights on various organizations based in countries surrounding the South China Sea. As it turns out, the group has been active since at least 2018 and targeted eight known victims, mostly military and government entities, in support of Chinese interests so far.

Bitdefender Labs published a list of indicators of compromise (IoCs) related to this attack. The WhoisXML API research team expanded the list comprising 21 domain names (some of which were extracted from subdomains) and 13 IP addresses and uncovered:

  • 758 email-connected domains, one of which turned out to be malicious
  • 16 additional IP addresses, 11 of which were associated with threats
  • 272 IP-connected domains, 73 of which turned out to be malicious
  • 253 string-connected domains

Note that this post contains only a preview of our findings. The full research, including a sample of the additional artifacts obtained from our analysis are available for download from our website.

More on the Unfading Sea Haze IoCs

We began our in-depth analysis by subjecting the 21 domains identified as IoCs to a bulk WHOIS lookup, which revealed that:

  • The domain IoCs were spread across 11 registrars topped by Dynu Systems, Inc.; Gandi SAS; GoDaddy.com LLC; and Namecheap, Inc., which accounted for three domains each. Domain.com LLC; GKG.net, Inc.; Grupo Loading Systems SL; Network Solutions LLC; Porkbun LLC; TLDS LLC; and Vitalwerks Internet Solutions LLC, meanwhile, accounted for one domain IoC each. Finally, two domain IoCs did not have registrars in their current WHOIS records.
  • Unfading Sea Haze did not discriminate in terms of domain age, using old and new alike. They were created between 2001 and 2024. Specifically, four domain IoCs were created in 2022; two each in 2001, 2003, 2016, and 2023; and one each in 2004, 2006, 2008, 2012, 2015, 2017, and 2024.

  • The U.S. topped the list of registrant countries, accounting for 13 of the domain IoCs. Iceland took the second spot with three domains. One domain IoC was registered in the U.K. Four domains, however, did not have registrant countries in their current WHOIS records.

A bulk IP geolocation lookup for the 13 IP addresses tagged as IoCs showed that:

  • The IP address IoCs originated from five countries led by Singapore and the U.S., which accounted for five IP addresses each. One IP address IoC each was geolocated in China, the Netherlands, and Turkey.
  • DigitalOcean led the pack of ISPs, accounting for eight of the IP address IoCs. One IP address was administered by China Telecom. Finally, four of the IoCs did not have ISPs in their A records.

This post only contains a snapshot of the full research. You can download the complete findings and a sample of the additional artifacts found on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

New TLDs

Sponsored byRadix