{
  "type": "Domain",
  "indicator": "bitdefenderupdate.org",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bitdefenderupdate.org",
    "alexa": "http://www.alexa.com/siteinfo/bitdefenderupdate.org",
    "indicator": "bitdefenderupdate.org",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3892213526,
      "indicator": "bitdefenderupdate.org",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "66504dff129ce00f1deb99cc",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolving tactics, malware arsenal, and ongoing persistence. The primary objective appears to be espionage, with a focus on data exfiltration and surveillance of military and government entities. Unfading Sea Haze employs a sophisticated array of custom malware tools, including variants of the Gh0st RAT family and techniques like DLL sideloading. Their recent shift towards modular, fileless payloads showcases their adaptability in evading detection.",
          "modified": "2024-06-23T08:02:27.495000",
          "created": "2024-05-24T08:21:19.199000",
          "tags": [
            "Unfading Sea Haze",
            "apt",
            "espionage",
            "SilentGh0st",
            "TranslucentGh0st",
            "SharpJSHandler"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea"
          ],
          "public": 1,
          "adversary": "Unfading Sea Haze",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SilentGh0st",
              "display_name": "SilentGh0st",
              "target": null
            },
            {
              "id": "TranslucentGh0st",
              "display_name": "TranslucentGh0st",
              "target": null
            },
            {
              "id": "SharpJSHandler",
              "display_name": "SharpJSHandler",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1197",
              "name": "BITS Jobs",
              "display_name": "T1197 - BITS Jobs"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 397,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 29
          },
          "indicator_count": 122,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386882,
          "modified_text": "709 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664f3945e3b3947603a86128",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "In a recent investigation by Bitdefender Labs, a series of cyberattacks targeting high-level organizations in South China Sea countries revealed a previously unknown threat actor. We've designated this group \"Unfading Sea Haze\" based on their persistence and focus on the region. The targets and nature of the attacks suggest alignment with Chinese interests.",
          "modified": "2024-06-22T12:00:51.743000",
          "created": "2024-05-23T12:40:37.874000",
          "tags": [
            "malware",
            "DustyExfilTool",
            ".NET"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
          ],
          "public": 1,
          "adversary": "Unfading Sea Haze",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SharpJSHandler",
              "display_name": "SharpJSHandler",
              "target": null
            },
            {
              "id": "TranslucentGh0st",
              "display_name": "TranslucentGh0st",
              "target": null
            },
            {
              "id": "SerialPktdoor",
              "display_name": "SerialPktdoor",
              "target": null
            },
            {
              "id": "Gh0st Army",
              "display_name": "Gh0st Army",
              "target": null
            },
            {
              "id": "SilentGh0st",
              "display_name": "SilentGh0st",
              "target": null
            },
            {
              "id": "EtherealGh0st",
              "display_name": "EtherealGh0st",
              "target": null
            },
            {
              "id": "xkeylog Keylogger",
              "display_name": "xkeylog Keylogger",
              "target": null
            },
            {
              "id": "SharpZulip",
              "display_name": "SharpZulip",
              "target": null
            },
            {
              "id": "Gh0st RAT",
              "display_name": "Gh0st RAT",
              "target": null
            },
            {
              "id": "InsidiousGh0st",
              "display_name": "InsidiousGh0st",
              "target": null
            },
            {
              "id": "FluffyGh0st",
              "display_name": "FluffyGh0st",
              "target": null
            },
            {
              "id": "Stubbedoor",
              "display_name": "Stubbedoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 354,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 29,
            "FileHash-MD5": 84
          },
          "indicator_count": 114,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386882,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "108 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "555 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "555 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "564 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdd1247c16c5855518c7",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. domains, URLs, IPs, and hashes",
          "modified": "2024-08-02T07:05:02.060000",
          "created": "2024-07-02T08:44:01.648000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 286,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2521,
            "domain": 8243,
            "email": 7,
            "hostname": 2893
          },
          "indicator_count": 13683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "669 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdc8052a11fe921381a0",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. domains, URLs, IPs, and hashes",
          "modified": "2024-08-01T08:02:48.060000",
          "created": "2024-07-02T08:43:52.203000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2409,
            "domain": 7836,
            "email": 7,
            "hostname": 2783
          },
          "indicator_count": 13054,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "670 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66540eb90d1eb9a937c3f714",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "",
          "modified": "2024-06-22T12:00:51.743000",
          "created": "2024-05-27T04:40:25.970000",
          "tags": [
            "malware",
            "DustyExfilTool",
            ".NET"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
          ],
          "public": 1,
          "adversary": "Unfading Sea Haze",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SharpJSHandler",
              "display_name": "SharpJSHandler",
              "target": null
            },
            {
              "id": "TranslucentGh0st",
              "display_name": "TranslucentGh0st",
              "target": null
            },
            {
              "id": "SerialPktdoor",
              "display_name": "SerialPktdoor",
              "target": null
            },
            {
              "id": "Gh0st Army",
              "display_name": "Gh0st Army",
              "target": null
            },
            {
              "id": "SilentGh0st",
              "display_name": "SilentGh0st",
              "target": null
            },
            {
              "id": "EtherealGh0st",
              "display_name": "EtherealGh0st",
              "target": null
            },
            {
              "id": "xkeylog Keylogger",
              "display_name": "xkeylog Keylogger",
              "target": null
            },
            {
              "id": "SharpZulip",
              "display_name": "SharpZulip",
              "target": null
            },
            {
              "id": "Gh0st RAT",
              "display_name": "Gh0st RAT",
              "target": null
            },
            {
              "id": "InsidiousGh0st",
              "display_name": "InsidiousGh0st",
              "target": null
            },
            {
              "id": "FluffyGh0st",
              "display_name": "FluffyGh0st",
              "target": null
            },
            {
              "id": "Stubbedoor",
              "display_name": "Stubbedoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "664f3945e3b3947603a86128",
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 29,
            "FileHash-MD5": 84
          },
          "indicator_count": 114,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6654371c5f1260f3e0954cd7",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "",
          "modified": "2024-06-22T12:00:51.743000",
          "created": "2024-05-27T07:32:44.988000",
          "tags": [
            "malware",
            "DustyExfilTool",
            ".NET"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
          ],
          "public": 1,
          "adversary": "Unfading Sea Haze",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SharpJSHandler",
              "display_name": "SharpJSHandler",
              "target": null
            },
            {
              "id": "TranslucentGh0st",
              "display_name": "TranslucentGh0st",
              "target": null
            },
            {
              "id": "SerialPktdoor",
              "display_name": "SerialPktdoor",
              "target": null
            },
            {
              "id": "Gh0st Army",
              "display_name": "Gh0st Army",
              "target": null
            },
            {
              "id": "SilentGh0st",
              "display_name": "SilentGh0st",
              "target": null
            },
            {
              "id": "EtherealGh0st",
              "display_name": "EtherealGh0st",
              "target": null
            },
            {
              "id": "xkeylog Keylogger",
              "display_name": "xkeylog Keylogger",
              "target": null
            },
            {
              "id": "SharpZulip",
              "display_name": "SharpZulip",
              "target": null
            },
            {
              "id": "Gh0st RAT",
              "display_name": "Gh0st RAT",
              "target": null
            },
            {
              "id": "InsidiousGh0st",
              "display_name": "InsidiousGh0st",
              "target": null
            },
            {
              "id": "FluffyGh0st",
              "display_name": "FluffyGh0st",
              "target": null
            },
            {
              "id": "Stubbedoor",
              "display_name": "Stubbedoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "664f3945e3b3947603a86128",
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 29,
            "FileHash-MD5": 84
          },
          "indicator_count": 114,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6656c5d148818cbdd02136d7",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "",
          "modified": "2024-06-22T12:00:51.743000",
          "created": "2024-05-29T06:06:09.983000",
          "tags": [
            "malware",
            "DustyExfilTool",
            ".NET"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
          ],
          "public": 1,
          "adversary": "Unfading Sea Haze",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SharpJSHandler",
              "display_name": "SharpJSHandler",
              "target": null
            },
            {
              "id": "TranslucentGh0st",
              "display_name": "TranslucentGh0st",
              "target": null
            },
            {
              "id": "SerialPktdoor",
              "display_name": "SerialPktdoor",
              "target": null
            },
            {
              "id": "Gh0st Army",
              "display_name": "Gh0st Army",
              "target": null
            },
            {
              "id": "SilentGh0st",
              "display_name": "SilentGh0st",
              "target": null
            },
            {
              "id": "EtherealGh0st",
              "display_name": "EtherealGh0st",
              "target": null
            },
            {
              "id": "xkeylog Keylogger",
              "display_name": "xkeylog Keylogger",
              "target": null
            },
            {
              "id": "SharpZulip",
              "display_name": "SharpZulip",
              "target": null
            },
            {
              "id": "Gh0st RAT",
              "display_name": "Gh0st RAT",
              "target": null
            },
            {
              "id": "InsidiousGh0st",
              "display_name": "InsidiousGh0st",
              "target": null
            },
            {
              "id": "FluffyGh0st",
              "display_name": "FluffyGh0st",
              "target": null
            },
            {
              "id": "Stubbedoor",
              "display_name": "Stubbedoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6654371c5f1260f3e0954cd7",
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 29,
            "FileHash-MD5": 84
          },
          "indicator_count": 114,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 280,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664f2ffd00615a251a66adf0",
          "name": "Researchers Warn of targeting high-level organizations",
          "description": "",
          "modified": "2024-06-22T11:05:52.451000",
          "created": "2024-05-23T12:01:01.848000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 83,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 30
          },
          "indicator_count": 122,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664f1fe2999877dd43df7c4d",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "",
          "modified": "2024-06-22T10:04:15.743000",
          "created": "2024-05-23T10:52:18.220000",
          "tags": [
            "user",
            "etherealgh0st",
            "ps2dllloader",
            "unfading sea",
            "insidiousgh0st",
            "sea haze",
            "msbuild",
            "sharpjshandler",
            "fluffygh0st",
            "gh0st rat",
            "haze",
            "powershell",
            "service",
            "beyond",
            "gh0st",
            "keylogger",
            "stealer",
            "explorer",
            "monitoring",
            "loader"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 85,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 4,
            "domain": 1,
            "hostname": 30
          },
          "indicator_count": 128,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664e22e4c455a7d6d286e16c",
          "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
          "description": "A previously unknown threat actor dubbed \"Unfading Sea Haze\" has been targeting military and government entities in the South China Sea region since 2018, remaining undetected all this time.\n\nBitdefender researchers who discovered the threat group report that its operations align with Chinese geo-political interests, focusing on intelligence collection and espionage.\n\nAs is typical for Chinese state-sponsored threat actors, \"Unfading Sea Haze\" demonstrates operational, TTP, and toolset overlaps with other activity clusters, most notably, APT41.",
          "modified": "2024-06-21T16:02:59.092000",
          "created": "2024-05-22T16:52:52.595000",
          "tags": [
            "user",
            "etherealgh0st",
            "ps2dllloader",
            "unfading sea",
            "insidiousgh0st",
            "sea haze",
            "msbuild",
            "sharpjshandler",
            "fluffygh0st",
            "gh0st rat",
            "haze",
            "powershell",
            "service",
            "beyond",
            "gh0st",
            "keylogger",
            "stealer",
            "explorer",
            "monitoring",
            "loader"
          ],
          "references": [
            "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "threatmanager",
            "id": "74623",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 85,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 4,
            "domain": 1,
            "hostname": 30
          },
          "indicator_count": 128,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 512,
          "modified_text": "710 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
        "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Unfading Sea Haze"
          ],
          "malware_families": [
            "Insidiousgh0st",
            "Fluffygh0st",
            "Gh0st rat",
            "Translucentgh0st",
            "Stubbedoor",
            "Sharpjshandler",
            "Serialpktdoor",
            "Silentgh0st",
            "Etherealgh0st",
            "Xkeylog keylogger",
            "Sharpzulip",
            "Gh0st army"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Unfading Sea Haze"
          ],
          "malware_families": [
            "Insidiousgh0st",
            "Fluffygh0st",
            "Gh0st rat",
            "Translucentgh0st",
            "Stubbedoor",
            "Sharpjshandler",
            "Serialpktdoor",
            "Silentgh0st",
            "Etherealgh0st",
            "Xkeylog keylogger",
            "Sharpzulip",
            "Gh0st army"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "66504dff129ce00f1deb99cc",
      "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
      "description": "An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolving tactics, malware arsenal, and ongoing persistence. The primary objective appears to be espionage, with a focus on data exfiltration and surveillance of military and government entities. Unfading Sea Haze employs a sophisticated array of custom malware tools, including variants of the Gh0st RAT family and techniques like DLL sideloading. Their recent shift towards modular, fileless payloads showcases their adaptability in evading detection.",
      "modified": "2024-06-23T08:02:27.495000",
      "created": "2024-05-24T08:21:19.199000",
      "tags": [
        "Unfading Sea Haze",
        "apt",
        "espionage",
        "SilentGh0st",
        "TranslucentGh0st",
        "SharpJSHandler"
      ],
      "references": [
        "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea"
      ],
      "public": 1,
      "adversary": "Unfading Sea Haze",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SilentGh0st",
          "display_name": "SilentGh0st",
          "target": null
        },
        {
          "id": "TranslucentGh0st",
          "display_name": "TranslucentGh0st",
          "target": null
        },
        {
          "id": "SharpJSHandler",
          "display_name": "SharpJSHandler",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1197",
          "name": "BITS Jobs",
          "display_name": "T1197 - BITS Jobs"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 397,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 1,
        "hostname": 29
      },
      "indicator_count": 122,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386882,
      "modified_text": "709 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "664f3945e3b3947603a86128",
      "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
      "description": "In a recent investigation by Bitdefender Labs, a series of cyberattacks targeting high-level organizations in South China Sea countries revealed a previously unknown threat actor. We've designated this group \"Unfading Sea Haze\" based on their persistence and focus on the region. The targets and nature of the attacks suggest alignment with Chinese interests.",
      "modified": "2024-06-22T12:00:51.743000",
      "created": "2024-05-23T12:40:37.874000",
      "tags": [
        "malware",
        "DustyExfilTool",
        ".NET"
      ],
      "references": [
        "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
      ],
      "public": 1,
      "adversary": "Unfading Sea Haze",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SharpJSHandler",
          "display_name": "SharpJSHandler",
          "target": null
        },
        {
          "id": "TranslucentGh0st",
          "display_name": "TranslucentGh0st",
          "target": null
        },
        {
          "id": "SerialPktdoor",
          "display_name": "SerialPktdoor",
          "target": null
        },
        {
          "id": "Gh0st Army",
          "display_name": "Gh0st Army",
          "target": null
        },
        {
          "id": "SilentGh0st",
          "display_name": "SilentGh0st",
          "target": null
        },
        {
          "id": "EtherealGh0st",
          "display_name": "EtherealGh0st",
          "target": null
        },
        {
          "id": "xkeylog Keylogger",
          "display_name": "xkeylog Keylogger",
          "target": null
        },
        {
          "id": "SharpZulip",
          "display_name": "SharpZulip",
          "target": null
        },
        {
          "id": "Gh0st RAT",
          "display_name": "Gh0st RAT",
          "target": null
        },
        {
          "id": "InsidiousGh0st",
          "display_name": "InsidiousGh0st",
          "target": null
        },
        {
          "id": "FluffyGh0st",
          "display_name": "FluffyGh0st",
          "target": null
        },
        {
          "id": "Stubbedoor",
          "display_name": "Stubbedoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 354,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "hostname": 29,
        "FileHash-MD5": 84
      },
      "indicator_count": 114,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386882,
      "modified_text": "710 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "108 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "555 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f7224d433f384b935c8",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:22.551000",
      "created": "2024-11-24T03:37:22.551000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "555 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f94e03014212e19fa5a77",
      "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
      "description": "By Helaly",
      "modified": "2024-11-15T10:01:11.688000",
      "created": "2024-10-16T10:26:40.893000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 39659,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 80,
      "modified_text": "564 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6683bdd1247c16c5855518c7",
      "name": "Domain-URL-IP-Hash-IOC",
      "description": "Updated collection of malicious, malware, phishing, etc. domains, URLs, IPs, and hashes",
      "modified": "2024-08-02T07:05:02.060000",
      "created": "2024-07-02T08:44:01.648000",
      "tags": [
        "word"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 286,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 2521,
        "domain": 8243,
        "email": 7,
        "hostname": 2893
      },
      "indicator_count": 13683,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "669 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6683bdc8052a11fe921381a0",
      "name": "Domain-URL-IP-Hash-IOC",
      "description": "Updated collection of malicious, malware, phishing, etc. domains, URLs, IPs and hashes",
      "modified": "2024-08-01T08:02:48.060000",
      "created": "2024-07-02T08:43:52.203000",
      "tags": [
        "word"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 2409,
        "domain": 7836,
        "email": 7,
        "hostname": 2783
      },
      "indicator_count": 13054,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "670 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66540eb90d1eb9a937c3f714",
      "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
      "description": "",
      "modified": "2024-06-22T12:00:51.743000",
      "created": "2024-05-27T04:40:25.970000",
      "tags": [
        "malware",
        "DustyExfilTool",
        ".NET"
      ],
      "references": [
        "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
      ],
      "public": 1,
      "adversary": "Unfading Sea Haze",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SharpJSHandler",
          "display_name": "SharpJSHandler",
          "target": null
        },
        {
          "id": "TranslucentGh0st",
          "display_name": "TranslucentGh0st",
          "target": null
        },
        {
          "id": "SerialPktdoor",
          "display_name": "SerialPktdoor",
          "target": null
        },
        {
          "id": "Gh0st Army",
          "display_name": "Gh0st Army",
          "target": null
        },
        {
          "id": "SilentGh0st",
          "display_name": "SilentGh0st",
          "target": null
        },
        {
          "id": "EtherealGh0st",
          "display_name": "EtherealGh0st",
          "target": null
        },
        {
          "id": "xkeylog Keylogger",
          "display_name": "xkeylog Keylogger",
          "target": null
        },
        {
          "id": "SharpZulip",
          "display_name": "SharpZulip",
          "target": null
        },
        {
          "id": "Gh0st RAT",
          "display_name": "Gh0st RAT",
          "target": null
        },
        {
          "id": "InsidiousGh0st",
          "display_name": "InsidiousGh0st",
          "target": null
        },
        {
          "id": "FluffyGh0st",
          "display_name": "FluffyGh0st",
          "target": null
        },
        {
          "id": "Stubbedoor",
          "display_name": "Stubbedoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "664f3945e3b3947603a86128",
      "export_count": 30,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "hostname": 29,
        "FileHash-MD5": 84
      },
      "indicator_count": 114,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 188,
      "modified_text": "710 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6654371c5f1260f3e0954cd7",
      "name": "Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea",
      "description": "",
      "modified": "2024-06-22T12:00:51.743000",
      "created": "2024-05-27T07:32:44.988000",
      "tags": [
        "malware",
        "DustyExfilTool",
        ".NET"
      ],
      "references": [
        "https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/"
      ],
      "public": 1,
      "adversary": "Unfading Sea Haze",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SharpJSHandler",
          "display_name": "SharpJSHandler",
          "target": null
        },
        {
          "id": "TranslucentGh0st",
          "display_name": "TranslucentGh0st",
          "target": null
        },
        {
          "id": "SerialPktdoor",
          "display_name": "SerialPktdoor",
          "target": null
        },
        {
          "id": "Gh0st Army",
          "display_name": "Gh0st Army",
          "target": null
        },
        {
          "id": "SilentGh0st",
          "display_name": "SilentGh0st",
          "target": null
        },
        {
          "id": "EtherealGh0st",
          "display_name": "EtherealGh0st",
          "target": null
        },
        {
          "id": "xkeylog Keylogger",
          "display_name": "xkeylog Keylogger",
          "target": null
        },
        {
          "id": "SharpZulip",
          "display_name": "SharpZulip",
          "target": null
        },
        {
          "id": "Gh0st RAT",
          "display_name": "Gh0st RAT",
          "target": null
        },
        {
          "id": "InsidiousGh0st",
          "display_name": "InsidiousGh0st",
          "target": null
        },
        {
          "id": "FluffyGh0st",
          "display_name": "FluffyGh0st",
          "target": null
        },
        {
          "id": "Stubbedoor",
          "display_name": "Stubbedoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "664f3945e3b3947603a86128",
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "hostname": 29,
        "FileHash-MD5": 84
      },
      "indicator_count": 114,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 188,
      "modified_text": "710 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "bitdefenderupdate.org",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bitdefenderupdate.org",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780406601.2227619
}