24 June 2024

China-linked SneakyChef espionage group targets government agencies with SugarGh0st malware

Cisco’s Talos threat intelligence team has documented an ongoing cyber espionage campaign run by a newly identified threat actor it tracks as “SneakyChef,” which uses the SugarGh0st malware. The campaign, active since at least August 2023, initially targeted South Korea and Uzbekistan and has since expanded to countries across Europe, the Middle East and Africa (EMEA), and Asia.

As the initial vector for its infection chains, SneakyChef uses lures in the form of scanned documents purporting to come from government agencies, predominantly ministries of foreign affairs or embassies.

Cisco Talos disclosed two primary infection chains in November 2023; its latest analysis adds a third, which uses self-extracting (SFX) RAR archives to deliver SugarGh0st.

The language and methods used in the SFX samples suggest that the operators are Chinese-speaking. This is corroborated by the group’s use of variants of Gh0st RAT, a malware family long associated with Chinese-speaking threat actors, and by the choice of targets, which includes several foreign ministries and other government entities.

In August 2023, Talos first observed the deployment of SugarGh0st targeting users in Uzbekistan and South Korea. As the campaign evolved, the targets expanded.

Based on the contents of the decoy documents, the researchers believe the targets include Angola’s ministries of foreign affairs, of fisheries and marine resources, and of agriculture and forestry; the ministries of foreign affairs of Turkmenistan, Kazakhstan, India, and Latvia; and the embassy of the Kingdom of Saudi Arabia in Abu Dhabi.

Besides the attack chains that use Windows Shortcut (LNK) files inside RAR archives, the new wave of attacks adds an SFX RAR archive as an initial infection vector. When the victim runs it, the SFX archive drops and launches a Visual Basic Script (VBS) that executes the malware through a loader while displaying a decoy document.

Talos also found a second Remote Access Trojan (RAT), named “SpiceRAT,” in the same campaigns. SpiceRAT uses two distinct infection chains, one of which delivers an LNK file inside a RAR archive and loads the malware through DLL side-loading.
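Both delivery methods described above, the SFX RAR stub and the LNK-in-RAR archive, share one property that is cheap to check at a mail gateway or during triage: the RAR container is identifiable by a fixed signature, and unless the archive was built with encrypted headers (`-hp`) the names of the files it carries sit in clear text in its headers. The following is an added example written for this page, not code from Cisco Talos or from the campaign itself. It flags a PE file that carries a RAR archive after its stub (the SFX case), distinguishes that from a plain RAR, and lists script, shortcut, DLL, executable and document names found in the archive region. The sample blobs are constructed here to exercise the checks (the "PE" is only an MZ/PE header skeleton and the archive body is filler around fake file names, not real RAR header layout); the file names in them are invented.

```python
import re
import struct

# Magic bytes of the two RAR container formats (format constants, not from the article).
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# Extensions worth surfacing: the script, shortcut and side-loaded DLL types the
# campaign description mentions, plus common decoy document types.
NAME_RE = re.compile(rb"[\w\-]{1,64}\.(?:vbs|lnk|dll|exe|docx?|pdf|xlsx?)(?!\w)", re.IGNORECASE)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_rar_signature(data: bytes):
    """Return (offset, version) of the earliest RAR signature in data, or None."""
    hits = []
    for sig, version in ((RAR4_SIG, 4), (RAR5_SIG, 5)):
        off = data.find(sig)
        if off != -1:
            hits.append((off, version))
    return min(hits) if hits else None


def classify(data: bytes) -> dict:
    """Label a blob as a plain RAR, an SFX RAR (PE stub followed by an archive), a RAR
    embedded in something else, or none of those, and list clear-text file names
    found from the archive start onwards."""
    pe = is_pe(data)
    hit = find_rar_signature(data)
    result = {"is_pe": pe, "kind": "none", "rar_offset": None, "rar_version": None, "names": []}
    if hit is None:
        return result
    off, ver = hit
    result.update(rar_offset=off, rar_version=ver)
    if off == 0:
        result["kind"] = "rar"
    elif pe:
        result["kind"] = "sfx_rar"
    else:
        result["kind"] = "embedded_rar"
    # File names in RAR headers are clear text unless the archive was created with
    # encrypted headers (-hp), so a string scan over the archive region surfaces them.
    result["names"] = sorted({m.group(0).decode("latin-1") for m in NAME_RE.finditer(data[off:])})
    return result


def _fake_pe_stub() -> bytes:
    """Constructed stand-in for an SFX stub: MZ header, e_lfanew -> 'PE\\0\\0', filler.
    Not an executable; just enough structure for is_pe()."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40 bytes, e_lfanew field lives at 0x3C
    struct.pack_into("<I", stub, 0x3C, 0x40)       # point e_lfanew at offset 0x40
    stub += b"PE\x00\x00" + b"\x00" * 0x3C         # IMAGE_NT_HEADERS placeholder
    return bytes(stub)


def _fake_rar5_body(names) -> bytes:
    """Constructed archive region: RAR5 signature then filler with clear-text names.
    The real RAR header layout is deliberately not reproduced."""
    return RAR5_SIG + b"\x00" * 8 + b"\x00\x00\x00\x00".join(names)


# Constructed samples (file names are invented, not indicators from the campaign).
SAMPLE_SFX = _fake_pe_stub() + _fake_rar5_body([b"launcher.vbs", b"decoy_ministry.docx", b"loader.dll"])
SAMPLE_PLAIN_RAR = _fake_rar5_body([b"scanned_letter.lnk", b"updater.exe", b"version.dll"])
SAMPLE_CLEAN_PE = _fake_pe_stub()


if __name__ == "__main__":
    for label, blob in (("sfx", SAMPLE_SFX), ("plain rar", SAMPLE_PLAIN_RAR), ("clean pe", SAMPLE_CLEAN_PE)):
        print(f"{label:10s} {classify(blob)}")
```

The name scan is a triage heuristic rather than a RAR parser: it will not see names in archives built with `-hp`, and a very short or unusually named file can slip past the regular expression, so treat a hit on `sfx_rar` or on a `.lnk`/`.vbs` name as a reason to detonate or unpack the sample, not as a verdict.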

Separately, Proofpoint researchers reported a SugarGh0st campaign targeting a US organization involved in artificial intelligence, with ties to academia, the private technology sector, and government services.
