A previously unidentified Chinese-speaking threat actor known as SneakyChef has been implicated in an espionage campaign targeting government organizations across Asia and EMEA (Europe, Middle East, and Africa) using SugarGh0st malware since at least August 2023.

According to analysis published by Cisco Talos researchers Chetan Raghuprasad and Ashley Shen, SneakyChef employs bait in the form of scanned documents from government agencies, primarily related to Ministries of Foreign Affairs and embassies of various countries.

The cybersecurity company first brought attention to activities linked to this hacking group in late November 2023, initially identifying attacks targeting South Korea and Uzbekistan using a customized version of Gh0st RAT named SugarGh0st.

A subsequent analysis from Proofpoint revealed the use of SugarGh0st RAT against U.S. entities involved in artificial intelligence, spanning academia, private industry, and government sectors. This cluster is monitored under the name UNK_SweetSpecter.

Notably, SneakyChef corresponds to the campaign named Operation Diplomatic Specter by Palo Alto Networks Unit 42. According to the security firm, this campaign has been active since at least late 2022, targeting government entities in the Middle East, Africa, and Asia.

Talos has observed that the same malware is now apparently targeting various government entities in Angola, India, Latvia, Saudi Arabia, and Turkmenistan, based on the types of lure documents used in spear-phishing campaigns, indicating an expansion in the geographical scope of the campaign.