Skip to content

G0065 Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company.6 Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.6375

Item Value
ID G0065
Associated Names MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Version 4.1
Created 18 April 2018
Last Modified 03 February 2025
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
MUDCARP 61
Kryptonite Panda 62
Gadolinium 64
BRONZE MOHAWK 610
TEMP.Jumper Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.69
APT40 FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.6379
TEMP.Periscope Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.679
Gingham Typhoon 8

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. 61
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning Leviathan has conducted reconnaissance against target networks of interest looking for vulnerable, end-of-life, or no longer maintainted devices against which to rapidly deploy exploits.5
enterprise T1560 Archive Collected Data Leviathan has archived victim’s data prior to exfiltration.6
enterprise T1197 BITS Jobs Leviathan has used BITSAdmin to download additional tools.7
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.37
enterprise T1547.009 Shortcut Modification Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.37
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Leviathan has used PowerShell for execution.3761
enterprise T1059.005 Visual Basic Leviathan has used VBScript.3
enterprise T1586 Compromise Accounts -
enterprise T1586.001 Social Media Accounts Leviathan has compromised social media accounts to conduct social engineering attacks.6
enterprise T1586.002 Email Accounts Leviathan has compromised email accounts to conduct social engineering attacks.6
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server Leviathan has used compromised legitimate websites as command and control nodes for operations.5
enterprise T1584.008 Network Devices Leviathan has used compromised networking devices, such as small office/home office (SOHO) devices, as operational command and control infrastructure.5
enterprise T1213 Data from Information Repositories -
enterprise T1213.006 Databases Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.5
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.76
enterprise T1074.002 Remote Data Staging Leviathan has staged data remotely prior to exfiltration.6
enterprise T1140 Deobfuscate/Decode Files or Information Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.3
enterprise T1587 Develop Capabilities -
enterprise T1587.004 Exploits Leviathan has rapidly transformed and adapted public exploit proof-of-concept code for new vulnerabilities and utilized them against target networks.5
enterprise T1482 Domain Trust Discovery Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions.5
enterprise T1189 Drive-by Compromise Leviathan has infected victims using watering holes.6
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Leviathan has created new social media accounts for targeting efforts.6
enterprise T1585.002 Email Accounts Leviathan has created new email accounts for targeting efforts.6
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription Leviathan has used WMI for persistence.7
enterprise T1041 Exfiltration Over C2 Channel Leviathan has exfiltrated data over its C2 channel.6
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.37
enterprise T1190 Exploit Public-Facing Application Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks.5
enterprise T1203 Exploitation for Client Execution Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.3761
enterprise T1212 Exploitation for Credential Access Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials.5
enterprise T1068 Exploitation for Privilege Escalation Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions.5
enterprise T1133 External Remote Services Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.6
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.001 Credentials Leviathan has collected compromised credentials to use for targeting efforts.6
enterprise T1615 Group Policy Discovery Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions.5
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Leviathan modified system firewalls to add two open listening ports on 9998 and 9999 during Leviathan Australian Intrusions.5
enterprise T1105 Ingress Tool Transfer Leviathan has downloaded additional scripts and files from adversary-controlled servers.37
enterprise T1056 Input Capture Leviathan captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions.5
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents. 1
enterprise T1534 Internal Spearphishing Leviathan has conducted internal spearphishing within the victim’s environment for lateral movement.6
enterprise T1111 Multi-Factor Authentication Interception Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions.5
enterprise T1135 Network Share Discovery Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions.5
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.3
enterprise T1027.003 Steganography Leviathan has used steganography to hide stolen data inside other files stored on Github.6
enterprise T1027.013 Encrypted/Encoded File Leviathan has obfuscated code using base64.3
enterprise T1027.015 Compression Leviathan has obfuscated code using gzip compression.3
enterprise T1588 Obtain Capabilities -
enterprise T1588.006 Vulnerabilities Leviathan weaponized publicly-known vulnerabilities for initial access and other purposes during Leviathan Australian Intrusions.5
enterprise T1003 OS Credential Dumping Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.9
enterprise T1003.001 LSASS Memory Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.9
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.36
enterprise T1566.002 Spearphishing Link Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.36
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.1
enterprise T1572 Protocol Tunneling Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.6
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.6
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Leviathan has targeted RDP credentials and used it to move through the victim environment.9
enterprise T1021.002 SMB/Windows Admin Shares Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.5
enterprise T1021.004 SSH Leviathan used ssh for internal reconnaissance.9
enterprise T1018 Remote System Discovery Leviathan performed extensive remote host enumeration to build their own map of victim networks during Leviathan Australian Intrusions.5
enterprise T1594 Search Victim-Owned Websites Leviathan enumerated compromised web application resources to identify additional endpoints and resources linkd to the website for follow-on access during Leviathan Australian Intrusions.5
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Leviathan relies on web shells for an initial foothold as well as persistence into the victim’s systems.965
enterprise T1528 Steal Application Access Token Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs), used for creating virtual desktop sessions, during Leviathan Australian Intrusions.5
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting Leviathan used Kerberoasting techniques during Leviathan Australian Intrusions.5
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Leviathan has used stolen code signing certificates to sign malware.79
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Leviathan has used regsvr32 for execution.3
enterprise T1082 System Information Discovery Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions.5
enterprise T1552 Unsecured Credentials Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions.5
enterprise T1552.001 Credentials In Files Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions.5
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Leviathan has sent spearphishing email links attempting to get a user to click.36
enterprise T1204.002 Malicious File Leviathan has sent spearphishing attachments attempting to get a user to click.36
enterprise T1078 Valid Accounts Leviathan has obtained valid accounts to gain initial access.615
enterprise T1078.002 Domain Accounts Leviathan compromised domain credentials during Leviathan Australian Intrusions.5
enterprise T1078.003 Local Accounts Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions.5
enterprise T1102 Web Service -
enterprise T1102.003 One-Way Communication Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.7
enterprise T1047 Windows Management Instrumentation Leviathan has used WMI for execution.3

Software

ID Name References Techniques
S0110 at 9 At:Scheduled Task/Job
S0642 BADFLICK 71 Archive via Library:Archive Collected Data Data from Local System Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Spearphishing Attachment:Phishing System Information Discovery System Network Configuration Discovery Malicious File:User Execution Time Based Checks:Virtualization/Sandbox Evasion
S0190 BITSAdmin 7 BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0069 BLACKCOFFEE 7 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Multi-Stage Channels Process Discovery Dead Drop Resolver:Web Service Bidirectional Communication:Web Service
S0020 China Chopper 761 Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S0154 Cobalt Strike 376 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0021 Derusbi 76 Audio Capture Unix Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery Timestomp:Indicator Removal File Deletion:Indicator Removal Keylogging:Input Capture Non-Application Layer Protocol Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Screen Capture Regsvr32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery Video Capture
S0363 Empire 6 Bypass User Account Control:Abuse Elevation Control Mechanism SID-History Injection:Access Token Manipulation Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Local Account:Create Account Domain Account:Create Account Windows Service:Create or Modify System Process Keychain:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain or Tenant Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow DLL:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0032 gh0st RAT 6 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fast Flux DNS:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Encrypted Channel DLL:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Process Discovery Process Injection Query Registry Screen Capture Shared Modules Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services
S0232 HOMEFRY 7 Windows Command Shell:Command and Scripting Interpreter Encrypted/Encoded File:Obfuscated Files or Information OS Credential Dumping
S0233 MURKYTOP 76 Local Account:Account Discovery Windows Command Shell:Command and Scripting Interpreter File Deletion:Indicator Removal Network Service Discovery Network Share Discovery Permission Groups Discovery Remote System Discovery At:Scheduled Task/Job System Information Discovery
S0228 NanHaiShu 36 DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Encrypted/Encoded File:Obfuscated Files or Information Mshta:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0039 Net 9 Domain Account:Account Discovery Local Account:Account Discovery Additional Local or Domain Groups:Account Manipulation Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0229 Orz 361 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery Indicator Removal Ingress Tool Transfer Modify Registry Obfuscated Files or Information Process Discovery Process Hollowing:Process Injection Software Discovery Regsvr32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery Bidirectional Communication:Web Service
S0194 PowerSploit 6 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0183 Tor 6 Asymmetric Cryptography:Encrypted Channel Multi-hop Proxy:Proxy
S0005 Windows Credential Editor 9 LSASS Memory:OS Credential Dumping

References

  1. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  2. Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021. 

  3. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  4. Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021. 

  5. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025. 

  6. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  7. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  8. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  9. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. 

  10. SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.