Skip to content

S0228 NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. 1 2

Item Value
ID S0228
Associated Names
Version 1.1
Created 18 April 2018
Last Modified 23 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS NanHaiShu uses DNS for the C2 communications.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic NanHaiShu executes additional VBScript code on the victim’s machine.2
enterprise T1059.007 JavaScript NanHaiShu executes additional Jscript code on the victim’s machine.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion NanHaiShu launches a script to delete their original decoy file to cover tracks.2
enterprise T1105 Ingress Tool Transfer NanHaiShu can download additional files from URLs.1
enterprise T1027 Obfuscated Files or Information NanHaiShu encodes files in Base64.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta NanHaiShu uses mshta.exe to load its program and files.2
enterprise T1082 System Information Discovery NanHaiShu can gather the victim computer name and serial number.1
enterprise T1016 System Network Configuration Discovery NanHaiShu can gather information about the victim proxy server.1
enterprise T1033 System Owner/User Discovery NanHaiShu collects the username from the victim.2

Groups That Use This Software

ID Name References
G0065 Leviathan 13