Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

ID: G0065
Associated Groups: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 4.1
Created: 18 April 2018
Last Modified: 03 February 2025

Associated Group Descriptions

Name: Description
MUDCARP: [1][5]
Kryptonite Panda: [1][6]
Gadolinium: [1][7]
BRONZE MOHAWK: [1][8]
TEMP.Jumper: Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][9]
APT40: FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[1][2][3][9]
TEMP.Periscope: Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][3][9]
Gingham Typhoon: [10]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.[1][5]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Leviathan has conducted reconnaissance against target networks of interest looking for vulnerable, end-of-life, or no longer maintained devices against which to rapidly deploy exploits.[4]

Enterprise T1560 Archive Collected Data

Leviathan has archived victim's data prior to exfiltration.[1]

Enterprise T1197 BITS Jobs

Leviathan has used BITSAdmin to download additional tools.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Leviathan has used PowerShell for execution.[2][3][1][5]

.005 Command and Scripting Interpreter: Visual Basic

Leviathan has used VBScript.[2]

Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Leviathan has compromised social media accounts to conduct social engineering attacks.[1]

.002 Compromise Accounts: Email Accounts

Leviathan has compromised email accounts to conduct social engineering attacks.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

Leviathan has used compromised legitimate websites as command and control nodes for operations.[4]

.008 Compromise Infrastructure: Network Devices

Leviathan has used compromised networking devices, such as small office/home office (SOHO) devices, as operational command and control infrastructure.[4]

Enterprise T1213 Data from Information Repositories

Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[3][1]

Leviathan stored captured credential material on local log files on victim systems during Leviathan Australian Intrusions.[4]
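The two host artifacts described above, the script-host-created Startup shortcut (T1547.001/.009) and archives dropped into C:\Windows\Debug or C:\PerfLogs (T1074.001), both show up as file-creation events. The following hunt is an added example written for this page, not code from MITRE or the cited reports: it runs two rules over Sysmon Event ID 11 (FileCreate) records. The events, the list of script hosts and the archive extensions are constructed assumptions for the example.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Script hosts and LOLBins that have no legitimate reason to write Startup shortcuts (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "regsvr32.exe", "rundll32.exe"}
ARCHIVE_EXT = {".rar", ".zip", ".7z", ".cab", ".gz", ".tar"}

# Per-user and all-users Startup folders both end in \Start Menu\Programs\Startup\.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Staging directories named on the page; drive letter and letter case are not assumed.
STAGING_DIR = re.compile(r"^[A-Z]:\\(?:Windows\\Debug|PerfLogs)\\", re.IGNORECASE)


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single Sysmon FileCreate record matches."""
    image = ntpath.basename(rec["Image"]).lower()
    target = rec["TargetFilename"]
    ext = ntpath.splitext(target)[1].lower()
    hits: List[str] = []
    # T1547.001 / T1547.009: a script host dropping a shortcut into a Startup folder.
    if image in SCRIPT_HOSTS and STARTUP_LNK.search(target):
        hits.append("startup_lnk_from_script_host")
    # T1074.001: an archive appearing in C:\Windows\Debug or C:\PerfLogs.
    if STAGING_DIR.match(target) and ext in ARCHIVE_EXT:
        hits.append("archive_in_staging_dir")
    return hits


def hunt(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every record through classify() and flatten the matches into findings."""
    findings = []
    for rec in records:
        for rule in classify(rec):
            findings.append({"rule": rule, "user": rec.get("User", ""),
                             "image": rec["Image"], "target": rec["TargetFilename"]})
    return findings


# Constructed sample events, not real telemetry. Field names follow Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "User": "CORP\\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"Image": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
    {"Image": r"C:\Windows\Temp\rar.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": r"C:\Windows\Debug\1.rar"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": r"C:\Windows\Debug\WIA\wiatrace.log"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": "CORP\\svc-bms",
     "TargetFilename": r"C:\PerfLogs\bms_export.zip"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']} {f['image']} -> {f['target']}")
```

The Startup rule keys on the creating process rather than on the folder alone, because users and installers legitimately write shortcuts there (the explorer.exe record is deliberately not flagged). The staging rule is only a first pass: follow it up by checking whether the archive was created by a user who had no business on that host, and whether a network connection from the same process follows.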

.002 Data Staged: Remote Data Staging

Leviathan has staged data remotely prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[2]

Enterprise T1587 .004 Develop Capabilities: Exploits

Leviathan has rapidly transformed and adapted public exploit proof-of-concept code for new vulnerabilities and utilized them against target networks.[4]

Enterprise T1482 Domain Trust Discovery

Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[4]

Enterprise T1189 Drive-by Compromise

Leviathan has infected victims using watering holes.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Leviathan has created new social media accounts for targeting efforts.[1]

.002 Establish Accounts: Email Accounts

Leviathan has created new email accounts for targeting efforts.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Leviathan has used WMI for persistence.[3]
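On Windows 10 and later, each new permanent WMI subscription binding is recorded as Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log, with the __EventFilter and consumer instances dumped into the message body. The following triage parser is an added example for this page, not code from MITRE or the cited reports: it pulls the filter query and the consumer payload out of a 5861 message and scores the binding. Both sample messages are constructed to mirror the 5861 layout; the scoring weights and the list of suspicious interpreters are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Consumer classes that execute arbitrary commands or scripts when the filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Interpreters and LOLBins typically found in a malicious CommandLineTemplate (assumed list).
SUSPICIOUS_CMD = re.compile(
    r"\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil)(?:\.exe)?\b", re.I)

# The first line of a 5861 message names the namespace, the filter and the consumer binding.
HEADER = re.compile(
    r'Namespace = (?P<ns>[^;]+); Eventfilter = (?P<filt>.+?) \(refer to.*?'
    r'Consumer = (?P<ctype>\w+)="(?P<cname>[^"]+)"', re.S)
QUERY = re.compile(r'Query = "(?P<q>[^"]*)"')
PAYLOAD = re.compile(r'(?:CommandLineTemplate|ScriptText) = "(?P<p>[^"]*)"')


@dataclass
class Binding:
    namespace: str
    filter_name: str
    consumer_type: str
    consumer_name: str
    query: Optional[str]
    payload: Optional[str]

    def score(self) -> int:
        """Crude triage score: 0 is an inert binding, 5 is a textbook WMI backdoor."""
        s = 0
        if self.consumer_type in EXECUTING_CONSUMERS:
            s += 2
        if self.payload and SUSPICIOUS_CMD.search(self.payload):
            s += 2
        # Instance-change triggers (uptime, timers) are the usual way to fire shortly after boot.
        if self.query and re.search(r"__Instance(?:Modification|Creation)Event", self.query, re.I):
            s += 1
        return s


def parse_5861(message: str) -> Optional[Binding]:
    h = HEADER.search(message)
    if not h:
        return None
    q, p = QUERY.search(message), PAYLOAD.search(message)
    return Binding(h["ns"].strip(), h["filt"], h["ctype"], h["cname"],
                   q["q"] if q else None, p["p"] if p else None)


def triage(messages: List[str], min_score: int = 3) -> List[dict]:
    out = []
    for msg in messages:
        b = parse_5861(msg)
        if b and b.score() >= min_score:
            out.append({"filter": b.filter_name, "consumer": f"{b.consumer_type}={b.consumer_name}",
                        "score": b.score(), "payload": b.payload})
    return out


# Constructed sample messages in the shape of Event ID 5861 (not real log data).
MALICIOUS_5861 = '''Namespace = //./root/subscription; Eventfilter = UpdateFilter (refer to its activate eventid:5859); Consumer = CommandLineEventConsumer="UpdateConsumer"; PossibleCause = Binding EventFilter:
instance of __EventFilter
{
    Name = "UpdateFilter";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240";
    QueryLanguage = "WQL";
};
Perm. Consumer:
instance of CommandLineEventConsumer
{
    CommandLineTemplate = "powershell.exe -nop -w hidden -enc SQBFAFgA";
    Name = "UpdateConsumer";
};'''

# The SCM Event Log binding ships with Windows and is the usual benign entry in root\subscription.
BENIGN_5861 = '''Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter:
instance of __EventFilter
{
    Name = "SCM Event Log Filter";
    Query = "select * from MSFT_SCMEventLogEvent";
    QueryLanguage = "WQL";
};
Perm. Consumer:
instance of NTEventLogEventConsumer
{
    Name = "SCM Event Log Consumer";
};'''

if __name__ == "__main__":
    for hit in triage([BENIGN_5861, MALICIOUS_5861]):
        print(hit)
```

When no 5861 events are available (older hosts, or the log was cleared), the same three objects can be enumerated live with `Get-WmiObject -Namespace root\subscription -Class __EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding`, and the scoring above applies unchanged to what comes back.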

Enterprise T1041 Exfiltration Over C2 Channel

Leviathan has exfiltrated data over its C2 channel.[1]

Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions.[4]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2][3]

Enterprise T1190 Exploit Public-Facing Application

Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks.[4]

Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions.[4]

Enterprise T1203 Exploitation for Client Execution

Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[2][3][1][5]

Enterprise T1212 Exploitation for Credential Access

Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials.[4]

Enterprise T1068 Exploitation for Privilege Escalation

Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions.[4]

Enterprise T1133 External Remote Services

Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[1]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Leviathan has collected compromised credentials to use for targeting efforts.[1]

Enterprise T1615 Group Policy Discovery

Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[4]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Leviathan modified system firewalls to add two open listening ports on 9998 and 9999 during Leviathan Australian Intrusions.[4]
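A firewall change like the one above is easy to surface by diffing the host's inbound allow rules against a known baseline. The following checker is an added example for this page, not code from MITRE or the cited reports: it parses the output of `netsh advfirewall firewall show rule name=all` and reports every enabled inbound allow rule that is not in the baseline, tagging rules that expose 9998 or 9999. The `netsh` text, the baseline set and the rule names are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Listener ports the page attributes to the Australian intrusions.
LEVIATHAN_PORTS = {9998, 9999}

# Inbound allow rules this (constructed) workstation baseline expects; anything else is reported.
BASELINE_INBOUND_RULES = {
    "Remote Desktop - User Mode (TCP-In)",
    "Core Networking - IPv6 (IPv6-In)",
}

# netsh prints "Key:<spaces>Value" lines; dashed separators and blank lines carry no data.
KV = re.compile(r"^(?P<k>[A-Za-z][A-Za-z ]*?):\s+(?P<v>.*?)\s*$")


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Turn `netsh advfirewall firewall show rule name=all` output into one dict per rule."""
    rules: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = KV.match(line.strip())
        if not m:
            continue
        key, value = m["k"], m["v"]
        if key == "Rule Name":          # every rule block starts with its name
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules


def expand_ports(spec: str) -> Set[int]:
    """'9998,9999' -> {9998, 9999}; '5000-5002' -> {5000, 5001, 5002}; 'Any'/'RPC' -> set()."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if re.fullmatch(r"\d+", part):
            ports.add(int(part))
        elif re.fullmatch(r"\d+-\d+", part):
            lo, hi = map(int, part.split("-"))
            ports.update(range(lo, hi + 1))
    return ports


def unexpected_inbound_allows(rules: List[Dict[str, str]],
                              baseline: Set[str] = BASELINE_INBOUND_RULES) -> List[dict]:
    findings = []
    for r in rules:
        if r.get("Enabled") != "Yes" or r.get("Direction") != "In" or r.get("Action") != "Allow":
            continue
        if r.get("Rule Name") in baseline:
            continue
        ports = expand_ports(r.get("LocalPort", "Any"))
        tags = ["unexpected-inbound-allow"]
        if ports & LEVIATHAN_PORTS:
            tags.append("leviathan-listener-port")
        if not ports:
            tags.append("all-ports")
        findings.append({"name": r["Rule Name"], "protocol": r.get("Protocol", ""),
                         "ports": sorted(ports) or ["Any"], "tags": tags})
    return findings


# Constructed netsh output (not captured from a real host).
SAMPLE_NETSH = """
Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Microsoft Update Service
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            9998,9999
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow

Rule Name:                            Block legacy SMB
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            139
Action:                               Block
"""

if __name__ == "__main__":
    for f in unexpected_inbound_allows(parse_netsh_rules(SAMPLE_NETSH)):
        print(f)
```

A rule named after a Microsoft component is exactly what an intruder picks, so the check deliberately keys on the baseline membership rather than on how plausible the name looks. Pair the rule diff with a listener check (`netstat -ano` or `Get-NetTCPConnection -State Listen`) so that a port opened in the firewall but with nothing bound to it, or a listener with no rule, both stand out.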

Enterprise T1105 Ingress Tool Transfer

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[2][3]

Enterprise T1056 Input Capture

Leviathan captured submitted multifactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions.[4]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents.[5]

Enterprise T1534 Internal Spearphishing

Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[1]

Enterprise T1111 Multi-Factor Authentication Interception

Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions.[4]

Enterprise T1135 Network Share Discovery

Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions.[4]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[2]

.003 Obfuscated Files or Information: Steganography

Leviathan has used steganography to hide stolen data inside other files stored on Github.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Leviathan has obfuscated code using base64.[2]

.015 Obfuscated Files or Information: Compression

Leviathan has obfuscated code using gzip compression.[2]
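The three T1027 entries above (garbage characters inserted into the code, base64 encoding, gzip compression) describe layers that an analyst has to peel in reverse. The following decoder is an added example for this page, not Leviathan's packer or code from the cited reports: `obfuscate()` is a constructed stand-in that builds a blob with those three layers so the example runs offline, and `deobfuscate()` is the analyst-side routine that strips the junk, repairs base64 padding and decompresses, peeling layers in whatever order they were applied. The sample script, the junk alphabet and the 30% junk rate are assumptions for the example.

```python
import base64
import binascii
import gzip
import random
import re
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"
NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")
# Characters outside the base64 alphabet, used as the injected junk (constructed choice).
JUNK = "!@#$%^&*()[]{}<>?;:~`|\\ \t\n"


def obfuscate(script: str, seed: int = 7) -> bytes:
    """Constructed stand-in for the layering on the page: gzip, base64, then junk characters
    sprinkled between the base64 characters. Not the real packer."""
    rng = random.Random(seed)
    b64 = base64.b64encode(gzip.compress(script.encode(), mtime=0)).decode()
    out = []
    for ch in b64:
        out.append(ch)
        if rng.random() < 0.3:
            out.append(rng.choice(JUNK))
    return "".join(out).encode()


def looks_like_text(data: bytes) -> bool:
    """True when the bytes are valid UTF-8 made only of printable characters and line breaks."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def peel_base64(data: bytes) -> Optional[bytes]:
    """Drop anything outside the base64 alphabet, repair the padding, decode."""
    cleaned = NOT_B64.sub(b"", data)
    cleaned += b"=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned)
    except (binascii.Error, ValueError):
        return None


def deobfuscate(blob: bytes, max_layers: int = 8) -> bytes:
    """Peel gzip and junk-laden base64 layers until the next candidate layer no longer
    yields a known layer (gzip magic) or readable text; what is left is the script."""
    data = blob
    for _ in range(max_layers):
        if data.startswith(GZIP_MAGIC):
            data = gzip.decompress(data)
            continue
        decoded = peel_base64(data)
        if decoded and (decoded.startswith(GZIP_MAGIC) or looks_like_text(decoded)):
            data = decoded
            continue
        break   # stripping junk from real script text and decoding it yields garbage, so stop
    return data


# Constructed sample payload (one line of JScript), not an actual Leviathan script.
SAMPLE_SCRIPT = 'new ActiveXObject("WScript.Shell").Run("cmd /c whoami", 0);'

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_SCRIPT)
    print(blob[:60], "...")
    print(deobfuscate(blob).decode())
```

The stop condition is the part worth keeping: a naive loop that keeps base64-decoding as long as the decode does not raise will happily turn the recovered script into garbage, because `base64.b64decode` in its default non-strict mode silently discards characters outside the alphabet. Checking that the output is either another known layer or readable text is what makes the loop terminate on the real payload.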

Enterprise T1588 .006 Obtain Capabilities: Vulnerabilities

Leviathan weaponized publicly-known vulnerabilities for initial access and other purposes during Leviathan Australian Intrusions.[4]

Enterprise T1003 OS Credential Dumping

Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[9]

.001 LSASS Memory

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[9]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[2][1]

.002 Phishing: Spearphishing Link

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[2][1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[5]

Enterprise T1572 Protocol Tunneling

Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Leviathan has targeted RDP credentials and used them to move through the victim environment.[9]

.002 Remote Services: SMB/Windows Admin Shares

Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.[4]

.004 Remote Services: SSH

Leviathan used SSH for internal reconnaissance.[9]

Leviathan used SSH brute force techniques to move laterally within victim environments during Leviathan Australian Intrusions.[4]
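SSH password guessing against internal hosts leaves a dense run of `Failed password` lines in the target's auth log, and the line that matters most is the `Accepted` that follows the burst from the same source. The following detector is an added example for this page, not code from MITRE or the cited reports: it parses syslog-style sshd lines, keeps a sliding window of failures per source address, and flags a success that lands while that source is still inside its burst. The log lines, hostnames, addresses and the 5-failures-in-60-seconds threshold are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Matches the sshd "Accepted"/"Failed" lines of a syslog-style auth.log.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+")


def parse_ts(ts: str) -> datetime:
    # syslog timestamps carry no year; strptime's default (1900) is fine for relative windows.
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def detect_ssh_bruteforce(lines: Iterable[str], threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Alert on sources with >= threshold failures inside `window`, and record any login
    that succeeds from such a source while its failure burst is still within the window."""
    recent = defaultdict(deque)          # src -> failure timestamps still inside the window
    failed_total = Counter()
    users_tried = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # other sshd chatter: disconnects, key offers, ...
        ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            failed_total[src] += 1
            users_tried[src].add(user)
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after_burst": None})
                a["failures"] = failed_total[src]
                a["users"] = set(users_tried[src])
        elif src in alerts and q:
            # A success while failures are still inside the window: one of the guesses landed.
            alerts[src]["success_after_burst"] = f"{user} via {m['method']} at {ts:%H:%M:%S}"
    return alerts


# Constructed auth.log excerpt (hostnames, addresses and users are invented).
SAMPLE_LOG = """\
Mar  3 10:15:01 bms-gw sshd[2231]: Failed password for root from 10.20.30.7 port 51122 ssh2
Mar  3 10:15:03 bms-gw sshd[2233]: Failed password for invalid user admin from 10.20.30.7 port 51124 ssh2
Mar  3 10:15:06 bms-gw sshd[2235]: Failed password for root from 10.20.30.7 port 51126 ssh2
Mar  3 10:15:08 bms-gw sshd[2237]: Failed password for invalid user bms from 10.20.30.7 port 51128 ssh2
Mar  3 10:15:11 bms-gw sshd[2239]: Failed password for operator from 10.20.30.7 port 51130 ssh2
Mar  3 10:15:12 bms-gw sshd[2239]: Connection closed by authenticating user operator 10.20.30.7 port 51130 [preauth]
Mar  3 10:15:14 bms-gw sshd[2241]: Failed password for root from 10.20.30.7 port 51132 ssh2
Mar  3 10:15:40 bms-gw sshd[2290]: Accepted password for bmsadmin from 10.20.30.7 port 51190 ssh2
Mar  3 10:20:00 bms-gw sshd[2301]: Failed password for alice from 10.20.30.9 port 40000 ssh2
Mar  3 10:20:05 bms-gw sshd[2303]: Accepted publickey for alice from 10.20.30.9 port 40002 ssh2: ED25519 SHA256:AAAA
""".splitlines()

if __name__ == "__main__":
    for src, a in detect_ssh_bruteforce(SAMPLE_LOG).items():
        print(src, a)
```

Internally the source address is itself a compromised host, so the alert is a lateral-movement signal rather than an Internet-noise one: the `users` set (root, service and operator accounts on a BMS gateway in the sample) tells you what the intruder was after, and `success_after_burst` is the credential to rotate first.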

Enterprise T1018 Remote System Discovery

Leviathan performed extensive remote host enumeration to build their own map of victim networks during Leviathan Australian Intrusions.[4]

Enterprise T1594 Search Victim-Owned Websites

Leviathan enumerated compromised web application resources to identify additional endpoints and resources linked to the website for follow-on access during Leviathan Australian Intrusions.[4]

Enterprise T1505 .003 Server Software Component: Web Shell

Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.[9][1][4]

Leviathan relied extensively on web shell use following initial access for persistence and command execution purposes in victim environments during Leviathan Australian Intrusions.[4]

Enterprise T1528 Steal Application Access Token

Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs), used for creating virtual desktop sessions, during Leviathan Australian Intrusions.[4]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Leviathan used Kerberoasting techniques during Leviathan Australian Intrusions.[4]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Leviathan has used stolen code signing certificates to sign malware.[3][9]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Leviathan has used regsvr32 for execution.[2]

Enterprise T1082 System Information Discovery

Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions.[4]

Enterprise T1552 Unsecured Credentials

Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions.[4]

.001 Credentials In Files

Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions.[4]

Enterprise T1204 .001 User Execution: Malicious Link

Leviathan has sent spearphishing email links attempting to get a user to click.[2][1]

.002 User Execution: Malicious File

Leviathan has sent spearphishing attachments attempting to get a user to click.[2][1]

Enterprise T1078 Valid Accounts

Leviathan has obtained valid accounts to gain initial access.[1][5][4]

Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions.[4]

.002 Domain Accounts

Leviathan compromised domain credentials during Leviathan Australian Intrusions.[4]

.003 Local Accounts

Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions.[4]

Enterprise T1102 .003 Web Service: One-Way Communication

Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[3]

Enterprise T1047 Windows Management Instrumentation

Leviathan has used WMI for execution.[2]

Software

ID Name References Techniques
S0110 at [9] Scheduled Task/Job: At
S0642 BADFLICK [3][5] Archive Collected Data: Archive via Library, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion
S0190 BITSAdmin [3] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [3] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0020 China Chopper [3][1][5] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [2][3][1] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0021 Derusbi [3][1] Audio Capture, Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0232 HOMEFRY [3] Command and Scripting Interpreter: Windows Command Shell, Obfuscated Files or Information: Encrypted/Encoded File, OS Credential Dumping
S0233 MURKYTOP [3][1] Account Discovery: Local Account, Command and Scripting Interpreter: Windows Command Shell, Indicator Removal: File Deletion, Network Service Discovery, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, Scheduled Task/Job: At, System Information Discovery
S0228 NanHaiShu [2][1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [9] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0229 Orz [2][1][5] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0183 Tor [1] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0005 Windows Credential Editor [9] OS Credential Dumping: LSASS Memory

References