1. Home
  2. Groups
  3. Leviathan

Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

ID: G0065
Associated Groups: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 4.1
Created: 18 April 2018
Last Modified: 03 February 2025
Version Permalink

Associated Group Descriptions

Name Description
MUDCARP

[1][5]
Kryptonite Panda

[1][6]
Gadolinium

[1][7]
BRONZE MOHAWK

[1][8]
TEMP.Jumper

Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][9]
APT40

FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[1][2][3][9]
TEMP.Periscope

Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][3][9]
Gingham Typhoon

[10]

Campaigns

ID Name First Seen Last Seen References Techniques
C0049 Leviathan Australian Intrusions April 2022 [4] September 2022 [4]

Leviathan Australian Intrusions was conducted by the Leviathan threat actor.[4]

 Data from Information Repositories, Data Staged: Local Data Staging, Domain Trust Discovery, Exfiltration Over C2 Channel, Exploit Public-Facing Application, Exploitation for Credential Access, Exploitation for Privilege Escalation, Group Policy Discovery, Impair Defenses: Disable or Modify System Firewall, Input Capture, Multi-Factor Authentication Interception, Network Share Discovery, Obtain Capabilities: Vulnerabilities, Remote Services: SMB/Windows Admin Shares, Remote Services: SSH, Remote System Discovery, Search Victim-Owned Websites, Server Software Component: Web Shell, Steal Application Access Token, Steal or Forge Kerberos Tickets: Kerberoasting, System Information Discovery, Unsecured Credentials, Unsecured Credentials: Credentials In Files, Valid Accounts: Domain Accounts, Valid Accounts, Valid Accounts: Local Accounts
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. [1][5]
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Leviathan has conducted reconnaissance against target networks of interest looking for vulnerable, end-of-life, or no longer maintainted devices against which to rapidly deploy exploits.[4]
Enterprise T1560 Archive Collected Data

Leviathan has archived victim's data prior to exfiltration.[1]
Enterprise T1197 BITS Jobs

Leviathan has used BITSAdmin to download additional tools.[3]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]
.009 Boot or Logon Autostart Execution: Shortcut Modification

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Leviathan has used PowerShell for execution.[2][3][1][5]
.005 Command and Scripting Interpreter: Visual Basic

Leviathan has used VBScript.[2]
Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Leviathan has compromised social media accounts to conduct social engineering attacks.[1]
.002 Compromise Accounts: Email Accounts

Leviathan has compromised email accounts to conduct social engineering attacks.[1]
Enterprise T1584 .004 Compromise Infrastructure: Server

Leviathan has used compromised legitimate websites as command and control nodes for operations.[4]
.008 Compromise Infrastructure: Network Devices

Leviathan has used compromised networking devices, such as small office/home office (SOHO) devices, as operational command and control infrastructure.[4]
Enterprise T1213 Data from Information Repositories

Leviathan gathered information from SQL servers and Building Management System (BMS) servers during Leviathan Australian Intrusions.[4]
Enterprise T1074 .001 Data Staged: Local Data Staging

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[3][1]

Leviathan stored captured credential material on local log files on victim systems during Leviathan Australian Intrusions.[4]
.002 Data Staged: Remote Data Staging

Leviathan has staged data remotely prior to exfiltration.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[2]
Enterprise T1587 .004 Develop Capabilities: Exploits

Leviathan has rapidly transformed and adapted public exploit proof-of-concept code for new vulnerabilities and utilized them against target networks.[4]
Enterprise T1482 Domain Trust Discovery

Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[4]
Enterprise T1189 Drive-by Compromise

Leviathan has infected victims using watering holes.[1]
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Leviathan has created new social media accounts for targeting efforts.[1]
.002 Establish Accounts: Email Accounts

Leviathan has created new email accounts for targeting efforts.[1]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Leviathan has used WMI for persistence.[3]
Enterprise T1041 Exfiltration Over C2 Channel

Leviathan has exfiltrated data over its C2 channel.[1]

Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions.[4]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2][3]
Enterprise T1190 Exploit Public-Facing Application

Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks.[4]

Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions.[4]
Enterprise T1203 Exploitation for Client Execution

Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[2][3][1][5]
Enterprise T1212 Exploitation for Credential Access

Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials.[4]
Enterprise T1068 Exploitation for Privilege Escalation

Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions.[4]
Enterprise T1133 External Remote Services

Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[1]
Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Leviathan has collected compromised credentials to use for targeting efforts.[1]
Enterprise T1615 Group Policy Discovery

Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[4]
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Leviathan modified system firewalls to add two open listening ports on 9998 and 9999 during Leviathan Australian Intrusions.[4]
Enterprise T1105 Ingress Tool Transfer

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[2][3]
Enterprise T1056 Input Capture

Leviathan captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions.[4]
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents. [5]
Enterprise T1534 Internal Spearphishing

Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[1]
Enterprise T1111 Multi-Factor Authentication Interception

Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions.[4]
Enterprise T1135 Network Share Discovery

Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions.[4]
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[2]
.003 Obfuscated Files or Information: Steganography

Leviathan has used steganography to hide stolen data inside other files stored on Github.[1]
.013 Obfuscated Files or Information: Encrypted/Encoded File

Leviathan has obfuscated code using base64.[2]
.015 Obfuscated Files or Information: Compression

Leviathan has obfuscated code using gzip compression.[2]
Enterprise T1588 .006 Obtain Capabilities: Vulnerabilities

Leviathan weaponized publicly-known vulnerabilities for initial access and other purposes during Leviathan Australian Intrusions.[4]
Enterprise T1003 OS Credential Dumping

Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[9]
.001 LSASS Memory

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[9]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[2][1]
.002 Phishing: Spearphishing Link

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[2][1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[5]
Enterprise T1572 Protocol Tunneling

Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[1]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[1]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Leviathan has targeted RDP credentials and used it to move through the victim environment.[9]

.002 Remote Services: SMB/Windows Admin Shares

Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.[4]
.004 Remote Services: SSH

Leviathan used ssh for internal reconnaissance.[9]

Leviathan used SSH brute force techniques to move laterally within victim environments during Leviathan Australian Intrusions.[4]
Enterprise T1018 Remote System Discovery

Leviathan performed extensive remote host enumeration to build their own map of victim networks during Leviathan Australian Intrusions.[4]
Enterprise T1594 Search Victim-Owned Websites

Leviathan enumerated compromised web application resources to identify additional endpoints and resources linkd to the website for follow-on access during Leviathan Australian Intrusions.[4]
Enterprise T1505 .003 Server Software Component: Web Shell

Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.[9][1][4]

Leviathan relied extensively on web shell use following initial access for persistence and command execution purposes in victim environments during Leviathan Australian Intrusions.[4]
Enterprise T1528 Steal Application Access Token

Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs), used for creating virtual desktop sessions, during Leviathan Australian Intrusions.[4]
Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Leviathan used Kerberoasting techniques during Leviathan Australian Intrusions.[4]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Leviathan has used stolen code signing certificates to sign malware.[3][9]
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Leviathan has used regsvr32 for execution.[2]
Enterprise T1082 System Information Discovery

Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions.[4]
Enterprise T1552 Unsecured Credentials

Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions.[4]
.001 Credentials In Files

Leviathan gathered credentials stored in files related to Building Management System (BMS) operations during Leviathan Australian Intrusions.[4]
Enterprise T1204 .001 User Execution: Malicious Link

Leviathan has sent spearphishing email links attempting to get a user to click.[2][1]
.002 User Execution: Malicious File

Leviathan has sent spearphishing attachments attempting to get a user to click.[2][1]
Enterprise T1078 Valid Accounts

Leviathan has obtained valid accounts to gain initial access.[1][5][4]

Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions.[4]
.002 Domain Accounts

Leviathan compromised domain credentials during Leviathan Australian Intrusions.[4]
.003 Local Accounts

Leviathan used captured local account information, such as service accounts, for actions during Leviathan Australian Intrusions.[4]
Enterprise T1102 .003 Web Service: One-Way Communication

Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[3]
Enterprise T1047 Windows Management Instrumentation

Leviathan has used WMI for execution.[2]

Software

ID Name References Techniques
S0110 at [9] Scheduled Task/Job: At
S0642 BADFLICK [3][5] Archive Collected Data: Archive via Library, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion
S0190 BITSAdmin [3] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [3] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0020 China Chopper [3][1][5] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [2][3][1] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0021 Derusbi [3][1] Audio Capture, Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0232 HOMEFRY [3] Command and Scripting Interpreter: Windows Command Shell, Obfuscated Files or Information: Encrypted/Encoded File, OS Credential Dumping
S0233 MURKYTOP [3][1] Account Discovery: Local Account, Command and Scripting Interpreter: Windows Command Shell, Indicator Removal: File Deletion, Network Service Discovery, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, Scheduled Task/Job: At, System Information Discovery
S0228 NanHaiShu [2][1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [9] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0229 Orz [2][1][5] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0183 Tor [1] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0005 Windows Credential Editor [9] OS Credential Dumping: LSASS Memory

References

  1. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  2. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  5. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  1. Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.
  2. Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.
  3. SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.
  4. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  5. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.