G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
Analyst context for executives and security teams
Leviathan matters because ATT&CK describes it as a long-running Chinese state-sponsored espionage group associated with targeting sectors where sensitive research, defense, maritime, aviation, healthcare, government, manufacturing, transportation, and similar data can affect strategic advantage and business continuity. For executives, the key issue is not just malware names: the relationship context highlights external service exploitation, credential capture and reuse, privilege escalation, lateral movement, and sensitive data exfiltration in an attributed campaign.
Executive priority
Prioritize this as a resilience and sensitive-data protection planning case if your organization operates in the listed sectors or geographies. Leaders should ask whether externally exposed services, credential stores, remote access paths, and data repositories have measurable control evidence. This object is also useful for board and audit conversations because it connects espionage risk to concrete validation areas: vulnerability management for exposed services, identity hardening, SOC visibility, incident response readiness, and evidence that credential theft and lateral movement can be detected and contained.
Technical view
ATT&CK provides no official detection text for this group, so defenders should validate coverage from the related techniques, campaign, and software relationships. Focus on credential access via OS Credential Dumping and LSASS Memory, lateral movement over RDP and SSH, use of web shells such as China Chopper, command-line administration utilities such as Net, at, and BITSAdmin, PowerShell/post-exploitation frameworks such as PowerSploit, Empire, and Cobalt Strike, and remote access/backdoor tooling including NanHaiShu, Orz, BADFLICK, Derusbi, gh0st RAT, BLACKCOFFEE, HOMEFRY, and MURKYTOP. The campaign relationship makes credential capture and reuse especially important to validate across Windows, Linux, macOS, and ESXi where those related techniques or tools list support.
Likely telemetry
- External-facing service logs, web server logs, and file integrity evidence for possible web shell placement or access patterns
- Identity and authentication logs for successful and failed logons, unusual credential reuse, RDP sessions, SSH sessions, and privilege changes
- Endpoint process creation and command-line telemetry for Net, at, BITSAdmin, PowerShell, and post-exploitation framework activity
- Windows security and EDR telemetry around LSASS access, credential dumping behavior, suspicious handles, memory access, or dump file creation
- Network, DNS, proxy, and firewall logs for remote access tooling, anonymization infrastructure such as Tor, and unusual outbound connections
Detection direction
- Because MITRE does not provide group-specific detection guidance, map detections to the related techniques and software rather than relying on the Leviathan name alone.
- Validate that credential dumping detections cover both generic OS credential access and Windows LSASS access, and tune for legitimate administrative or security-tool activity to reduce false positives.
- Correlate remote access logons over RDP and SSH with prior credential events, new administrative access, unusual source hosts, and lateral movement sequences.
- Hunt for living-off-the-land command usage involving Net, at, BITSAdmin, and PowerShell where execution context, parent process, destination, or timing is abnormal.
- For web shell risk, confirm that internet-facing application logs, server-side file writes, and web process child process execution are collected and reviewable.
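As an added illustration (not part of the ATT&CK object or the Glexia text), the following Python pass runs a handful of rules over constructed endpoint events, mapping the detection directions above to the technique IDs, tools and staging paths this page lists. The process image names, the Startup-folder path fragment and the sample events are assumptions, not telemetry from any real incident.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed image names; tune to the environment's actual web workers and shells.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Staging directories named on the page under T1074.001.
STAGING_DIRS = ("c:\\windows\\debug\\", "c:\\perflogs\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"   # assumed per-user Startup path fragment


@dataclass
class Event:
    """One constructed endpoint record: a process start or a file write."""
    kind: str           # "process" or "file"
    image: str          # image name of the acting process
    parent: str = ""    # parent image name (process events)
    cmdline: str = ""   # full command line (process events)
    path: str = ""      # file path written (file events)


def check(ev: Event) -> list[str]:
    """Return the technique-tagged findings that fire on one event."""
    hits: list[str] = []
    image, parent = ev.image.lower(), ev.parent.lower()
    cmd, path = ev.cmdline.lower(), ev.path.lower()
    if ev.kind == "process":
        # T1505.003: a web worker spawning an interactive shell is the classic web shell tell
        if parent in WEB_WORKERS and image in SHELLS:
            hits.append("T1505.003 web server process spawned a shell")
        # T1003.001: ProcDump against lsass, or WCE by name (name matching alone is
        # weak against renamed binaries; pair it with LSASS handle/access telemetry)
        if ("procdump" in image and "lsass" in cmd) or image == "wce.exe":
            hits.append("T1003.001 credential dumping tool against LSASS")
        # Net: admin-share mapping to a remote host, or account creation, from a shell
        if image in {"net.exe", "net1.exe"} and parent in SHELLS and (
                (" use " in cmd and "\\\\" in cmd) or "/add" in cmd):
            hits.append("Net admin share mapping or account creation")
        # T1197: BITSAdmin used to pull a file over the network
        if image == "bitsadmin.exe" and "/transfer" in cmd:
            hits.append("T1197 BITSAdmin transfer job")
        # at.exe scheduling launched from a shell is rare on current hosts
        if image == "at.exe" and parent in SHELLS:
            hits.append("at.exe task scheduling from a shell")
    else:
        # T1074.001: writes into the staging directories the page names
        if path.startswith(STAGING_DIRS):
            hits.append("T1074.001 write to known staging directory")
        # T1547.001 / T1547.009: script host dropping a shortcut into the Startup folder
        if STARTUP_DIR in path and path.endswith(".lnk") and image in SCRIPT_HOSTS:
            hits.append("T1547.001 script host created Startup folder shortcut")
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Run every rule over a batch; keys are the indexes of events with findings."""
    return {i: h for i, ev in enumerate(events) if (h := check(ev))}


# Constructed sample telemetry (not real logs): the first four should fire, the last two not.
SAMPLE = [
    Event("process", "cmd.exe", parent="w3wp.exe", cmdline="cmd.exe /c whoami"),
    Event("process", "procdump64.exe", parent="cmd.exe", cmdline="procdump64.exe -ma lsass.exe out.dmp"),
    Event("file", "powershell.exe", path="C:\\Windows\\Debug\\archive.rar"),
    Event("file", "wscript.exe", path="C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"),
    Event("process", "net.exe", parent="explorer.exe", cmdline="net view"),
    Event("file", "explorer.exe", path="C:\\Users\\a\\Documents\\notes.txt"),
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE).items():
        print(i, SAMPLE[i].image, findings)
```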
Mitigation priorities
- Start with externally exposed service governance: inventory, patch prioritization, secure configuration, and monitoring evidence for internet-facing systems.
- Harden identity paths next: least privilege, privileged account separation, MFA where applicable, credential hygiene, and controls that reduce credential reuse after compromise.
- Restrict and monitor administrative remote access such as RDP and SSH, including segmentation and logging sufficient for incident reconstruction.
- Reduce credential dumping opportunity through endpoint hardening, privileged access controls, and monitoring of LSASS and other credential stores.
- Constrain abuse of built-in tools and scripting through policy, allowlisting, script logging, and administrative workflow review where operationally feasible.
Analyst notes and limits
This take is based on ATT&CK group G0065, its aliases, official description, external references, and the supplied relationships. The most decision-useful relationship is the Leviathan Australian Intrusions campaign, which explicitly notes external service exploitation followed by credential capture and reuse, privilege escalation, lateral movement, and sensitive data exfiltration. The software relationships also indicate a mix of custom malware, public tools, remote access frameworks, web shells, credential tools, and built-in administrative utilities.
The ATT&CK object does not specify platforms or tactics directly and provides no official detection section. Platforms and tactics referenced here come from supplied related techniques and software, not from a group-level platform declaration. Local exposure, sector relevance, telemetry availability, and confirmed detection coverage must be validated in the organization’s own environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | Leviathan has conducted reconnaissance against target networks of interest looking for vulnerable, end-of-life, or no longer maintained devices against which to rapidly deploy exploits.(Citation: CISA Leviathan 2024) |
| Enterprise | T1102.003 | One-Way Communication Sub-technique | Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet.(Citation: FireEye Periscope March 2018) |
| Enterprise | T1047 | Windows Management Instrumentation | Leviathan has used WMI for execution.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1021.004 | SSH Sub-technique | Leviathan used SSH for internal reconnaissance.(Citation: FireEye APT40 March 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | Leviathan has downloaded additional scripts and files from adversary-controlled servers.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Leviathan has obfuscated code using base64.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1589.001 | Credentials Sub-technique | Leviathan has collected compromised credentials to use for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.(Citation: FireEye APT40 March 2019) |
| Enterprise | T1586.001 | Social Media Accounts Sub-technique | Leviathan has compromised social media accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1583.001 | Domains Sub-technique | Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
| Enterprise | T1585.002 | Email Accounts Sub-technique | Leviathan has created new email accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1189 | Drive-by Compromise | Leviathan has infected victims using watering holes.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | Leviathan has used WMI for persistence.(Citation: FireEye Periscope March 2018) |
| Enterprise | T1027.003 | Steganography Sub-technique | Leviathan has used steganography to hide stolen data inside other files stored on GitHub.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | Leviathan has created new social media accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Leviathan has used PowerShell for execution.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.(Citation: Accenture MUDCARP March 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1584.004 | Server Sub-technique | Leviathan has used compromised legitimate websites as command and control nodes for operations.(Citation: CISA Leviathan 2024) |
| Enterprise | T1203 | Exploitation for Client Execution | Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Leviathan has used VBScript.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1078 | Valid Accounts | Leviathan has obtained valid accounts to gain initial access.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)(Citation: CISA Leviathan 2024) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Leviathan has used stolen code signing certificates to sign malware.(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents.(Citation: Accenture MUDCARP March 2019) |
| Enterprise | T1587.004 | Exploits Sub-technique | Leviathan has rapidly transformed and adapted public exploit proof-of-concept code for new vulnerabilities and utilized them against target networks.(Citation: CISA Leviathan 2024) |
| Enterprise | T1197 | BITS Jobs | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Leviathan has sent spearphishing attachments attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | Leviathan has staged data remotely prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1534 | Internal Spearphishing | Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1190 | Exploit Public-Facing Application | Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks.(Citation: CISA Leviathan 2024) |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Leviathan has used regsvr32 for execution.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Leviathan has exfiltrated data over its C2 channel.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1505.003 | Web Shell Sub-technique | Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.(Citation: FireEye APT40 March 2019)(Citation: CISA AA21-200A APT40 July 2021)(Citation: CISA Leviathan 2024) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Leviathan has targeted RDP credentials and used them to move through the victim environment.(Citation: FireEye APT40 March 2019) |
| Enterprise | T1584.008 | Network Devices Sub-technique | Leviathan has used compromised networking devices, such as small office/home office (SOHO) devices, as operational command and control infrastructure.(Citation: CISA Leviathan 2024) |
| Enterprise | T1027.015 | Compression Sub-technique | Leviathan has obfuscated code using gzip compression.(Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1560 | Archive Collected Data | Leviathan has archived victims' data prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1572 | Protocol Tunneling | Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Leviathan has sent spearphishing email links attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1133 | External Remote Services | Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.(Citation: CISA AA21-200A APT40 July 2021) |
| Enterprise | T1003 | OS Credential Dumping | |
| Enterprise | T1586.002 | Email Accounts Sub-technique | Leviathan has compromised email accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021) |
Groups, software, and campaigns
S0005: Windows Credential Editor
Windows Credential Editor is a password dumping tool. [1]
S0190: BITSAdmin
S0232: HOMEFRY
S0021: Derusbi
S0110: at
S0069: BLACKCOFFEE
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [1] [2]
S0642: BADFLICK
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0032: gh0st RAT
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0233: MURKYTOP
C0049: Leviathan Australian Intrusions
Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.1 | | Current bundle | 18ed60da4f10… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA AA21-200A APT40 July 2021: CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
[2] Proofpoint Leviathan Oct 2017: Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
[3] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[4] CISA Leviathan 2024: CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
[5] APT40 (alias): FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)
[6] Accenture MUDCARP March 2019: Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
[7] BRONZE MOHAWK (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.)
[8] Crowdstrike KRYPTONITE PANDA August 2018: Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.
[9] FireEye APT40 March 2019: Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
[10] Gadolinium (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020)
[11] Gingham Typhoon (alias): (Citation: Microsoft Threat Actor Naming July 2023)
[12] Kryptonite Panda (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018)
[13] Leviathan (alias): (Citation: Proofpoint Leviathan Oct 2017)
[14] MSTIC GADOLINIUM September 2020: Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.
[15] MUDCARP (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)
[16] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[17] SecureWorks BRONZE MOHAWK n.d.: SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.
[18] TEMP.Jumper (alias): [Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019)
[19] TEMP.Periscope (alias): [Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)
[20] mitre-attack: G0065
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.