S0228: NanHaiShu
Analyst context for executives and security teams
NanHaiShu matters because ATT&CK describes it as a Windows remote access tool and JScript backdoor, associated through ATT&CK relationships with Leviathan and with behaviors that support execution, persistence, discovery, command-and-control, stealth, and defense impairment. For leaders, the practical issue is not the malware name alone; it is whether the organization can see script-based execution, mshta abuse, Run Key persistence, DNS-based command-and-control, tool transfer, and host discovery quickly enough to support containment decisions.
Executive priority
Prioritize this as a readiness and visibility question for Windows endpoints and network egress, especially for organizations where government, maritime, defense, or South China Sea-related exposure is business-relevant based on ATT&CK’s description. Executives should ask whether SOC and IR teams have evidence for script interpreter activity, DNS anomalies, registry persistence, file deletion, and security-tool tampering, and whether that evidence is retained and usable for incident response and compliance reporting.
Technical view
ATT&CK provides no official detection text for NanHaiShu, so coverage should be validated from the related techniques: JavaScript/JScript and Visual Basic execution, mshta proxy execution, Registry Run Keys/Startup Folder persistence, system/network/user discovery, encrypted or encoded files, file deletion, DNS command-and-control, ingress tool transfer, and disabling or modifying tools. Because the malware object is listed for Windows, SOC teams should focus validation on Windows process, command-line, registry, file, DNS, and security-agent health telemetry while treating cross-platform technique metadata as context rather than proof of local exposure.
Likely telemetry
- Windows process creation and command-line telemetry for script interpreters, mshta.exe, and related child processes
- Windows registry monitoring for Run Keys and Startup Folder persistence locations
- File creation, modification, encoding/obfuscation indicators, tool download/transfer evidence, and file deletion events
- DNS query and response logs, including endpoint-to-domain relationships and unusual DNS usage patterns
- Host discovery evidence such as system, user, and network configuration enumeration
Detection direction
- Do not rely on a NanHaiShu signature alone; validate behavior-based detections across the ATT&CK relationships because official detection guidance is not provided.
- Tune detections for mshta and script execution with attention to administrative false positives, software deployment activity, and legitimate legacy scripts.
- Correlate discovery commands, script execution, persistence changes, DNS traffic, and file deletion into intrusion chains rather than treating each event as isolated low-severity noise.
- Validate DNS monitoring depth, since DNS command-and-control can blend with normal traffic and may be missed if only perimeter allow/deny data is retained.
- Check whether security-tool impairment alerts are collected and escalated; loss of EDR, logging, or sensor visibility should be treated as a detection condition, not just an IT health issue.
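The correlation direction above (script execution, persistence, discovery, DNS and file deletion joined into one intrusion chain rather than five low-severity events) can be prototyped against normalised telemetry. The following is an added example, not code from ATT&CK, MITRE or Glexia; it assumes endpoint and DNS events have already been flattened into the dict fields used below, the technique-to-stage mapping follows the table on this page, and the thresholds (20-character, high-entropy subdomains; three such queries before DNS counts as a stage; three stages inside one hour) are assumptions to tune locally. The sample events are constructed.

```python
"""Correlate Windows endpoint and DNS telemetry into NanHaiShu-style intrusion chains.

Added example (not MITRE or Glexia code). Assumes events are dicts with the keys
used in sample_events(); thresholds below are assumptions for local tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
DISCOVERY_TOOLS = {"whoami.exe", "hostname.exe", "systeminfo.exe", "ipconfig.exe"}
DECOY_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")
DNS_MIN_HITS = 3  # assumed: suspicious-looking queries per host before DNS counts as a stage


def shannon_entropy(text):
    """Bits per character; long, high-entropy labels suggest encoded data carried in DNS."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(event):
    """Map one normalised event to a stage label (related ATT&CK technique noted), or None."""
    kind = event["type"]
    if kind == "process":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if image in SCRIPT_HOSTS:
            return "script_execution"       # T1218.005, T1059.005, T1059.007
        if image in DISCOVERY_TOOLS:
            return "discovery"              # T1016, T1033, T1082
    elif kind == "registry" and "\\currentversion\\run" in event["key"].lower():
        return "run_key_persistence"        # T1547.001
    elif kind == "file_delete" and event["path"].lower().endswith(DECOY_EXTENSIONS):
        return "decoy_deletion"             # T1070.004
    elif kind == "dns":
        subdomain = ".".join(event["query"].lower().split(".")[:-2])
        if len(subdomain) >= 20 and shannon_entropy(subdomain) > 3.5:
            return "dns_c2_candidate"       # T1071.004
    return None


def build_chains(events, window=timedelta(hours=1), min_stages=3):
    """Return {host: sorted stages} for hosts showing >= min_stages distinct stages in one window."""
    hits = defaultdict(list)          # host -> [(timestamp, stage)]
    dns_hits = defaultdict(int)
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = classify(event)
        if stage is None:
            continue
        if stage == "dns_c2_candidate":
            dns_hits[event["host"]] += 1
            if dns_hits[event["host"]] != DNS_MIN_HITS:  # record the DNS stage once, at the threshold
                continue
        hits[event["host"]].append((event["ts"], stage))
    chains = {}
    for host, stamped in hits.items():
        best = set()
        for i, (start, _) in enumerate(stamped):      # sliding window anchored on each hit
            stages = {s for ts, s in stamped[i:] if ts - start <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            chains[host] = sorted(best)
    return chains


def sample_events():
    """Constructed telemetry (not real logs): one suspicious-looking host and one benign host."""
    def t(minute):
        return datetime(2024, 1, 1, 9, minute)
    ws01 = [
        {"host": "WS01", "ts": t(0), "type": "process", "image": "C:\\Windows\\System32\\mshta.exe"},
        {"host": "WS01", "ts": t(1), "type": "process", "image": "C:\\Windows\\System32\\wscript.exe"},
        {"host": "WS01", "ts": t(2), "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
        {"host": "WS01", "ts": t(3), "type": "process", "image": "C:\\Windows\\System32\\whoami.exe"},
        {"host": "WS01", "ts": t(4), "type": "file_delete", "path": "C:\\Users\\u\\Downloads\\invoice.docx"},
        {"host": "WS01", "ts": t(5), "type": "dns", "query": "0123456789abcdef01234567.c2-example.test"},
        {"host": "WS01", "ts": t(6), "type": "dns", "query": "89abcdef0123456789abcdef.c2-example.test"},
        {"host": "WS01", "ts": t(7), "type": "dns", "query": "fedcba9876543210fedcba98.c2-example.test"},
    ]
    ws02 = [  # a logon script and ordinary DNS: one stage only, no chain
        {"host": "WS02", "ts": t(0), "type": "process", "image": "C:\\Windows\\System32\\wscript.exe"},
        {"host": "WS02", "ts": t(1), "type": "dns", "query": "www.example.test"},
    ]
    return ws01 + ws02


if __name__ == "__main__":
    print(build_chains(sample_events()))
```

The benign host shows why single-stage alerts on script hosts are noisy: WS02 runs wscript.exe too, but without persistence, discovery, deletion or odd DNS it never reaches the chain threshold, while WS01 reaches all five stages within the window.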
Mitigation priorities
- Reduce unnecessary use of Windows script execution paths and mshta where business processes do not require them.
- Harden and monitor Registry Run Keys and Startup Folder locations, with change control for legitimate software that uses them.
- Enforce controlled egress and DNS logging so suspicious command-and-control patterns can be investigated.
- Maintain endpoint and logging-agent tamper protection, health monitoring, and alerting so defense impairment is visible.
- Prepare IR playbooks that preserve process, registry, file, DNS, and endpoint-health evidence before cleanup, because related behaviors include file deletion and obfuscation.
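The Run Key and Startup Folder hardening point above implies a baseline under change control and a periodic comparison against it. The following is an added example, not code from ATT&CK, MITRE or Glexia; it assumes the Run-key values and Startup-folder file names have already been collected from the host (for instance by an EDR or configuration-management agent) and that an approved baseline is maintained elsewhere. All sample values are constructed.

```python
"""Audit observed autostart entries against an approved baseline.

Added example (not MITRE or Glexia code). Assumes Run-key values and Startup-folder
file names were collected by existing tooling; severities are assumptions.
"""
import re

# Commands that hand control to a script host get the highest severity when unapproved
SCRIPT_LAUNCHERS = re.compile(r"\b(mshta|wscript|cscript|powershell)(\.exe)?\b", re.IGNORECASE)
SCRIPT_SUFFIXES = (".js", ".jse", ".vbs", ".vbe", ".hta", ".wsf")


def audit_autostarts(run_entries, startup_files, baseline):
    """Compare observed autostarts with the approved baseline.

    run_entries:   {value_name: command}  read from HKLM/HKCU ...\\CurrentVersion\\Run
    startup_files: [file names]           listed in the Startup folder
    baseline:      {value_name: command}  entries approved under change control
    Returns a list of (severity, location, detail) findings.
    """
    findings = []
    for name, cmd in run_entries.items():
        approved = baseline.get(name)
        if approved is None:
            script_backed = SCRIPT_LAUNCHERS.search(cmd) or cmd.lower().endswith(SCRIPT_SUFFIXES)
            findings.append(("high" if script_backed else "medium", f"Run\\{name}", f"not in baseline: {cmd}"))
        elif approved.lower() != cmd.lower():
            findings.append(("high", f"Run\\{name}", f"command changed: {approved} -> {cmd}"))
    for fname in startup_files:
        if fname.lower().endswith(SCRIPT_SUFFIXES):
            findings.append(("high", f"Startup\\{fname}", "script file in Startup folder"))
    for name in baseline:
        if name not in run_entries:  # a vanished entry can mean tool tampering, not only an uninstall
            findings.append(("low", f"Run\\{name}", "baseline entry missing"))
    return findings


def sample_audit():
    """Constructed host state and baseline (not from a real system)."""
    baseline = {
        "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
        "OneDrive": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
        "VPNClient": "C:\\Program Files\\ExampleVPN\\vpn.exe /tray",
    }
    run_entries = {
        "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
        "OneDrive": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
        "Updater": "mshta.exe C:\\Users\\Public\\update.hta",   # constructed unapproved entry
    }
    startup_files = ["desktop.ini", "sync.js"]
    return audit_autostarts(run_entries, startup_files, baseline)


if __name__ == "__main__":
    for severity, location, detail in sample_audit():
        print(f"[{severity}] {location}: {detail}")
```

Feeding this from a scheduled collection job and routing "high" findings to the SOC gives change control a detection side: approved software keeps its baseline entry, while an unapproved script-backed autostart or a vanished security-agent entry surfaces as an alert rather than as drift.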
Analyst notes and limits
The ATT&CK object identifies NanHaiShu as a Windows remote access tool and JScript backdoor used by Leviathan, with cited Proofpoint and F-Secure references. The most useful defensive value comes from the related ATT&CK techniques rather than from the malware description alone. Local validation should confirm whether these behaviors are observable in the organization’s actual Windows estate and whether alerts are actionable for SOC and IR teams.
Official detection is not provided, tactics are not specified on the malware object, and no mitigation relationships were supplied. Some related technique platform fields are broader or not Windows-specific, so platform conclusions should be anchored to the malware object’s Windows platform and validated locally. This take does not assert current exploitation, local exposure, or guaranteed detection coverage.
NanHaiShu
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | NanHaiShu encodes files in Base64. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1059.007 | JavaScript Sub-technique | NanHaiShu executes additional JScript code on the victim's machine. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1685 | Disable or Modify Tools | NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity. (Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | NanHaiShu executes additional VBScript code on the victim's machine. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1016 | System Network Configuration Discovery | NanHaiShu can gather information about the victim proxy server. (Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | NanHaiShu can download additional files from URLs. (Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1070.004 | File Deletion Sub-technique | NanHaiShu launches a script to delete its original decoy file to cover tracks. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1218.005 | Mshta Sub-technique | NanHaiShu uses mshta.exe to load its program and files. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1071.004 | DNS Sub-technique | NanHaiShu uses DNS for its C2 communications. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | NanHaiShu modifies the %regrun% Registry key to point itself to an autostart mechanism. (Citation: fsecure NanHaiShu July 2016) |
| Enterprise | T1082 | System Information Discovery | NanHaiShu can gather the victim computer name and serial number. (Citation: Proofpoint Leviathan Oct 2017) |
| Enterprise | T1033 | System Owner/User Discovery | NanHaiShu collects the username from the victim. (Citation: fsecure NanHaiShu July 2016) |
Groups, software, and campaigns
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 15a069aa08f0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint Leviathan Oct 2017: Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- [2] fsecure NanHaiShu July 2016: F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
- [3] NanHaiShu (Citation: Proofpoint Leviathan Oct 2017)
- [4] mitre-attack S0228
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.