MITRE ATT&CK® Malware

S0233: MURKYTOP

MURKYTOP is a reconnaissance tool used by Leviathan. [1]

Domain: Enterprise | ID: S0233 | Type: Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

MURKYTOP is a Windows reconnaissance tool associated in ATT&CK with Leviathan. Its business significance is not the tool name itself, but the kind of early intrusion activity it represents: mapping systems, services, accounts, permissions, shares, and host details so an operator can decide where to move next and what data or systems may be valuable.

Executive priority

Treat this as a validation point for discovery-stage defense and incident readiness. Leaders should ask whether the organization can quickly prove what a Windows host enumerated across the network, which accounts and groups were queried, whether scheduled execution via At occurred, and whether evidence was deleted. This matters for containment scope, audit evidence, and prioritizing controls around internal visibility, identity hygiene, and segmentation.

Technical view

ATT&CK does not provide a dedicated detection for MURKYTOP, so coverage should be validated through the related behaviors: Remote System Discovery, Network Service Discovery, At-based scheduled execution, Windows Command Shell execution, Permission Groups Discovery, File Deletion, System Information Discovery, Local Account discovery, and Network Share Discovery. SOC and IR teams should test whether Windows endpoint, command-line, scheduled task, authentication/identity, SMB/share, and network telemetry can reconstruct these behaviors from a suspected host.

Likely telemetry

  • Windows process creation and command-line telemetry, especially cmd.exe and discovery utilities
  • Scheduled execution evidence related to the At utility
  • Host inventory and system information queries
  • Local account, group, and permission enumeration events
  • Network connection and scan-like activity from Windows endpoints to internal systems and services

Detection direction

  • Do not rely on a MURKYTOP-specific signature alone; validate behavioral detections mapped to the related ATT&CK techniques.
  • Tune for clusters of discovery activity from one Windows host, such as account enumeration plus network share discovery plus remote system or service enumeration.
  • Review expected administrative activity to reduce false positives, since legitimate IT tools and administrators may perform similar discovery.
  • Prioritize visibility into command-line arguments, scheduled execution, and internal network enumeration because ATT&CK provides no official detection text for this malware object.
  • Use the Leviathan relationship as threat-intelligence context, not as proof of attribution in a local incident.
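The clustering idea in the second bullet (several distinct discovery techniques from one Windows host inside a short window) as an added example, not Glexia or MITRE code. The command-line-to-technique mapping, the pipe-delimited event format and the sample events are constructed assumptions; a real deployment would tune the patterns against its own baseline.

```python
"""Correlate discovery-stage command lines per host and flag clusters.
Added example (not Glexia or MITRE code); the command-to-technique mapping,
the log format and the sample events are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative mapping of command-line patterns to the ATT&CK techniques the
# page lists for MURKYTOP. Assumption: a real deployment would tune these.
DISCOVERY_PATTERNS = {
    "T1087.001": re.compile(r"\bnet\s+user\b", re.I),            # Local Account
    "T1069":     re.compile(r"\bnet\s+(local)?group\b", re.I),   # Permission Groups
    "T1135":     re.compile(r"\bnet\s+view\b", re.I),            # Network Share
    "T1053.002": re.compile(r"(^|\s)at(\.exe)?\s+\\\\", re.I),   # remote At job
    "T1082":     re.compile(r"\bsysteminfo\b", re.I),            # System Information
}

# Constructed process-creation events: timestamp|host|user|command_line
SAMPLE_LOG = """\
2024-03-01T09:00:05|WS-0142|corp\\jsmith|cmd.exe /c net user /domain
2024-03-01T09:00:41|WS-0142|corp\\jsmith|cmd.exe /c net view \\\\FS01
2024-03-01T09:01:10|WS-0142|corp\\jsmith|cmd.exe /c net localgroup administrators
2024-03-01T09:02:30|WS-0142|corp\\jsmith|at \\\\FS01 13:00 cmd /c whoami
2024-03-01T10:15:00|WS-0077|corp\\helpdesk|cmd.exe /c net view \\\\FS01
2024-03-01T12:40:00|WS-0077|corp\\helpdesk|cmd.exe /c net user
2024-03-01T15:30:00|WS-0077|corp\\helpdesk|systeminfo
""".splitlines()

def classify(command_line):
    """Return the technique IDs whose pattern matches this command line."""
    return {tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(command_line)}

def discovery_clusters(lines, window=timedelta(minutes=30), min_techniques=3):
    """Return {host: sorted techniques} for hosts that show at least
    min_techniques distinct discovery techniques inside one sliding window."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _user, cmd = line.split("|", 3)
        for tid in classify(cmd):
            per_host[host].append((datetime.fromisoformat(ts), tid))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {tid for t, tid in events[i:] if t - start <= window}
            if len(seen) >= min_techniques:
                flagged[host] = sorted(seen | set(flagged.get(host, [])))
    return flagged

if __name__ == "__main__":
    for host, techniques in discovery_clusters(SAMPLE_LOG).items():
        print(f"{host}: discovery cluster {', '.join(techniques)}")
```

WS-0077 runs the same three kinds of commands spread over five hours and is not flagged, which is the false-positive control the third bullet asks for; shrinking the window or raising the threshold is where local tuning happens.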

Mitigation priorities

  • Ensure endpoint logging and retention are sufficient before an incident, especially for Windows process execution, scheduled tasks, file deletion, and network discovery evidence.
  • Limit unnecessary internal discovery opportunities through network segmentation, least privilege, and controlled access to shares and administrative interfaces.
  • Harden identity and access management by reviewing local accounts, group memberships, and elevated permissions that discovery activity would expose.
  • Prepare IR playbooks to scope reconnaissance from a compromised host and preserve evidence where file deletion may have occurred.
  • Use the related techniques to drive control validation and detection engineering rather than treating the malware name as the primary control objective.

Analyst notes and limits

The supplied ATT&CK object identifies MURKYTOP as a reconnaissance tool used by Leviathan and provides relationships to several discovery, execution, persistence/privilege-escalation, and stealth techniques. The strongest defensive value is in validating whether the environment can detect and investigate those behaviors on Windows systems.

ATT&CK provides no official detection text, no aliases, no labels, and no malware-specific tactics for this object. The official platform is Windows, while some related techniques include additional platforms; this take does not extend MURKYTOP platform coverage beyond the supplied malware platform. Local telemetry, baselines, and incident evidence are required to determine actual exposure or activity.

Official MITRE ATT&CK definition

MURKYTOP

MURKYTOP is a reconnaissance tool used by Leviathan. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

9 rows. Columns: Domain | ID | Name | Relationship / procedure. All procedure notes cite FireEye Periscope March 2018 [1].

Enterprise | T1018 | Remote System Discovery
  MURKYTOP has the capability to identify remote hosts on connected networks. [1]

Enterprise | T1082 | System Information Discovery
  MURKYTOP has the capability to retrieve information about the OS. [1]

Enterprise | T1070.004 | File Deletion (sub-technique)
  MURKYTOP has the capability to delete local files. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  MURKYTOP uses the command-line interface. [1]

Enterprise | T1069 | Permission Groups Discovery
  MURKYTOP has the capability to retrieve information about groups. [1]

Enterprise | T1053.002 | At (sub-technique)
  MURKYTOP has the capability to schedule remote AT jobs. [1]

Enterprise | T1135 | Network Share Discovery
  MURKYTOP has the capability to retrieve information about shares on remote hosts. [1]

Enterprise | T1046 | Network Service Discovery
  MURKYTOP has the capability to scan for open ports on hosts in a connected network. [1]

Enterprise | T1087.001 | Local Account (sub-technique)
  MURKYTOP has the capability to retrieve information about users on remote hosts. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created: (not present in snapshot)
Modified: (not present in snapshot)
Raw hash: fec5572a0fab0076...

Imported snapshots across ATT&CK releases (1)
Columns: Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not present) | 1.1 | (not present) | Current bundle | fec5572a0fab…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye Periscope March 2018. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. (Open source URL)
  2. [2] MURKYTOP. (Citation: FireEye Periscope March 2018)
  3. [3] mitre-attack S0233. (Open source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.