G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
Analyst context for executives and security teams
Leviathan matters because ATT&CK describes it as a long-running Chinese state-sponsored espionage group whose targeting covers sectors (research, defense, maritime, aviation, healthcare, government, manufacturing, transportation) where stolen data can affect strategic advantage and business continuity. For executives, the key issue is not a list of malware names: the related campaign context highlights external service exploitation, credential capture and reuse, privilege escalation, lateral movement, and sensitive data exfiltration in an attributed campaign.
Executive priority
Prioritize this as a resilience and sensitive-data protection planning case if your organization operates in the listed sectors or geographies. Leaders should ask whether externally exposed services, credential stores, remote access paths, and data repositories have measurable control evidence. This object is also useful for board and audit conversations because it connects espionage risk to concrete validation areas: vulnerability management for exposed services, identity hardening, SOC visibility, incident response readiness, and evidence that credential theft and lateral movement can be detected and contained.
Technical view
ATT&CK provides no official detection text for this group, so defenders should derive coverage from the related techniques, campaign, and software relationships. Focus on credential access via OS Credential Dumping and its LSASS Memory sub-technique (including password dumping tools such as Windows Credential Editor), lateral movement over RDP and SSH, web shells such as China Chopper, built-in administration utilities such as Net, at, and BITSAdmin, PowerShell and post-exploitation frameworks such as PowerSploit, Empire, and Cobalt Strike, and remote access and backdoor tooling including NanHaiShu, Orz, BADFLICK, Derusbi, gh0st RAT, BLACKCOFFEE, HOMEFRY, and MURKYTOP. The campaign relationship makes credential capture and reuse the highest-priority behavior to validate; check it on Windows, Linux, macOS, and ESXi wherever the related techniques or tools list those platforms as supported.
Likely telemetry
- External-facing service logs, web server logs, and file integrity evidence for possible web shell placement or access patterns
- Identity and authentication logs for successful and failed logons, unusual credential reuse, RDP sessions, SSH sessions, and privilege changes
- Endpoint process creation and command-line telemetry for Net, at, BITSAdmin, PowerShell, and post-exploitation framework activity
- Windows security and EDR telemetry around LSASS access, credential dumping behavior, suspicious handles, memory access, or dump file creation
- Network, DNS, proxy, and firewall logs for remote access tooling, anonymization infrastructure such as Tor, and unusual outbound connections
Detection direction
- Because MITRE does not provide group-specific detection guidance, map detections to the related techniques and software rather than relying on the Leviathan name alone.
- Validate that credential dumping detections cover both generic OS credential access and Windows LSASS access, and tune for legitimate administrative or security-tool activity to reduce false positives.
- Correlate remote access logons over RDP and SSH with prior credential events, new administrative access, unusual source hosts, and lateral movement sequences.
- Hunt for living-off-the-land command usage involving Net, at, BITSAdmin, and PowerShell where execution context, parent process, destination, or timing is abnormal.
- For web shell risk, confirm that internet-facing application logs, server-side file writes, and web process child process execution are collected and reviewable.
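The detection directions above (LSASS access from non-allowlisted processes, RDP logons correlated with earlier credential events, living-off-the-land binaries launched from scripting or web-server parents, and shells spawned by web processes) can be exercised as code. The block below is an added example written for this page, not MITRE content or a Glexia detection rule. The event records are constructed and use a simplified blend of Sysmon (EventID 1 and 10) and Windows Security (4624) field names; the allowlist, hosts, users, IP addresses and the two-hour correlation window are assumptions to be replaced with values from your own environment.

```python
"""Toy detections for Leviathan-style tradecraft over constructed sample telemetry.

Added example, not code from MITRE ATT&CK or the mirrored page. Field names are a
simplified blend of Sysmon (EventID 1, 10) and Windows Security (4624); every
event, host, user and IP below is constructed for illustration only.
"""
from datetime import datetime, timedelta

# Assumed per-environment allowlist of processes that legitimately open LSASS (AV/EDR).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
LOLBINS = {"net.exe", "net1.exe", "at.exe", "bitsadmin.exe"}
# Parents that rarely launch admin LOLBins by hand: script hosts and web servers.
SCRIPT_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"} | WEB_SERVER_PROCESSES
PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ts(s):
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"time": "2024-05-01T09:00:00", "host": "HOST-A", "host_ip": "10.0.0.15", "event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"time": "2024-05-01T09:05:00", "host": "HOST-A", "host_ip": "10.0.0.15", "event_id": 10,
     "source_image": r"C:\Users\jsmith\AppData\Local\Temp\wce.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"time": "2024-05-01T09:20:00", "host": "HOST-B", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\svc_backup", "ip_address": "10.0.0.15"},
    {"time": "2024-05-01T09:22:00", "host": "HOST-B", "event_id": 1, "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"net use \\HOST-C\C$ /user:CORP\svc_backup"},
    {"time": "2024-05-01T11:00:00", "host": "HOST-B", "event_id": 1, "user": "CORP\\itadmin",
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user"},
    {"time": "2024-05-01T13:40:00", "host": "WEB-1", "event_id": 1, "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
]


def detect_lsass_access(events):
    """Sysmon EventID 10 against lsass.exe requesting VM_READ from a non-allowlisted image."""
    hits = []
    for e in events:
        if e.get("event_id") != 10 or basename(e["target_image"]) != "lsass.exe":
            continue
        if basename(e["source_image"]) in LSASS_ALLOWLIST:
            continue  # tuned out: known security tooling
        if int(e["granted_access"], 16) & PROCESS_VM_READ:
            hits.append(e)
    return hits


def detect_web_shell_children(events):
    """A web server process spawning a shell is the classic web shell execution signal."""
    return [e for e in events if e.get("event_id") == 1
            and basename(e["parent_image"]) in WEB_SERVER_PROCESSES
            and basename(e["image"]) in SHELLS]


def detect_lolbin_from_script_host(events):
    """net/at/bitsadmin launched by a script host or web server rather than an interactive shell."""
    return [e for e in events if e.get("event_id") == 1
            and basename(e["image"]) in LOLBINS
            and basename(e["parent_image"]) in SCRIPT_PARENTS]


def correlate_dump_then_remote_logon(events, window=timedelta(hours=2)):
    """Pair each LSASS alert with later RDP logons (4624, type 10) sourced from that host's IP."""
    chains = []
    for dump in detect_lsass_access(events):
        t0 = ts(dump["time"])
        for e in events:
            if (e.get("event_id") == 4624 and e.get("logon_type") == 10
                    and e.get("ip_address") == dump["host_ip"]
                    and t0 <= ts(e["time"]) <= t0 + window):
                chains.append({"dump_host": dump["host"], "tool": basename(dump["source_image"]),
                               "logon_host": e["host"], "user": e["user"],
                               "minutes_after": int((ts(e["time"]) - t0).total_seconds() // 60)})
    return chains


if __name__ == "__main__":
    for name, fn in [("lsass", detect_lsass_access), ("webshell", detect_web_shell_children),
                     ("lolbin", detect_lolbin_from_script_host), ("chain", correlate_dump_then_remote_logon)]:
        print(name, fn(SAMPLE_EVENTS))
```

Run against the constructed events, the LSASS rule fires once (the allowlisted Defender engine is tuned out, the temp-directory dumper is not), the web shell rule catches cmd.exe under w3wp.exe, the LOLBin rule catches net.exe under PowerShell but not the administrator's net.exe under cmd.exe, and the correlation links the dump on HOST-A to the RDP logon on HOST-B fifteen minutes later from HOST-A's address. The allowlist and the parent-process heuristic are the two places that need per-environment tuning, as the detection direction notes.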
Mitigation priorities
- Start with externally exposed service governance: inventory, patch prioritization, secure configuration, and monitoring evidence for internet-facing systems.
- Harden identity paths next: least privilege, privileged account separation, MFA where applicable, credential hygiene, and controls that reduce credential reuse after compromise.
- Restrict and monitor administrative remote access such as RDP and SSH, including segmentation and logging sufficient for incident reconstruction.
- Reduce credential dumping opportunity through endpoint hardening, privileged access controls, and monitoring of LSASS and other credential stores.
- Constrain abuse of built-in tools and scripting through policy, allowlisting, script logging, and administrative workflow review where operationally feasible.
Analyst notes and limits
This take is based on ATT&CK group G0065, its aliases, official description, external references, and the supplied relationships. The most decision-useful relationship is the Leviathan Australian Intrusions campaign, which explicitly notes external service exploitation followed by credential capture and reuse, privilege escalation, lateral movement, and sensitive data exfiltration. The software relationships also indicate a mix of custom malware, public tools, remote access frameworks, web shells, credential tools, and built-in administrative utilities.
The ATT&CK object does not specify platforms or tactics directly and provides no official detection section. Platforms and tactics referenced here come from supplied related techniques and software, not from a group-level platform declaration. Local exposure, sector relevance, telemetry availability, and confirmed detection coverage must be validated in the organization’s own environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
Technique relationships are not reproduced in this snapshot. The software and campaign relationships below follow the MITRE layout of making group, software, campaign, and technique relationships scannable; relationship notes come from mirrored ATT&CK relationship text when available, and bracketed citations inside a software entry refer to that software object's own reference list, not to the group references at the end of this page.
Groups, software, and campaigns
S0005: Windows Credential Editor
Windows Credential Editor is a password dumping tool. [1]
S0190: BITSAdmin
S0232: HOMEFRY
S0021: Derusbi
S0110: at
S0069: BLACKCOFFEE
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013.[1][2]
S0642: BADFLICK
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0032: gh0st RAT
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]
Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]
S0233: MURKYTOP
C0049: Leviathan Australian Intrusions
Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the mirrored snapshot of this object. When multiple ATT&CK source imports are retained, the same object can be compared across releases by object version, MITRE modification timestamp, and raw bundle hash. For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.1 | | Current bundle | 18ed60da4f10… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash, so the exact object as imported can be retrieved for comparison.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records. Entries marked "(alias)" are ATT&CK associated-group records for this object; their body is the relationship note and its citations.
[1] CISA AA21-200A APT40 July 2021: CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
[2] Proofpoint Leviathan Oct 2017: Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
[3] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[4] CISA Leviathan 2024: CISA et al. (2024, July 8). People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
[5] FireEye APT40 March 2019: Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
[6] Accenture MUDCARP March 2019: Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
[7] APT40 (alias): FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan. (Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)
[8] BRONZE MOHAWK (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.)
[9] Crowdstrike KRYPTONITE PANDA August 2018: Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.
[10] Gadolinium (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020)
[11] Gingham Typhoon (alias): (Citation: Microsoft Threat Actor Naming July 2023)
[12] Kryptonite Panda (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018)
[13] Leviathan (alias): (Citation: Proofpoint Leviathan Oct 2017)
[14] MSTIC GADOLINIUM September 2020: Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.
[15] MUDCARP (alias): (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)
[16] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[17] SecureWorks BRONZE MOHAWK n.d.: SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.
[18] TEMP.Jumper (alias): [Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper. (Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019)
[19] TEMP.Periscope (alias): [Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper. (Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)
[20] mitre-attack G0065: https://attack.mitre.org/groups/G0065
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.