Leviathan
Aliases: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.
ATT&CK techniques
T1567.002: Exfiltration to Cloud Storage
T1102.003: One-Way Communication
T1047: Windows Management Instrumentation
T1021.004: SSH
T1105: Ingress Tool Transfer
T1547.001: Registry Run Keys / Startup Folder
T1027.013: Encrypted/Encoded File
T1589.001: Credentials
T1003.001: LSASS Memory
T1586.001: Social Media Accounts
T1090.003: Multi-hop Proxy
T1027.001: Binary Padding
T1583.001: Domains
T1585.002: Email Accounts
T1566.002: Spearphishing Link
T1189: Drive-by Compromise
T1546.003: Windows Management Instrumentation Event Subscription
T1027.003: Steganography
T1585.001: Social Media Accounts
T1059.001: PowerShell
T1547.009: Shortcut Modification
T1055.001: Dynamic-link Library Injection
T1566.001: Spearphishing Attachment
T1203: Exploitation for Client Execution
T1059.005: Visual Basic
T1078: Valid Accounts
T1553.002: Code Signing
T1559.002: Dynamic Data Exchange
T1197: BITS Jobs
T1074.001: Local Data Staging
T1204.002: Malicious File
T1140: Deobfuscate/Decode Files or Information
T1074.002: Remote Data Staging
T1534: Internal Spearphishing
T1218.010: Regsvr32
T1041: Exfiltration Over C2 Channel
T1505.003: Web Shell
T1021.001: Remote Desktop Protocol
T1560: Archive Collected Data
T1572: Protocol Tunneling
T1204.001: Malicious Link
T1133: External Remote Services
T1003: OS Credential Dumping
T1586.002: Email Accounts
T1059.003: Windows Command Shell