Leviathan
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 51 attack patterns (MITRE), 19 malware, 9 sectors, 3 countries, 105 indicators, 5 vulnerabilities (CVE), 7 tools, 1 campaign
Aliases
MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, TEMP.Periscope, Gingham Typhoon, APT40
Description
Marking (TLP)
- TLP:CLEAR
- Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- CISA AA21-200A APT40 July 2021
- FireEye APT40 March 2019
- SecureWorks BRONZE MOHAWK n.d.
- Microsoft Threat Actor Naming July 2023
- CISA Leviathan 2024
- Crowdstrike KRYPTONITE PANDA August 2018
- mitre-attack (G0065)
- Accenture MUDCARP March 2019
- MSTIC GADOLINIUM September 2020
- FireEye Periscope March 2018
- Proofpoint Leviathan Oct 2017
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (51)
- Email Accounts (T1585.002, MITRE): uses
Malware (19)
- BADFLICK (uses)
- gh0st RAT - S0032 (uses; Family)
- BLACKCOFFEE (uses)
- Derusbi (uses)
- Orz - S0229 (uses)
- NanHaiShu (uses)
- Cobalt Strike (uses; Family)
- MURKYTOP (uses)
- MURKYTOP - S0233 (uses)
- Orz (uses)
- Derusbi - S0021 (uses)
- PowerSploit - S0194 (uses)
Sectors (9)
- Healthcare (targets)
- Government (targets)
- Healthcare research (targets)
- Manufacturing (targets)
- Defense (targets)
- Aerospace (targets)
- Education (targets)
- Maritime transport (targets)
- Transportation (targets)
Countries (3)
- United States of America (targets)
- China (targets)
- Canada (targets)
Indicators (105)
Vulnerabilities (CVE) (5)
- Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute …
  - Published: 03/11/2021
  - Modified: 21/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
  - Published: 03/11/2021
  - Modified: 20/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
  - Published: 03/11/2021
  - Modified: 20/12/2025
- Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
  - Attack vector: Network
  - Published: 10/12/2021
  - Modified: 27/05/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
  - Published: 03/11/2021
  - Modified: 29/05/2026
Tool (7)
- PowerSploit (uses). Source: The MITRE Corporation, confidence 100.
  [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
- Tor (uses). Source: The MITRE Corporation, confidence 100.
  [Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the…
- BITSAdmin (uses). Source: The MITRE Corporation, confidence 100.
  [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
- at (uses). Source: The MITRE Corporation, confidence 100.
  [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At) (Citation: Linux at)
- Net (uses). Source: The MITRE Corporation, confidence 100.
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Empire (uses). Source: The MITRE Corporation, confidence 100.
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- Source: The MITRE Corporation, confidence 100.
  [Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
Campaign (1)
- Leviathan Australian Intrusions (attributed-to)