Leviathan
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 51 attack patterns (mitre), 19 malware, 9 sectors, 3 countries, 105 indicators, 5 vulnerabilities (cve), 7 tool, 1 campaign
Aliases
MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, TEMP.Periscope, Gingham Typhoon, APT40
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- CISA AA21-200A APT40 July 2021
- FireEye APT40 March 2019
- SecureWorks BRONZE MOHAWK n.d.
- Microsoft Threat Actor Naming July 2023
- CISA Leviathan 2024
- Crowdstrike KRYPTONITE PANDA August 2018
- mitre-attack (G0065)
- Accenture MUDCARP March 2019
- MSTIC GADOLINIUM September 2020
- FireEye Periscope March 2018
- Proofpoint Leviathan Oct 2017
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (51)
- Network Devices (uses)
- T1047 Windows Management Instrumentation (uses; MITRE)
- T1559.002 (MITRE)
- T1140 Deobfuscate/Decode Files or Information (uses; MITRE)
- T1595.002 Vulnerability Scanning (uses; MITRE)
- T1546.003 (MITRE)
- T1190 Exploit Public-Facing Application (uses; MITRE)
- T1566.001 Spearphishing Attachment (uses; MITRE)
- T1585.001 Social Media Accounts (uses; MITRE)
- T1534 Internal Spearphishing (uses; MITRE)
- T1505.003 Web Shell (uses; MITRE)
- T1189 Drive-by Compromise (uses; MITRE)
Malware (19)
- BADFLICK (uses)
- gh0st RAT - S0032 (uses; Family)
- BLACKCOFFEE (uses)
- Derusbi (uses)
- Orz - S0229 (uses)
- NanHaiShu (uses; Family; source: The MITRE Corporation, confidence 100)
  [NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South…
- Cobalt Strike (uses; Family)
- MURKYTOP (uses; Family; source: The MITRE Corporation, confidence 100)
  [MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)
- MURKYTOP - S0233 (uses)
- Orz (uses)
- Derusbi - S0021 (uses; source: AlienVault, confidence 100)
- PowerSploit - S0194 (uses)
Sectors (9)
- Healthcare (targets)
- Government (targets)
- Healthcare research (targets)
- Manufacturing (targets)
- Defense (targets)
- Aerospace (targets)
- Education (targets)
- Maritime transport (targets)
- Transportation (targets)
Countries (3)
- United States of America (targets)
- China (targets)
- Canada (targets)
Indicators (105)
Vulnerabilities (CVE) (5)
- Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute …
  Published 03/11/2021 · Modified 21/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
  Published 03/11/2021 · Modified 20/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
  Published 03/11/2021 · Modified 20/12/2025
- Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
  Attack vector: Network · Published 10/12/2021 · Modified 27/05/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
  Published 03/11/2021 · Modified 29/05/2026
Tool (7)
- PowerSploit (uses; source: The MITRE Corporation, confidence 100)
  [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
- Tor (uses; source: The MITRE Corporation, confidence 100)
  [Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the…
- BITSAdmin (uses; source: The MITRE Corporation, confidence 100)
  [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
- at (uses; source: The MITRE Corporation, confidence 100)
  [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At) (Citation: Linux at)
- Net (uses; source: The MITRE Corporation, confidence 100)
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Empire (uses; source: The MITRE Corporation, confidence 100)
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- Windows Credential Editor (source: The MITRE Corporation, confidence 100)
  [Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
Campaign (1)
- Leviathan Australian Intrusions (attributed-to)