active threat profile
type: nation-state
threat_level: high
status: active
origin: People's Republic of China
last_updated: 2026-03-13

APT40 (Leviathan)

also known as: Leviathan, TEMP.Periscope, Kryptonite Panda, Bronze Mohawk

APT40 is a Chinese state-linked espionage cluster tracked as MITRE ATT&CK G0065 and widely associated with the Hainan State Security Department. The group is notable for long-running intrusions against maritime, government, research, transportation, healthcare, and industrial targets using phishing, public-facing application exploitation, credential theft, web shells, and custom malware.

attributed origin: People's Republic of China
suspected sponsor: Ministry of State Security-linked operators via the Hainan State Security Department
first observed: 2009
primary motivation: espionage
primary targets: maritime, government, research and academia
known campaigns: 3+ public campaigns
mitre att&ck group: G0065
target regions: United States, Australia, Europe, Southeast Asia, Middle East
threat level: high

Overview

APT40, also referred to as Leviathan, TEMP.Periscope, and in some reporting Bronze Mohawk, is a PRC-linked cyber espionage group attributed by MITRE and government reporting to operators supporting the Hainan State Security Department. Public reporting and the 2021 U.S. Department of Justice indictment tied Hainan Xiandun Technology Development Co. to long-running intrusion activity aligned with Chinese state interests. APT40 has repeatedly targeted maritime and transportation entities, government agencies, universities, research institutions, healthcare and biopharmaceutical organizations, and defense-related sectors. The group's tradecraft combines targeted phishing, exploitation of internet-facing systems, credential collection, web shells, and custom malware families to establish persistence and exfiltrate sensitive information.

Target Profile

APT40 primarily targets organizations whose data can support geopolitical, economic, defense-industrial, maritime, and technology collection requirements aligned with PRC state objectives.

  • Maritime and transportation: APT40 has repeatedly targeted maritime engineering, shipping, offshore operations, and transportation-related entities to collect strategic and commercial information tied to the South China Sea and broader regional competition.
  • Government, defense, and critical sectors: The group targets ministries, contractors, and supporting ecosystems to obtain policy, procurement, operational, and technology information useful for state intelligence requirements.
  • Academia, healthcare, and research: Universities, biopharmaceutical organizations, and research institutions have been targeted for intellectual property, scientific data, and access pathways into partner networks.

Tactics, Techniques & Procedures

Public reporting and ATT&CK mappings show APT40 using a mix of credential access, web exploitation, web shells, remote services, and staged exfiltration. The table below highlights representative techniques strongly associated with Leviathan activity.

MITRE ID   | Technique                                          | Description
T1190      | Exploit Public-Facing Application                  | APT40 has exploited vulnerable internet-facing applications and appliances for initial access into victim environments.
T1505.003  | Server Software Component: Web Shell               | Leviathan has repeatedly used web shells to maintain access, execute commands, and support follow-on intrusion activity.
T1111      | Multi-Factor Authentication Interception           | MITRE documents Leviathan collecting MFA token values during the 2022 intrusions against Australian networks, after compromising edge infrastructure.
T1041      | Exfiltration Over C2 Channel                       | APT40 has staged and exfiltrated victim data over existing command-and-control channels after internal discovery and collection.

Known Campaigns

Confirmed or highly attributed operations linked to this threat actor.

South China Sea-focused maritime intrusion activity 2013-2018

Multiple public reports linked Leviathan to campaigns against U.S. engineering, maritime, and transportation organizations, using spearphishing and malware such as MURKYTOP and AIRBREAK together with web shells to establish footholds and steal sensitive information.

Global intrusion campaign charged by U.S. DOJ 2021

The 2021 DOJ case described a years-long campaign by Hainan MSS-linked operators against governments, companies, and universities across multiple countries, including aviation, defense, education, healthcare, maritime, and biopharma victims.

Leviathan Australian Intrusions 2022

Government reporting on APT40 activity against Australian networks in 2022 (the intrusions behind the MITRE T1111 mapping above) described the group compromising internet-facing edge infrastructure, harvesting credentials and MFA token values, and using the stolen access to reach internal services. The same reporting noted APT40's use of compromised small-office/home-office devices as operational infrastructure, which makes blocking on source address alone unreliable.

Tools & Malware

APT40 has been associated with a mix of custom malware, post-exploitation tooling, and web shell activity documented across public reporting.

  • NanHaiShu: A remote access tool and JScript backdoor used in Leviathan operations, especially against organizations tied to South China Sea disputes.
  • MURKYTOP: A reconnaissance and lateral movement utility capable of enumerating hosts, shares, users, groups, scheduled tasks, and open ports inside victim networks.
  • Orz / AIRBREAK and web shells: Leviathan has been linked to custom JavaScript backdoors and persistent web shell usage, including China Chopper-style web shell tradecraft in compromised web environments.

Mitigation & Defense

Defensive priorities should focus on internet-facing attack surface reduction, credential protection, detection of web shell and post-exploitation activity, and tighter monitoring of privileged access and data staging behavior.

  • Harden and patch public-facing systems: Prioritize rapid remediation of internet-exposed applications, VPNs, edge devices, and appliances because APT40 has repeatedly exploited public-facing services for initial access.
  • Detect credential theft and session abuse: Monitor for LSASS access, unusual token use, MFA interception patterns, Kerberoasting indicators, and abnormal authentication flows from edge infrastructure into internal services.
  • Hunt for web shells and lateral movement: Inspect web roots, IIS and application logs, scheduled tasks, service creation, SMB admin share abuse, remote PowerShell, SSH activity, and unusual outbound data transfers from application servers.
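The web-shell hunt described above (and the T1505.003 row in the TTP table) as an added example, not tooling from this profile or from any vendor or government report on APT40: it parses IIS W3C log lines and joins POST requests to a web-root file inventory, scoring each server-side script on whether it is absent from the deployment manifest, was created recently, contains shell-like tokens, and receives POSTs from external addresses. The log excerpt, file inventory, deployment manifest, and internal address ranges are all constructed for the demonstration and would be replaced by a real log export, a filesystem walk, and the release pipeline's manifest.

```python
"""Web-shell hunt: join IIS W3C log requests to a web-root file inventory.

Added example for this profile; not tooling from any vendor or government
report on APT40. Heuristic (ATT&CK T1505.003): a server-side script that is
absent from the deployment manifest, was created recently, contains
shell-like tokens, and receives POSTs from external addresses scores high.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx")
# Tokens that recur in web-shell bodies; a match only raises the score.
SUSPICIOUS_CONTENT = re.compile(
    r'eval\s*\(|Request\.Item|Request\["|"unsafe"|Diagnostics\.Process|cmd\.exe', re.I)
# Ranges treated as internal (assumption for the demo; set these per estate).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IIS W3C log excerpt (synthetic; IIS writes spaces in UA as '+').
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-05-02 01:13:04 10.0.0.5 GET /Default.aspx - 203.0.113.7 Mozilla/5.0 200
2024-05-02 01:14:11 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 203.0.113.7 Mozilla/5.0 200
2024-05-02 01:14:12 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 203.0.113.7 Mozilla/5.0 200
2024-05-02 01:20:30 10.0.0.5 POST /Login.aspx - 198.51.100.4 Mozilla/5.0 302
2024-05-02 01:25:00 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 203.0.113.7 python-requests/2.31 200
2024-05-02 01:30:00 10.0.0.5 POST /internal/health.aspx - 10.0.0.9 HealthChecker/1.0 200
"""


@dataclass
class WebFile:
    path: str          # URI stem relative to the web root
    created: datetime  # NTFS creation time from the inventory
    content: str       # leading bytes of the file, for the content check


# Constructed web-root inventory (synthetic). The last entry mimics a
# one-line JScript web shell; the others are ordinary application pages.
SAMPLE_INVENTORY = [
    WebFile("/Default.aspx", datetime(2023, 11, 1), '<%@ Page Language="C#" %> <html>'),
    WebFile("/Login.aspx", datetime(2023, 11, 1), '<%@ Page Language="C#" %> <form>'),
    WebFile("/internal/health.aspx", datetime(2024, 4, 28), '<%@ Page %> OK'),
    WebFile("/aspnet_client/system_web/help.aspx", datetime(2024, 5, 2, 1, 12),
            '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'),
]
# Files the release pipeline is known to ship (assumption for the demo).
DEPLOY_MANIFEST = {"/Default.aspx", "/Login.aspx", "/internal/health.aspx"}


def parse_iis_log(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended log lines, taking column names from #Fields."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines, never misalign
                records.append(dict(zip(fields, values)))
    return records


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass
class Finding:
    path: str
    score: int
    reasons: list[str]
    post_count: int
    source_ips: list[str]
    user_agents: list[str]


def hunt_web_shells(records, inventory, manifest, now, lookback_days=30, min_score=3):
    """Score every script in the web root; return findings at or above min_score."""
    posts: dict[str, list[dict[str, str]]] = defaultdict(list)
    for r in records:
        if r["cs-method"] == "POST":
            posts[r["cs-uri-stem"]].append(r)
    findings = []
    for f in inventory:
        if not f.path.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        reqs = posts.get(f.path, [])
        ext = sorted({r["c-ip"] for r in reqs if is_external(r["c-ip"])})
        checks = [  # (points, reason, hit)
            (2, "not in deployment manifest", f.path not in manifest),
            (1, f"created {f.created:%Y-%m-%d}, inside lookback",
             now - f.created <= timedelta(days=lookback_days)),
            (2, "shell-like tokens in file content", bool(SUSPICIOUS_CONTENT.search(f.content))),
            (2, f"POSTs from external {', '.join(ext)}", bool(ext)),
        ]
        score = sum(pts for pts, _, hit in checks if hit)
        if score >= min_score:
            findings.append(Finding(f.path, score, [why for _, why, hit in checks if hit],
                                    len(reqs), ext, sorted({r["cs(User-Agent)"] for r in reqs})))
    return sorted(findings, key=lambda x: x.score, reverse=True)


def run_demo(now: datetime = datetime(2024, 5, 3)) -> list[Finding]:
    return hunt_web_shells(parse_iis_log(SAMPLE_IIS_LOG), SAMPLE_INVENTORY, DEPLOY_MANIFEST, now)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit.path} score={hit.score} posts={hit.post_count} from={hit.source_ips}")
        for why in hit.reasons:
            print("  -", why)
```

On the constructed data only the dropped help.aspx is reported: it is missing from the manifest, was created the day before, contains an eval(Request.Item[...]) body, and takes POSTs from an external address with two different user agents. Login.aspx also receives an external POST but is a manifested, long-lived page, so it stays below the threshold; the point of the join is that request logs alone would flag every login form, while file metadata alone would miss a shell that is never exercised. The internal ranges are deliberately explicit rather than relying on ipaddress.is_global, which treats the documentation ranges used here as non-global.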

Note

Alias mapping across vendors is imperfect. Leviathan, APT40, TEMP.Periscope, Kryptonite Panda, and Bronze Mohawk are often used for overlapping activity, but not every vendor scope is perfectly identical. Treat naming differences as analytic clustering differences rather than proof of separate actors.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile