Leviathan

OriginChina

Techniques (MITRE ATT&CK)50

SourceMITRE ATT&CK

Also known as:MUDCARPKryptonite PandaGadoliniumBRONZE MOHAWKTEMP.JumperAPT40TEMP.PeriscopeGingham Typhoon

Vexday analysis

Leviathan é um grupo de espionagem cibernética patrocinado pelo Estado chinês, atribuído ao Departamento de Segurança Estatal de Hainan, vinculado ao Ministério de Segurança do Estado (MSS), e a uma empresa de fachada associada. Ativo desde pelo menos 2009, o grupo tem como alvos setores como academia, aeroespacial e aviação, biomédico, base industrial de defesa, governo, saúde, manufatura, marítimo e transporte, com atuação registrada nos Estados Unidos, Canadá, Austrália, Europa, Oriente Médio e Sudeste Asiático. Também rastreado como APT40, MUDCARP, Gadolinium, BRONZE MOHAWK, TEMP.Jumper e Kryptonite Panda, o grupo possui 50 técnicas documentadas no MITRE ATT&CK e 5 CVEs a ele atribuídas.

Techniques (MITRE ATT&CK) 50

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance

Credentials Vulnerability Scanning

Resource development

Domains Server Network Devices Social Media Accounts Email Accounts Social Media Accounts Email Accounts Exploits

Initial access

Drive-by Compromise Exploit Public-Facing Application Spearphishing Attachment Spearphishing Link

Execution

Windows Management Instrumentation PowerShell Visual Basic Exploitation for Client Execution Malicious Link Malicious File Dynamic Data Exchange

Persistence

External Remote Services Web Shell Registry Run Keys / Startup Folder Shortcut Modification

Privilege escalation

Windows Management Instrumentation Event Subscription

Credential access

OS Credential Dumping LSASS Memory

Lateral movement

Remote Desktop Protocol SSH Internal Spearphishing

Collection

Local Data Staging Remote Data Staging Archive Collected Data

Command and control

Multi-hop Proxy One-Way Communication Ingress Tool Transfer Protocol Tunneling

Exfiltration

Exfiltration Over C2 Channel Exfiltration to Cloud Storage

defense-impairment

Code Signing

stealth

Binary Padding Steganography Encrypted/Encoded File Compression Dynamic-link Library Injection Valid Accounts Deobfuscate/Decode Files or Information BITS Jobs Regsvr32

Exploited vulnerabilities 5

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2017-11882HIGHEPSS 100%KEV CVE-2014-7169CRITICALEPSS 100%KEV CVE-2017-0199HIGHEPSS 100%KEV CVE-2017-8759HIGHEPSS 89%KEV CVE-2016-6662EPSS 68%

Leviathan uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →