{
	"id": "0aac60ba-6cbc-406d-99ab-210138ab511e",
	"created_at": "2026-04-06T00:13:27.449547Z",
	"updated_at": "2026-04-10T13:13:06.921285Z",
	"deleted_at": null,
	"sha1_hash": "2688d3efc336bc7e41529d56511b8372966f1c0a",
	"title": "Leviathan, APT 40, TEMP.Periscope - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83757,
	"plain_text": "Leviathan, APT 40, TEMP.Periscope - Threat Group Cards: A\r\nThreat Actor Encyclopedia\r\nArchived: 2026-04-05 16:57:07 UTC\r\nHome \u003e List all groups \u003e Leviathan, APT 40, TEMP.Periscope\r\n APT group: Leviathan, APT 40, TEMP.Periscope\r\nNames\r\nLeviathan (CrowdStrike)\r\nKryptonite Panda (CrowdStrike)\r\nAPT 40 (Mandiant)\r\nTEMP.Periscope (FireEye)\r\nTEMP.Jumper (FireEye)\r\nBronze Mohawk (SecureWorks)\r\nMudcarp (iDefense)\r\nGadolinium (Microsoft)\r\nATK 29 (Thales)\r\nITG09 (IBM)\r\nTA423 (Proofpoint)\r\nRed Ladon (PWC)\r\nGingham Typhoon (Microsoft)\r\nISLANDDREAMS (Google)\r\nJumper Taurus (Palo Alto)\r\nG0065 (MITRE)\r\nCountry China\r\nSponsor State-sponsored, Ministry of State Security, Hainan province\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription (FireEye) FireEye is highlighting a cyber espionage operation targeting crucial\r\ntechnologies and traditional intelligence targets from a China-nexus state sponsored\r\nactor we call APT40. The actor has conducted operations since at least 2013 in\r\nsupport of China’s naval modernization effort. The group has specifically targeted\r\nengineering, transportation, and the defense industry, especially where these sectors\r\noverlap with maritime technologies. 
More recently, we have also observed specific\r\ntargeting of countries strategically important to the Belt and Road Initiative\r\nincluding Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b106313a-d204-4d9f-866b-e750a98d0e06\r\nPage 1 of 4\n\nNorway, Saudi Arabia, Switzerland, the United States, and the United Kingdom.\nThis China-nexus cyber espionage group was previously reported as\nTEMP.Periscope and TEMP.Jumper.\nAlso see Hafnium.\nObserved\nSectors: Defense, Engineering, Government, Manufacturing, Research, Shipping and\nLogistics, Transportation and other Maritime-related targets across multiple\nverticals.\nCountries: Belgium, Cambodia, Germany, Hong Kong, Indonesia, Laos, Malaysia,\nMyanmar, New Zealand, Norway, Philippines, Saudi Arabia, Switzerland, Thailand,\nUK, USA, Vietnam and Asia Pacific Economic Cooperation (APEC).\nTools used\nAIRBREAK, BADFLICK, BlackCoffee, China Chopper, Cobalt Strike, DADJOKE,\nDadstache, Derusbi, Gh0st RAT, GRILLMARK, HOMEFRY, LUNCHMONEY,\nMURKYTOP, NanHaiShu, PlugX, scanbox, SeDLL, Windows Credentials Editor,\nZXShell, Living off the Land.\nOperations performed\n2014\nSpear-phishing maritime and defense targets\nProofpoint researchers are tracking an espionage actor targeting\norganizations and high-value targets in defense and government.\nActive since at least 2014, this actor has long-standing interest in\nmaritime industries, naval defense contractors, and associated research\ninstitutions in the United States and Western Europe.\nMay 2017\nTargeting UK-Based Engineering Company Using Russian APT\nTechniques\nEmployees of a U.K.-based engineering company were among the\ntargeted victims of a spear-phishing campaign in early July 2018. The\ncampaign also targeted an email address possibly belonging to a\nfreelance journalist based in Cambodia who covers Cambodian\npolitics, human rights, and Chinese development. 
We believe both\nattacks used the same infrastructure as a reported campaign by\nChinese threat actor TEMP.Periscope (also known as Leviathan),\nwhich targeted Cambodian entities in the run-up to their July 2018\nelections. Crucially, TEMP.Periscope’s interest in the U.K. engineering\ncompany they targeted dates back to attempted intrusions in May\n2017.\n2017\nThe current campaign is a sharp escalation of detected activity since\nsummer 2017. Like multiple other Chinese cyber espionage actors,\nTEMP.Periscope has recently re-emerged and has been observed\nconducting operations with a revised toolkit. Known targets of this\ngroup have been involved in the maritime industry, as well as\nengineering-focused entities, and include research institutes, academic\norganizations, and private firms in the United States.\nJul 2018\nTargeting Cambodia Ahead of July 2018 Elections\nFireEye has examined a range of TEMP.Periscope activity revealing\nextensive interest in Cambodia’s politics, with active compromises of\nmultiple Cambodian entities related to the country’s electoral system.\nThis includes compromises of Cambodian government entities\ncharged with overseeing the elections, as well as the targeting of\nopposition figures. 
This campaign occurs in the run up to the country’s\nJuly 29, 2018, general elections.\nJan 2020\nThe Malaysian Computer Emergency Response Team, a government-backed organization, said it had “observed an increase in [the] number\nof artifacts and victims involving a campaign against Malaysian\ngovernment officials.”\n2021\nParliamentary network breached by the PRC\nCounter operations Jul 2021\nFour Chinese Nationals Working with the Ministry of State Security\nCharged with Global Computer Intrusion Campaign Targeting\nIntellectual Property and Confidential Business Information, Including\nInfectious Disease Research\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b106313a-d204-4d9f-866b-e750a98d0e06",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b106313a-d204-4d9f-866b-e750a98d0e06"
	],
	"report_names": [
		"showcard.cgi?u=b106313a-d204-4d9f-866b-e750a98d0e06"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2688d3efc336bc7e41529d56511b8372966f1c0a.pdf",
		"text": "https://archive.orkl.eu/2688d3efc336bc7e41529d56511b8372966f1c0a.txt",
		"img": "https://archive.orkl.eu/2688d3efc336bc7e41529d56511b8372966f1c0a.jpg"
	}
}