{
	"id": "7e4639cc-a195-417e-ac3e-a6fc01c7dfaf",
	"created_at": "2026-04-06T00:15:59.987764Z",
	"updated_at": "2026-04-10T13:13:03.752312Z",
	"deleted_at": null,
	"sha1_hash": "b317067cb02861b759b11a2d8e14f8d0be0199e0",
	"title": "Leviathan: Espionage Actor Targets Defense \u0026 Government | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1571060,
	"plain_text": "Leviathan: Espionage Actor Targets Defense \u0026 Government | Proofpoint US\r\nBy Axel F, Pierre T, October 16, 2017\r\nPublished: 2017-10-17 · Archived: 2026-04-05 15:00:30 UTC\r\nOverview\r\nProofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has a long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.\r\nKey takeaways from this research include:\r\nIndustry targeting: The actor targets defense contractors, universities (particularly those with military research ties), legal organizations [3] and government agencies [3]. The actor has a particular interest in naval industries, including shipbuilding and related research.\r\nGeographical targeting: Targeting includes the United States, Western Europe, and the South China Sea.\r\nTools: Custom JavaScript malware known as “Orz” and “NanHaiShu”, Cobalt Strike, the SeDll JavaScript loader, and the MockDll DLL loader.\r\nDelivery: Emailed attachments and URLs, often employing a fraudulent lookalike domain and stolen branding.\r\nExploitation: Microsoft Excel and Word documents with macros (sometimes password-protected), very recent vulnerabilities such as CVE-2017-0199 and CVE-2017-8759, and malicious Microsoft Publisher files.\r\nInstallation: JavaScript, JavaScript Scriptlets in XML, HTA, PowerShell, WMI, regsvr32, Squiblydoo.\r\nLateral Movement: The actor sometimes utilizes access at one compromised organization to attack the next. For example, compromised email accounts at one organization were used to send the next wave of malicious attachments to potential victims in the same industry. 
Similarly, the actor attempts to compromise servers within victim organizations and use them for command and control (C\u0026C) for their malware.\r\nThis blog traces key activities connected to this actor and examines a number of their tools and techniques. Campaigns and details are presented in reverse chronological order to highlight the group’s most recent activities.\r\nDelivery and Exploitation\r\nSeptember 2017\r\nOn September 15 and 19, 2017, Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties. Example emails used the subject “Apply for internship position” and contained an attachment “resume.rtf”. Another attachment, “ARLUAS_FieldLog_2017-08-21.doc”, contained a “Torpedo recovery experiment” lure. The attachments exploited CVE-2017-8759, which was discovered and documented only five days prior to the campaign [1].\r\nhttps://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets\r\nPage 1 of 14\n\nFigure 1: Example attachment resume.rtf from September 2017 campaign\r\nAugust 2017\r\nBetween August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors. Some of this activity was documented and observed by a fellow researcher [2]. Many of the documents, C\u0026C domains, and payload domains abused the brand of a major provider of ships, submarines, and other vessels with military applications. Some of the documents exploited CVE-2017-0199 to deliver the payload.\r\nFigure 2: One of the documents involved in the campaign used Microsoft licensing lures purporting to be from a well-known shipbuilder (sha256: 6f6ee01e9dc2d8c4c260ef4131fe88dc152e53ee8afd3e66e92d4e1bf5fd2e92).\r\nOther documents were Microsoft Publisher files that relied on social engineering. 
The potential victims were lured into starting an embedded PowerPoint presentation, moving the mouse to trigger execution of an embedded JavaScript [5], and then pressing “Enable” in a warning dialog to cause the payload download. The Publisher files were poorly crafted, relied on multiple user interactions, and contained multiple grammatical and typographic errors.\r\nFigure 3: Publisher document delivered via a link in email is in Italian, and is a simple reuse of a student’s work.\r\nFebruary 2015\r\nFrom February to October of 2015, our colleagues at F-Secure and McAfee reported on campaigns [3][4] by this actor targeting South China Sea interests. During this time, the group utilized Microsoft Excel and Word documents with macros to target the Philippines Department of Justice, APEC organizers, and an international law firm. Targeting of these organizations is different from that which we typically observe for this actor; however, it still centers around marine and naval issues as related to South China Sea politics.\r\nFigure 4: Example attachment “DOJ Staff bonus January 13, 2015.xls”. Similar to this document attachment, most of the attachments in this campaign did not contain meaningful content.\r\nNovember 2014\r\nThe period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor. The actor generally emailed Microsoft Excel documents with malicious macros to US universities with military interests, most frequently related to the Navy. 
The actor also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations with military and intelligence ties during this period.\r\nEmails were often very simple, with a greeting and an attachment. On other occasions, it appears that the attackers used highly topical lures based on current events or legitimate documents stolen from previous victims. Lure topics included symposia, the Navy, IT, and relevant research.\r\nFigure 5: Example Excel attachment “2014 Accomplishments Input Template.xls”\r\nInstallation\r\nThe actor continues to:\r\nInnovate and modify the code that accomplishes the installation, while the backdoor code remains more static\r\nUse scripting languages such as JavaScript, JavaScript Scriptlets, VBScript, and XML\r\nUse simple obfuscation such as base64, gzip compression, and insertion of garbage characters\r\nSplit the functionality of the backdoor \u0026 the code that establishes persistence for the backdoor into separate files and scripts\r\nExample 1: Resume.rtf\r\nThe “resume.rtf” file from the September 19, 2017 attack retrieves the malicious SOAP WSDL definition named “readme.txt” using an anonymous FTP logon to the attacker’s server.\r\nFigure 6: SOAP WSDL definition (“readme.txt”)\r\nThis definition in turn downloads a VBScript favicon.ico file, which then creates and runs two JavaScript files in the %TMP% directory:\r\nFigure 7: Code snippet showing VBScript dropping two JavaScript files\r\nThe job of the smaller of the two JavaScripts is to establish a system autostart mechanism. It accomplishes this by deobfuscating another script, link.js, into %TMP%. 
Link.js in turn creates a shortcut file \"Java(TM) Platform SE Auto Updater.lnk\" in the \"Startup\" special folder pointing to the main backdoor JavaScript.\r\nFigure 8: Code for establishing persistence after reboot (autostart mechanism)\r\nThe job of the larger of the two JavaScripts is to download and execute the Cobalt Strike payload. It accomplishes this by writing more code to rWug5n0PHUFjDFyb8k.js in the temporary directory, which then runs a PowerShell command (obfuscated using garbage characters, base64 encoding, and Gzip compression). The PowerShell is a default Cobalt Strike downloader.\r\nFigure 9: PowerShell code downloading Cobalt Strike\r\nExample 2: Malicious Microsoft Publisher document\r\nThe malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file, 0.js, hosted on the attacker-controlled server:\r\nFigure 10: Malicious script executed by the Microsoft Publisher file (sha256: 305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc)\r\nSimilar to the previous example (resume.rtf), 0.js handles the system autostart mechanism via a shortcut file \"office 365.lnk\" in the \"Startup\" special folder. However, the shortcut abuses the “Squiblydoo” technique [6]. Moreover, the backdoor is not run directly but via an intermediary SeDll (see below).\r\n0.js also downloads two additional files from the C\u0026C server (green.ddd and green.tmp). The first of these files, green.ddd, is an executable file internally named “SEDll_Win32.dll”. 
This is a known backdoor used by this actor since 2014 for the same purpose: decrypting and executing the final JavaScript backdoor “Orz”.\r\nTools\r\nNanHaiShu\r\nWe have observed variants of this JavaScript backdoor used in various campaigns, including those publicly reported. The actor continues to improve and refine the malware by, for example, wrapping it inside an HTA wrapper. Several good descriptions are available in analyses from fellow researchers [3][4]. Basic functionality includes:\r\nInformation gathering (computer name, user name, serial number, proxy server)\r\nDownloading from URL\r\nExecuting other JavaScript\r\nRegistry, system, process, directory, file operations\r\nSafeIE (change IE settings to reduce warnings about malware activity)\r\nFigure 11: Screenshot from the 2015 version of the malware dropped by “DOJ Staff bonus January 13, 2015.xls”\r\nOrz\r\nWe observed this backdoor in an August 2017 campaign dropped by the Microsoft Publisher files, as well as much earlier in 2014. We named it after a variable name “orz”, which is changed to “core” in the more recent version. The actor consistently tweaks and improves this backdoor as well. The backdoor is a fairly involved script malware. 
Its functionality includes:\r\nInformation gathering (IE version, OS version, OS 64-bit/32-bit, etc.)\r\nOverwriting registry settings to reduce malware visibility on the system\r\nDownload file\r\nUpload file\r\nExecute a command with cscript\r\nExecute JavaScript\r\nExecute shell command\r\nExecute a DLL (via an embedded ‘MockDll’)\r\nGet proxy info\r\nGet process list\r\nTerminate process\r\nGet drive info\r\nGET request to a URL\r\nPOST request to a URL\r\nFigure 12: Snippet of the Orz backdoor code delivered by the Microsoft Publisher document. The URL domain is a fraudulent lookalike domain.\r\nThere is an extensive configuration section at the top of the script. The \"jmpUrlList\" provides the initial C\u0026C servers, which are used to determine the secondary C\u0026C server as well as additional commands to execute. It is worth noting that the secondary C\u0026C may be the same as the first. We have observed attacker-controlled web servers, compromised victim web servers, and Technet and Pastebin web pages used for the initial C\u0026C.\r\nThe initial C\u0026C response is parsed with a regex. The backdoor first looks for the secondary encoded C\u0026C server using the \"jmpRegex\" regex. Next, the backdoor looks for additional code to execute using the \"codeRegex\" regex. 
For additional code, we observed simple code blocks that provide a different upload/download functionality.\r\nFigure 13: The encoded response \"vcmQx3ELgTyTyOVSvsm7wrBKwraFw8VFwCuL\" in the image above decodes to \"hxxp://www.vitaminmain[.]info\", which is the secondary C\u0026C server for an older backdoor variant (decoder provided in the Appendix).\r\nMockDll\r\nSome versions of the Orz backdoor have 32- and 64-bit embedded DLLs, stored internally as base64 strings. Their purpose is simply to run another binary. These are used as loaders for future executable payloads, using the well-known process hollowing technique. To use the MockDll, the backdoor creates a configuration .ini file like that shown in Figure 14:\r\nFigure 14: MockDll configuration file\r\nmock: defaults to 'regsvr32'\r\nreal: the DLL that is the ultimate goal to execute\r\nargs: arguments to the DLL that will be executed, if any\r\noutf: file in which to write the results of the MockDll run\r\ntime: timeout, defaults to 5\r\nAfter the configuration file is created, the MockDll is executed with regsvr32. MockDll reads the mentioned .ini config file to determine what to execute. It can log its execution results into a file specified by the “outf” parameter, as shown in Figure 15:\r\nFigure 15: Contents of the log file created by MockDll\r\nSeDll\r\nThis DLL is used for decrypting and executing another JavaScript backdoor such as Orz. The DLL is registered by the installer using regsvr32. The DllRegisterServer export is then called, which performs checks on the command-line parameter. If the string “DR” is passed as an argument, or if the DLL is running in the active session with a username that is not “system”, the final JavaScript backdoor is decoded using a custom base64 alphabet. 
This backdoor has to be present in the same directory as the DLL, with a “.tmp” file extension. The backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM interfaces.\r\nFigure 16: Decoding and executing the JavaScript backdoor\r\nIf those conditions are not met, it runs the following command line “\"regsvr32 /s \\\"%s\\\" DR __CIM__\"” to register the DLL, where %s is the path to the DLL. It tries to do this with the current user’s privileges, but if the privileges cannot be adjusted it defaults to the available execution environment.\r\nCobalt Strike\r\nThis is a penetration testing tool. The attackers often abuse the free trial version.\r\nConclusion\r\nThis actor, whose espionage activities primarily focus on targets in the US and Western Europe with military ties, has been active since at least 2014. The tools, techniques, and targets consistently connect their work, particularly given their attention to naval and maritime defense interests and use of custom backdoors. 
While defense contractors and academic research centers with military ties should always be cognizant of the potential for cyberattacks, organizations fitting their targeting profiles should be especially wary of legitimate-looking but unsolicited emails from outside entities. Appropriate layered defenses at the firewall, email gateway, and endpoint can all help prevent the kinds of lateral movement we have observed with this actor, as well as the compromise and abuse of systems via which this group expands its attack surface to other organizations.\r\nReferences\r\n[1] https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html\r\n[2] https://twitter.com/James_inthe_box/status/893525493059788800\r\n[3] https://labsblog.f-secure.com/2016/08/04/nanhaishu-rating-the-south-china-sea/\r\n[4] https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering\r\n[5] http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard-gootkit/\r\n[6] https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\ncdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f | SHA256 | Resume.rtf exploiting CVE-2017-8759 (Sep 19, 2017)\r\nc7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d | SHA256 | ARLUAS_FieldLog_2017-08-21.doc exploiting CVE-2017-8759 (Sep 19, 2017)\r\nftp://185.106.120[.]206/pub/readme.txt | URL | Resume.rtf downloading scripts (Sep 19, 2017)\r\nhxxp://185.106.120[.]206/favicon.ico | URL | Resume.rtf downloading scripts (Sep 19, 2017)\r\n39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36 | SHA256 | Favicon.ico (Sep 19, 
2017)\r\n5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362 | SHA256 | Cobalt Strike (Sep 19, 2017)\r\nced7ca9625543d3d3d09f70223cc19f0d99e21792854452df5ba84b3a59d17b8 | SHA256 | 20170720_final_pm_app-2.doc document hash (August 2017)\r\n305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc | SHA256 | Publisher hash (August 2017)\r\nbfc5c6817ff2cc4f3cd40f649e10cc9ae1e52139f35fdddbd32cb4d221368922 | SHA256 | MockDll 32-bit (August 2017)\r\n80b931ab1798d7d8a8d63411861cee07e31bb9a68f595f579e11d3817cfc4aca | SHA256 | MockDll 32-bit (August 2017)\r\n146aa9a0ec013aa5bdba9ea9d29f59d48d43bc17c6a20b74bb8c521dbb5bc6f4 | SHA256 | green.ddd SeDll (August 2017)\r\n4029b43c7febd05e8bf013c1022244aaa238341ca44bbce2250667614c1a4932 | SHA256 | 2014 Accomplishments Input Template.xls (December 2014)\r\nhxxp://www.vitaminmain[.]info | URL | Orz secondary C2 (December 2014)\r\nET and ETPRO Suricata/Snort Coverage\r\n2024192 | ET EXPLOIT Possible CVE-2017-0199 HTA Inbound\r\n2024196 | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199\r\n2022520 | ET POLICY Possible HTA Application Download\r\n2024197 | ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE-2017-0199)\r\n2024449 | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl\r\n2814013 | ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert\r\n2023629 | ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\n2810628 | ETPRO TROJAN JavaScript Backdoor CnC Beacon M2 (b64 3)\r\n2828317 | ETPRO TROJAN Orz JavaScript Backdoor Communicating with CnC\r\n2828316 | ETPRO TROJAN Orz JavaScript Backdoor Sending Password to CnC\r\nAppendix: Orz Traffic Decoder\r\nvar _keyStr = \"oMZF/W42VkcCbqOiPSajhnKtQws8NRAxr16XJpu=0mgE3THGLlvz9+5BDYd7feyUI\";\r\nfunction 
decode(input) {\r\n    // Decode a base64-like string that uses the malware's custom alphabet (_keyStr).\r\n    // As in a standard base64 decoder, an index of 64 marks a padding position.\r\n    var output = \"\";\r\n    var chr1, chr2, chr3;\r\n    var enc1, enc2, enc3, enc4;\r\n    var i = 0;\r\n    input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, \"\");\r\n    while (i \u003c input.length) {\r\n        enc1 = _keyStr.indexOf(input.charAt(i++));\r\n        enc2 = _keyStr.indexOf(input.charAt(i++));\r\n        enc3 = _keyStr.indexOf(input.charAt(i++));\r\n        enc4 = _keyStr.indexOf(input.charAt(i++));\r\n        chr1 = (enc1 \u003c\u003c 2) | (enc2 \u003e\u003e 4);\r\n        chr2 = ((enc2 \u0026 15) \u003c\u003c 4) | (enc3 \u003e\u003e 2);\r\n        chr3 = ((enc3 \u0026 3) \u003c\u003c 6) | enc4;\r\n        output = output + String.fromCharCode(chr1);\r\n        if (enc3 != 64) {\r\n            output = output + String.fromCharCode(chr2);\r\n        }\r\n        if (enc4 != 64) {\r\n            output = output + String.fromCharCode(chr3);\r\n        }\r\n    }\r\n    output = _utf8_decode(output);\r\n    return output;\r\n}\r\nfunction _utf8_decode(utftext) {\r\n    // Reassemble UTF-8 byte sequences (1 to 3 bytes) into a JavaScript string.\r\n    var string = \"\";\r\n    var i = 0;\r\n    var c = 0, c2 = 0, c3 = 0;\r\n    while (i \u003c utftext.length) {\r\n        c = 
utftext.charCodeAt(i);\r\n        if (c \u003c 128) {\r\n            string += String.fromCharCode(c);\r\n            i++;\r\n        } else if ((c \u003e 191) \u0026\u0026 (c \u003c 224)) {\r\n            c2 = utftext.charCodeAt(i + 1);\r\n            string += String.fromCharCode(((c \u0026 31) \u003c\u003c 6) | (c2 \u0026 63));\r\n            i += 2;\r\n        } else {\r\n            c2 = utftext.charCodeAt(i + 1);\r\n            c3 = utftext.charCodeAt(i + 2);\r\n            string += String.fromCharCode(((c \u0026 15) \u003c\u003c 12) | ((c2 \u0026 63) \u003c\u003c 6) | (c3 \u0026 63));\r\n            i += 3;\r\n        }\r\n    }\r\n    return string;\r\n}\r\n// Encoded sample string to decode.\r\nvar decodeme = \"s2S9NF0GCBRBRvY9s2pzN5nHsBk+N2oT8KWvsKYpNBpzR4nTNvYGNuNdOFoDbZeTQtkm8unzAtq9wK+zCLII\";\r\nvar res = decode(decodeme);\r\ndocument.write(res);\r\nSource: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
	],
	"report_names": [
		"leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b317067cb02861b759b11a2d8e14f8d0be0199e0.pdf",
		"text": "https://archive.orkl.eu/b317067cb02861b759b11a2d8e14f8d0be0199e0.txt",
		"img": "https://archive.orkl.eu/b317067cb02861b759b11a2d8e14f8d0be0199e0.jpg"
	}
}