{
	"id": "965e249e-4bc7-43ce-8280-73e253ac2df8",
	"created_at": "2026-04-06T00:20:02.87289Z",
	"updated_at": "2026-04-10T03:38:01.825522Z",
	"deleted_at": null,
	"sha1_hash": "c8bf814c658e9b5814ffa4ea761c3df778f1d0d9",
	"title": "Hainan Xiandun Technology Company is APT40",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1216377,
	"plain_text": "Hainan Xiandun Technology Company is APT40\r\nBy intrusiontruth\r\nPublished: 2020-01-15 · Archived: 2026-04-05 16:53:27 UTC\r\nYou knew where this was heading.\r\nIn our previous articles we identified a constellation of front companies for APT activity in Hainan and a computer science specialist at Hainan University who is linked to one of the companies. We named the individuals that we could identify as working for these companies, including one that we know to be Hainan resident Ding Xiaoyang who had used his telephone number on a job advert using the name ‘Mr Chen’.\r\nHaving identified a network of interlinked technology and information security companies in Hainan, looking at other job adverts posted by the companies is illuminating…\r\nSouth China Sea Penetration (Testing)\r\nConsidering these are high-tech companies advertising for penetration testers, software development engineers, and network engineers, of course the logical next set of job adverts that we expected to find were for … specialist translators?\r\nHainan Xiandun posted multiple adverts for English translators between 2014 and 2018, such as this one on the Hainan University website:\r\nHainan Xiandun advert looking for English translators\r\nAn English language translation service in-house at a high-tech firm may meet a legitimate business need. Less likely is for a Hainan technology firm to need its own in-house Cambodian linguists. But, in March and April 2018, Hainan Xiandun was recruiting Cambodian linguists to join their team. Remember those dates, they will be important later.\r\nHainan Xiandun advert looking for Cambodian linguists in early 2018\r\nAdditionally, a spreadsheet published by the Shanghai International Studies University shows that Hainan Tengyuan was advertising for Indonesian and English translators.\r\nAnd of course let’s not forget Sugar, who we previously identified as a Vietnamese translator at Hainan Kehua.\r\nAPT40\r\nWhich brings us to this report by FireEye on TEMP.Periscope, also known as APT40.\r\nFireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.\r\nThe report shows a world map highlighting the targets of APT40. This includes a number of English speaking countries, Indonesia, Vietnam, and Cambodia.\r\nAPT40 conducted a series of compromises of Cambodian targets in the run up to the July 2018 Cambodian election. Did you remember those dates? Between March and April 2018 Hainan Xiandun, a front company with specialist network and penetration engineers, was recruiting Cambodian linguists.\r\n112[.]66[.]188[.]28\r\nFireEye have also reported that APT40 actors are based in China, using computers configured with Chinese language settings.\r\nThis report also shows APT40 using IP address 112[.]66[.]188[.]28 which resolves to, guess where, Hainan.\r\nSo what?\r\nMr Ding and Mr Gu could be busy Hainan based individuals simultaneously running multiple companies that have specialisms spanning from penetration testing and software development to the translation of Cambodian guidebooks and Indonesian literature.\r\nBut they aren’t.\r\nHainan Xiandun Technology Development Company is APT40.\r\nHainan Xiandun, and the other front companies that we have identified, recruit hackers to compromise overseas targets and linguists to help them with their attacks and translate their stolen material. Industry reporting shows APT40 has used an IP address in Hainan and attacked South East Asian targets.\r\nMr Gu brings the academic links, but what does Mr Ding bring?\r\nSource: https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40"
	],
	"report_names": [
		"hainan-xiandun-technology-company-is-apt40"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434802,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8bf814c658e9b5814ffa4ea761c3df778f1d0d9.pdf",
		"text": "https://archive.orkl.eu/c8bf814c658e9b5814ffa4ea761c3df778f1d0d9.txt",
		"img": "https://archive.orkl.eu/c8bf814c658e9b5814ffa4ea761c3df778f1d0d9.jpg"
	}
}