{
	"id": "a5996432-3cbb-4739-8863-0c14b0d752f2",
	"created_at": "2026-04-06T00:12:10.44327Z",
	"updated_at": "2026-04-10T13:11:51.545679Z",
	"deleted_at": null,
	"sha1_hash": "db83049e73fff8406aeae37e3007f0c404c3303e",
	"title": "Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57382,
	"plain_text": "Suspected Chinese Cyber Espionage Group (TEMP.Periscope)\r\nTargeting U.S. Engineering and Maritime Industries | Mandiant\r\nBy Mandiant\r\nPublished: 2018-03-16 · Archived: 2026-04-05 12:41:02 UTC\r\nIntrusions Focus on the Engineering and Maritime Sector\r\nSince early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.\r\nThe current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit. Known targets of this group have been involved in the maritime industry, as well as engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States. FireEye products have robust detection for the malware used in this campaign.\r\nTEMP.Periscope Background\r\nActive since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Identified victims were mostly found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.”\r\nTTPs and Malware Used\r\nIn their recent spike in activity, TEMP.Periscope has leveraged a relatively large library of malware shared with multiple other suspected Chinese groups. These tools include:\r\nAIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services.\r\nBADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.\r\nPHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listings; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes; returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.\r\nhttps://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html\r\nPage 1 of 4\r\nHOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.\r\nLUNCHMONEY: an uploader that can exfiltrate files to Dropbox.\r\nMURKYTOP: a command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.\r\nChina Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and perform any other action allowed by the .NET runtime.\r\nThe following are tools that TEMP.Periscope has leveraged in past operations and could use again, though these have not been seen in the current wave of activity:\r\nBeacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.\r\nBLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as GitHub and Microsoft's TechNet portal. Used by APT17 and other Chinese cyber espionage operators.\r\nAdditional identifying TTPs include:\r\nSpear phishing, including the use of probably compromised email accounts.\r\nLure documents using CVE-2017-11882 to drop malware.\r\nStolen code signing certificates used to sign malware.\r\nUse of bitsadmin.exe to download additional tools.\r\nUse of PowerShell to download additional tools.\r\nUsing C:\\Windows\\Debug and C:\\Perflogs as staging directories.\r\nLeveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.\r\nUsing Windows Management Instrumentation (WMI) for persistence.\r\nUsing Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a JScript backdoor for persistence.\r\nReceiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as GitHub and Microsoft's TechNet portal.\r\nImplications\r\nThe current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.\r\nAs we continue to investigate this activity, we may identify additional data leading to greater analytical confidence linking the operation to TEMP.Periscope or other known threat actors, as well as previously unknown campaigns.\r\nIndicators\r\nFile Hash Description\r\nx.js 3fefa55daeb167931975c22df3eca20a HOMEFRY, a 64-bit Windows password dumper/cracker\r\nmt.exe 40528e368d323db0ac5c3f5e1efe4889 MURKYTOP, a command-line reconnaissance tool\r\ncom4.js a68bf5fce22e7f1d6f999b7a580ae477 AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages\r\nHistorical Indicators\r\nFile Hash Description\r\ngreen.ddd 3eb6f85ac046a96204096ab65bbd3e7e AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages\r\nBGij 6e843ef4856336fe3ef4ed27a4c792b1 Beacon, a commercially available backdoor\r\nmsresamn.ttf a9e7539c1ebe857bae6efceefaa9dd16 PHOTO, also reported as Derusbi\r\n1024-aa6a121f98330df2edee6c4391df21ff43a33604 bd9e4c82bf12c4e7a58221fc52fed705 BADFLICK, backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration\r\nPosted in Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
	],
	"report_names": [
		"suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db83049e73fff8406aeae37e3007f0c404c3303e.pdf",
		"text": "https://archive.orkl.eu/db83049e73fff8406aeae37e3007f0c404c3303e.txt",
		"img": "https://archive.orkl.eu/db83049e73fff8406aeae37e3007f0c404c3303e.jpg"
	}
}