>samit_hota
Back to adversary profiles
G0065HighActive

Leviathan (APT40): China's Persistent Maritime Espionage Group

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intellectual Property Theft, Geopolitical Influence, Naval Modernization
Aliases
MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Target Sectors
Government, Maritime, Defense, Aerospace/Aviation, Academia, Biomedical, Healthcare, Manufacturing, Transportation, Engineering, Telecommunications, Technology
Associated Malware
AIRBREAK, BADFLICK, PHOTO, China Chopper, NanHaiShu, PlugX, ZXShell, Cobalt Strike, HOMEFRY, LUNCHMONEY, MURKYTOP, MURKYSHELL, Nova JSP, Horizon JSP, SeDll
#threat-actor#g0065

Overview

Leviathan, also known as APT40 (G0065), is a highly sophisticated and persistent Chinese state-sponsored cyber espionage group with a long operational history dating back to at least 2009. The group has been explicitly linked to the Ministry of State Security’s (MSS) Hainan State Security Department, operating out of Haikou, Hainan Province, often leveraging an affiliated front company, Hainan Xiandun Technology Development Co., Ltd..

This threat actor is primarily motivated by cyber espionage, aiming to collect intelligence, proprietary technologies, and confidential communications to support China’s national security, economic interests, and strategic objectives, particularly its naval modernization efforts and interests in the South China Sea and the Belt and Road Initiative. Leviathan targets a diverse array of sectors globally, including government entities (often critical infrastructure and law enforcement), maritime industries, defense contractors, aerospace/aviation, academia, biomedical and healthcare institutions, manufacturing, and transportation. Geographically, their operations span the United States, Canada, Australia, Europe (including the UK, Germany, Belgium, and Norway), the Middle East, Southeast Asia (with a strong focus on South China Sea claimants and Pacific Island nations), Japan, and South Korea. The group is recognized for its adaptability and resourcefulness, consistently evolving its tactics, techniques, and procedures (TTPs) in response to defensive measures.

Tactics & Techniques

Leviathan employs a wide spectrum of TTPs to achieve its objectives, demonstrating a systematic and methodical approach to cyber espionage rather than relying on opportunistic attacks.

Initial access is frequently gained through spear-phishing campaigns, utilizing malicious attachments (often macro-enabled Office documents), links to legitimate cloud services like Google Drive, or hyperlinks pointing to malicious sites. These emails are meticulously crafted with social engineering lures to trick high-profile targets in government and defense sectors. The group also extensively exploits vulnerabilities in public-facing infrastructure, such as web servers, VPNs, remote desktop services, and custom web applications. A hallmark of Leviathan’s operations is its ability to rapidly weaponize newly disclosed vulnerabilities, often exploiting proof-of-concept (POC) code within hours or days of public release. Notable vulnerabilities exploited include those in Log4J, Atlassian Confluence, and Microsoft Exchange, among others. Watering hole attacks and strategic web compromises have also been observed as initial compromise vectors.

Once a foothold is established, Leviathan maintains persistence through various means, including deploying web shells (such as China Chopper, Nova JSP, and Horizon JSP), custom backdoors, and Remote Access Trojans (RATs). They have also used executables signed with stolen code-signing certificates to evade detection and created shortcut files in the Windows Startup folder. For privilege escalation and lateral movement, the group targets VPN and remote desktop credentials, employing credential harvesting tools like HOMEFRY and leveraging native Windows utilities such as Windows Credential Editor or ProcDump. Lateral movement often involves SMB/Windows Admin Shares, RDP, SSH, custom scripts, and various tunnelers.

Leviathan conducts extensive reconnaissance on target networks, utilizing open-source scanners, custom scripts, and command-line tools like MURKYTOP and MURKYSHELL to discover network machines, enumerate services, and identify vulnerable or end-of-life devices. Data collection involves identifying and exfiltrating military intelligence, proprietary technologies, and confidential communications. Before exfiltration, data is typically staged in directories like C:\Windows\Debug or C:\Perflogs, compressed (often using rar.exe), and sometimes encrypted. Exfiltration occurs over command and control (C2) channels, encrypted channels, FTP, or legitimate cloud services such as Dropbox (via LUNCHMONEY) and Microsoft OneDrive.

For defense evasion, Leviathan employs techniques like using code-signing certificates, leveraging legitimate web services (e.g., GitHub, Google, Pastebin) for C2 communications, and abusing Microsoft cloud services (like Azure AD applications and OneDrive) to blend malicious traffic with legitimate activity. The group also uses compromised small-office/home-office (SOHO) devices as proxies and last-hop redirectors to obfuscate their true origin. C2 traffic is often base64-encoded and compressed with aPLib to further evade detection. They have also been observed placing legitimate system tools (e.g., PuTTY, cmd.exe) in non-standard folders to carry out malicious activity.

Notable Campaigns

Leviathan has been implicated in numerous significant cyber incidents:

In April 2020, Microsoft identified and subsequently took down 18 Azure Active Directory applications used by Leviathan (tracked as Gadolinium by Microsoft) as part of their command and control infrastructure. This followed a COVID-19 themed spear-phishing campaign that delivered PowerShell-based malware payloads and utilized Azure AD apps to exfiltrate data to actor-controlled Microsoft OneDrive storage.

In July 2021, the U.S. Department of Justice unsealed an indictment against four Chinese nationals associated with Hainan Xiandun Technology Development Co., Ltd. for their involvement in a global computer intrusion campaign conducted between 2011 and 2018. The charges highlighted the theft of trade secrets and intellectual property from various sectors, including aviation, defense, education, government, healthcare, and maritime, across multiple countries.

Australian authorities, in conjunction with international allies, issued a joint advisory in June 2025 detailing Leviathan’s persistent targeting of Australian networks. Specific incidents included the compromise of an organization’s network and subsequent data exfiltration between July and September 2022, and the theft of hundreds of usernames and passwords from another Australian entity in April 2022.

In March 2024, the New Zealand Government publicly accused the Chinese government, via APT40, of breaching its parliamentary network in 2021. More recently, the Samoa National Computer Emergency Response Team (SamCERT) issued an advisory in February 2025, detailing Leviathan’s specific campaigns targeting sensitive networks in the “Blue Pacific” region, noting their use of compromised SOHO devices and stealthy fileless malware with novel registry loading techniques.

Associated Malware & Tools

Leviathan utilizes a mix of custom-developed malware, publicly available tools, and commercial penetration testing kits to execute their operations:

  • Backdoors/RATs: The group extensively uses proprietary backdoors such as AIRBREAK (also known as Orz), BADFLICK, and PHOTO. Other backdoors include FRESHAIR, BEACON, SEASALT, ZoxPNG (BlackCoffee), NanHaiShu, PlugX, and ZXShell. They also employ JavaScript-based backdoors that retrieve commands from hidden strings or DLLs like SeDll to decrypt and execute other payloads.
  • Web Shells: Web shells are a favored tool for initial access and persistence, with China Chopper being a frequently observed example. Others include Nova JSP and Horizon JSP.
  • Credential Theft: For credential harvesting and password dumping, Leviathan uses tools like HOMEFRY, along with legitimate utilities such as Windows Credential Editor and ProcDump. They also employ brute-force tools like DISHCLOTH.
  • Reconnaissance & Utilities: Command-line reconnaissance tools like MURKYTOP and malware capable of network enumerations and port scanning, such as MURKYSHELL, are used. They also leverage native Windows tools like net.exe and at.exe.
  • Commercial & Open-Source Tools: The group frequently incorporates commercial penetration testing tools like Cobalt Strike and BITSAdmin for downloading additional tools. They are proficient in using PowerShell and Visual Basic scripts for execution and have adapted various open-source toolkits to obfuscate their activity and make tracking more difficult. Compression and encryption of exfiltrated data are commonly performed using rar.exe.

Current Status

Leviathan remains an active, resourceful, and formidable adversary, consistently observed conducting malicious cyber operations in 2024 and 2025. They maintain an ongoing pattern of regular reconnaissance against networks of interest, particularly those in Western countries, Australia, and the Blue Pacific region. The group continues to demonstrate a rapid capability to weaponize publicly disclosed vulnerabilities, often exploiting them within hours or days of their release, forcing organizations into a constant “patching race”. Their tactics continue to evolve, with recent observations highlighting the use of stealthy fileless malware and the exploitation of compromised small-office/home-office (SOHO) devices as operational infrastructure to mask their activities. Organizations in the targeted sectors, particularly those involved in maritime security, defense manufacturing, logistics, and policy research, should anticipate continued high levels of activity from Leviathan in the coming months and years as geopolitical tensions persist.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call