THREATOPS Actor Dossier
LIVE ← Dashboard

Leviathan

G00651 reports
aliases · Leviathan · MUDCARP · Kryptonite Panda · Gadolinium · BRONZE MOHAWK · TEMP.Jumper · APT40 · TEMP.Periscope · Gingham Typhoon
Export dossier:
1
Reports
1
Techniques
1
Tactics
3
Countries
100%
Hunt coverage
9
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1684 (Social Engineering).
  • Primary targeting: US, IN, BR.
  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Hunt coverage 100% of 1 observed techniques (0 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2025-10-30 · last 2025-10-30
0
7d
0
30d
0
90d
1
All
0.0
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1684

Overview

Analyst triage
Intelligence summary

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA Leviathan 2024)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected