APT40

APT40

Introduction

APT40 is a sophisticated, established cyber espionage organization that has been active for over 15 years and is widely believed to have ties to the People’s Republic of China (PRC).  Throughout its existence, the group has consistently targeted organizations in the maritime, naval, and defense sectors and has been focused on entities with links to the South China Sea, Indo-Pacific security, and international naval logistics.  With over a decade of consistent cyber operation experience, APT40 has developed a distinct set of trading practices; a systematic approach to gathering intelligence, and a definite alignment to Chinese military and strategic priorities.

APT40 operates under a variety of aliases including ATK29, BRONZE MOHAWK, GADOLINIUM, Gingham Typhoon, Leviathan, TA423 and TEMP.Periscope, illustrating how cyber security organizations often experience fragmentation in the naming of threat actors.  Despite the multiple names APT40 is known by, the overwhelming opinion among cyber security experts is that, regardless of name, APT40 is a single, coherent threat actor with a mission focused on supporting China’s naval modernization and expanding its regional influence through long-term cyber espionage activities.  This blog will provide a detailed analysis of APT40’s history, identity, motivations, tactics, significant operations, and overall impact on the world.

APT40 threat profile showing attribution, targets, and risk level
APT40 overview including attribution, motivation, targets, and threat assessment.

Identity & Motivation

APT40 is assessed as simply being a Cyber Espionage Groups (CEGs) that have links to Chinese Military or Intelligence Agencies and are believed to have connections to the People’s Liberation Army Navy (PLAN), along with other Defence related research groups.

APT40 has been active since the beginning of the decade until at least 2025.

The group’s objectives are to collect intelligence rather than to seek profit or monetary gain (financially). Therefore, the group’s primary focus will be on the following:

– The collection of sensitive information regarding naval and maritime activities

– The tracking of defence contractor and shipbuilders’ activities

– The monitoring of government activities that are related to the disputes in the South China Sea

– The preparation of the intelligence that they will need to meet the military objectives that they may encounter.

The countries and regions targeted by the group represent APT40’s Maritime Strategic priorities.

Tactics, Techniques, and Procedures (TTPs)

Strategies, Methods, and Processes – Techniques and procedures used by APT40, an advanced persistent threat group, focus on the use of predictable, reusable methods that rely on consistency and predictability as opposed to being unique or opportunistic.

Initial Access

APT40’s primary methods of gaining initial access are through:

– Spearphishing emails containing content related to maritime, defense, and logistics

– Impersonating journalists, researchers, or event organisers

– Sending malicious attachments, and/or sending users links to credential harvesting websites

– Exploiting known vulnerabilities associated with public Internet-facing applications

The group typically targets individuals working in engineering, analyst and purchasing roles, as well as maritime research positions.

Execution & Tooling

After APT40 has established access, the group uses:

– Custom built remote access tools, including ISLANDDREAMS and MUDCARP (modular)

– Lightweight remote access tools to execute commands and perform reconnaissance

– Scripting languages such as PowerShell and Windows Management Instrumentation (WMI)

All malware developed by the group is generally considered very stable and produces minimal noise, allowing for long-term usage.

Persistence

APT40’s methods of persistence include:

– Registry run keys and scheduled tasks

– Using legitimate appearing software to install services

– Using multiple back doors to allow for redundancy between back doors, thus allowing Alternative Methods of Access to persist through system reboots and partial remediation.

Command and Control (C2)

A typical APT40 C2 infrastructure includes:

– Encrypted HTTPS communications

– Hard-coded fallback domains

-Use of compromised servers and VPS infrastructure.

C2 servers are usually hosted in geographical areas that can be hidden from normal victim traffic patterns.

Defense Evasion

Defense evasion techniques APT40 employs include:

– Code obfuscation of malware and configuration files

– Leverage administrative tools that would otherwise be legitimate if not for the ransomware (LOLBins)

– Minimizing lateral movement to better avoid detection

– Utilizing a slow-release, low-volume method to exfiltrate data.

Notable Operations

APT40 has participated in numerous high-profile hacking campaigns.

Global Maritime and Naval Targeting

The group has a strong interest in stealing information from:

– Naval design companies

– Companies that build and maintain vessels

– Research institutions engaged in the study of maritime issues

– Shipping and marine logistics companies

The stolen information from these attacks can include data about vessel design, ship maintenance schedules and the naval operational capabilities associated with a particular vessel.

Government and Defense Espionage

APT40 has hacked into government and military organizations in countries involved in maritime disputes with China.

The data stolen from these organizations can include:

– Documents related to military policy

– Documents relating to the planning of military operations

– Communications related to the security of regional partners.

Academic and Research Surveillance

Universities and think tanks that are focused on the research of maritime law, naval strategy, and regional security have been frequent targets of APT40.

Phishing campaigns impersonated:

– a collaborator (e.g., a professor)

– a journalist that was seeking an interview

– a conference invitation.

Get your security score with Threat.watch
Threat.watch encouraging users to check their security score

Recent Developments (2023–2025)

Over the past few years, APT40 has maintained the same methodology as previously discussed; however, the group has made incremental changes to how they operate. They have improved upon the Method of Social Engineering by developing more sophisticated phishing emails that are specifically targeted toward individuals with polished images (look) that are better localized than ever before, thus creating a stronger incentive for their targets to open these malicious emails.

C2 domain rotation has also improved due to increased speed of operation and reducing the number of times malware samples are reused from one operation to another.

APT40 is actively seeking expansion of their operational scope beyond purely maritime targets, which now include all of the following types of companies – Aerospace suppliers, Advanced Manufacturing, and Government Agencies that are not specifically involved in Defense.

Strategic Impact

However, the original intent behind APT40’s operations has not changed, and the group is still focused on attaining access to the type of information that will give China military superiority over its adversaries.

Military Advantage:Acquiring access to Naval Engineering and Logistics supports China’s modernization and operational planning of its Navy.

Regional Security Risk: Surveillance of all governments involved in South China Sea disputes provides China with improved diplomatic and Military Superiority.

Economic and Industrial Espionage: Taking Intellectual Property from the Western countries reduces the Timeframe to develop equivalent products for China’s Defense and Maritime Industries.

Persistent Threat Environment: APT40 is an example of a Patient and Methodical Threat Actor capable of maintaining Control of Access to other Data for prolonged periods of time.

Conclusion

APT40 is still one of the most sophisticated and strategically-minded state-sponsored groups that conduct cyber-espionage on behalf of the Chinese government today. Using well-planned spear phishing campaigns, consistent employment of reliable malware, and a clear connection to maritime and defense priorities, this group has provided valuable intelligence to Chinese leaders for many years.

As tensions in the Indo-Pacific region continue to escalate, organizations involved in maritime security, defense manufacturing, logistics, and policy research should expect APT40 to be very active over the coming months and years. To proactively protect against this threat, organizations need to implement strong email security protocols, provide ongoing monitoring of user activity, create awareness of potential threats to their environment for all users assigned to high-risk roles, and develop and deploy long-term threat intelligence strategies. APT40’s longevity and consistent focus on providing intelligence to the Chinese government illustrate how cyber-espionage is being utilised as an effective instrument of statecraft by governments aroun

You can download and review the sheet for all the details!

Two cybersecurity professionals reviewing threat intelligence on a laptop in a secure operations center
Brandefense provides trusted threat intelligence and digital risk protection for global security teams.
Share This:
  • Categories
  • Latest News
  • Follow Us on Social Media!