Menu
Browse

Cyber Threat Actor: TEMP.Periscope

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
17 incidents
Profile

TEMP.Periscope, also known as Calypso APT, Temp.Periscope and Mudcarp, is a threat actor publicly linked to the Chinese state and observed operating from infrastructure in Hainan, China. The group has been active since at least 2013 and is described by multiple security firms as a Chinese‑sponsored espionage collective that conducts long‑term intrusion campaigns against a variety of targets. Its activities are consistently characterized as intelligence gathering rather than financially motivated crime, with analysts noting alignment with Beijing’s strategic interests in regional stability, maritime disputes and the Belt and Road Initiative. The actor’s attribution to China is based on observed command‑and‑control servers located in Chinese territory, Chinese language configurations on compromised systems and public statements from firms such as FireEye and RecordedFuture that express high confidence in state sponsorship.

The actor’s targeting spans multiple sectors and geographic regions, reflecting a broad collection agenda. It has repeatedly focused on maritime and engineering firms, particularly those with ties to the South China Sea or U.S. naval research, as well as defense industrial bases, aviation companies, chemical manufacturers and technology providers. Government bodies are another frequent objective, including election commissions, ministries of foreign affairs, interior and finance, and parliamentary bodies in Cambodia and Afghanistan. Non‑governmental organizations, human rights advocates, media outlets and opposition political figures have also been compromised, indicating an interest in political intelligence and societal dynamics. The actor’s strategic objectives are described as gaining visibility into political processes, monitoring regional developments and supporting China’s geopolitical goals, without any indication of financial gain or destructive intent.

Typical tactics, techniques and procedures employed by TEMP.Periscope include spearphishing emails that deliver malicious documents or links, often using decoys that mimic legitimate NGOs or partner organizations. The group has leveraged open‑source tools such as Responder for SMB credential harvesting via malicious file:// paths and has utilized NBT‑NS poisoning and watering hole attacks to compromise victim networks. Initial access has also been achieved through exploitation of publicly known vulnerabilities like ETERNALBLUE and DNS tunneling, and through the deployment of web shells in Microsoft Exchange environments. Malware families observed in its toolkit consist of AIRBREAK, EVILTECH, DADBOD, HOMEFRY, MURKYTOP and SCANBOX, with additional custom payloads such as the JavaScript‑based backdoor EVILTECH and the credential theft tool DADBOD. The actor’s infrastructure shows reuse of command‑and‑control domains like scsnewstoday[.]com and partyforumseasia[.]com, and it has been observed employing both proprietary and publicly available tools to obscure attribution.

Notable publicly reported operations illustrate the group’s scope and persistence. In 2020, TEMP.Periscope was among four Chinese state‑sponsored groups that targeted the mail server of Roshan, a major Afghan telecommunications provider, using Winnti and PlugX variants to maintain persistent access and conduct strategic intelligence collection. During 2018, the actor conducted a extensive espionage campaign against Cambodia’s National Election Committee, government ministries, opposition figures and NGOs ahead of the July general election, employing spearphishing with AIRBREAK and related malware to harvest credentials and exfiltrate data from both ruling and opposition parties. Earlier that year, TEMP.Periscope targeted a UK‑based engineering firm through a spearphishing campaign that incorporated techniques previously associated with Russian APT groups, including Foxmail‑based file paths, Responder tool usage and NBT‑NS poisoning, while also reusing historic tactics such as ETERNALBLUE exploits and DNS tunneling. Additionally, the actor has been linked to intrusions against U.S. maritime‑related entities and defense contractors, reflecting a sustained focus on sectors tied to the South China Sea and naval research. These campaigns demonstrate the actor’s ability to conduct concurrent operations across diverse victim sets while maintaining a consistent espionage focus.

Incidents
Attributed incidents available to members
17 incidents
Sources
Sources available to members
8 sources