Introduction
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices. [4][6][7]
Activities and Tactics
Country of Origin: 🇨🇳 China
Risk Level: Critical
First Seen: 2022
Last Activity: 2022
Notable Campaigns
- Operation Exchange Marauder
Tactics, Techniques, and Procedures (TTPs)
- T1592.004 Client Configurations
- T1110.003 Password Spraying
- T1105 Ingress Tool Transfer
- T1583.006 Web Services
- T1560.001 Archive via Utility
- T1005 Data from Local System
- T1583.005 Botnet
- T1033 System Owner/User Discovery
- T1213.002 Sharepoint
- T1068 Exploitation for Privilege Escalation
- T1584.005 Botnet
- T1059.003 Windows Command Shell
- T1057 Process Discovery
- T1003.001 LSASS Memory
- T1530 Data from Cloud Storage
- T1119 Automated Collection
- T1590 Gather Victim Network Information
- T1505.003 Web Shell
- T1589.002 Email Addresses
- T1555.006 Cloud Secrets Management Stores
- T1593.003 Code Repositories
- T1567.002 Exfiltration to Cloud Storage
- T1114.002 Remote Email Collection
- T1218.011 Rundll32
- T1078.003 Local Accounts
- T1059.001 PowerShell
- T1564.001 Hidden Files and Directories
- T1016.001 Internet Connection Discovery
- T1016 System Network Configuration Discovery
- T1590.005 IP Addresses
- T1199 Trusted Relationship
- T1078.004 Cloud Accounts
- T1083 File and Directory Discovery
- T1003.003 NTDS
- T1098 Account Manipulation
- T1136.002 Domain Account
- T1071.001 Web Protocols
- T1018 Remote System Discovery
- T1550.001 Application Access Token
- T1685.005 Clear Windows Event Logs
- T1190 Exploit Public-Facing Application
- T1095 Non-Application Layer Protocol
- T1132.001 Standard Encoding
- T1583.003 Virtual Private Server
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes one public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- China Chopper
- UNITEDRAKE
- Xploit
- Archelaus Beta
- Mega
- CrossRat
- Covenant
- Procdump
- 7-Zip
- Nishang
- PowerCat
MITRE ATT&CK Software
- Tarrask (S1011) — malware
- ASPXSpy (S0073) — malware
- Impacket (S0357) — tool
- PsExec (S0029) — tool
- Covenant (S1155) — tool
- China Chopper (S0020) — malware
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[4] Volexity Exchange Marauder March 2021: Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
[5] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[6] Microsoft Silk Typhoon MAR 2025: Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
[7] Microsoft HAFNIUM March 2020: MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.