G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
Analyst context for executives and security teams
Axiom is a suspected Chinese cyber espionage group reported by ATT&CK to have targeted aerospace, defense, government, manufacturing, and media organizations since at least 2008. For leaders, the value of this object is not a single indicator list; it is a reminder to validate resilience against a full espionage lifecycle: phishing and drive-by entry, exploitation of public-facing or client applications, credential theft, valid-account abuse, RDP-based lateral movement, remote access malware, data collection, archiving, and covert command-and-control.
Executive priority
Prioritize this as an exposure-and-readiness question for organizations with sensitive intellectual property, regulated government/defense obligations, manufacturing operations, or media/government relevance. Executives should ask whether internet-facing applications, endpoint credential protections, RDP access, privileged accounts, and egress monitoring are evidenced in controls and audit artifacts—not merely documented in policy. Because ATT&CK provides no official detection text for Axiom itself, coverage should be assessed through the related techniques and software relationships rather than claims of group-level detection.
Technical view
ATT&CK relates Axiom to multiple Windows-focused RATs/backdoors, including Hikit, PoisonIvy, PlugX, ZxShell, Zox, and Hydraq, plus Derusbi on Windows/Linux and gh0st RAT on Windows/macOS. Related techniques span initial access, execution, credential access, persistence/privilege escalation, lateral movement, collection, command-and-control, and resource development. SOC and IR teams should validate detections around phishing and drive-by/client exploitation, public-facing application exploitation, OS credential dumping, valid-account activity, RDP logons and session anomalies, accessibility-feature persistence on Windows, data staging/archive creation, and unusual outbound C2 patterns including DNS/VPS/botnet infrastructure context and possible steganographic file-based communications.
Likely telemetry
- Email security logs and message metadata for phishing delivery patterns
- Web proxy, browser, and endpoint telemetry for drive-by or client-side exploitation evidence
- Internet-facing application, web server, WAF, reverse proxy, and cloud workload logs for exploitation attempts and post-exploitation behavior
- Endpoint process, file, registry, service, driver, and command-line telemetry on Windows, Linux, and macOS where applicable
- Credential access telemetry, including LSASS/memory access signals, authentication logs, and privileged account use
Detection direction
- Do not rely on an 'Axiom' alert name as coverage; map controls to the related ATT&CK techniques and software instead.
- Tune detections for valid-account and RDP activity against business context: administrative jump hosts, expected geographies, service accounts, after-hours access, and impossible or unusual session patterns.
- Correlate public-facing application exploitation signals with subsequent process execution, credential access, web shell-like behavior, or outbound connections rather than treating web alerts in isolation.
- Validate endpoint visibility for Windows persistence and privilege-escalation paths such as accessibility feature abuse, and for Linux/macOS where related techniques or software platforms apply.
- Monitor data collection and archive creation in sensitive repositories, engineering shares, government/defense project areas, and local system locations before exfiltration.
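The RDP-tuning and web-alert-correlation bullets above are easiest to reason about on concrete events. The script below is an added example written for this page; it is not code from ATT&CK, Glexia, or any of the cited reports. It runs over a handful of constructed Windows Security events (logon 4624 with logon type 10 for RemoteInteractive/RDP, process creation 4688) and one constructed web-application alert (event id 9001 is invented for the sample; real WAF or IDS alerts would carry their own identifiers). The approved jump hosts, business hours, service-account list, host names, accounts, IPs and timestamps are all assumed sample values.

```python
"""Correlate constructed security events the way the detection bullets suggest:
flag RDP logons that fall outside business context, and chain a web-app
exploitation alert to process creation spawned by the web server worker.
Windows event ids 4624/4688 and logon type 10 are real; all hosts, users,
addresses, timestamps and the 9001 alert id are constructed sample data."""
from datetime import datetime, timedelta

# Business context the tuning bullet asks for (assumed values).
APPROVED_JUMP_HOSTS = {"10.0.5.10", "10.0.5.11"}  # RDP should originate here
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59 local time
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}       # never expected interactively

# Constructed sample events, shaped like parsed EVTX / SIEM rows.
EVENTS = [
    {"ts": "2024-03-04T09:15:00", "id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.5.10"},
    {"ts": "2024-03-04T02:40:00", "id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.77.3"},
    {"ts": "2024-03-04T11:05:00", "id": 4624, "host": "DC01", "user": "svc-backup",
     "logon_type": 10, "src_ip": "10.0.5.11"},
    {"ts": "2024-03-04T14:00:00", "id": 9001, "host": "WEB01", "user": "",
     "alert": "sql-injection", "src_ip": "203.0.113.9"},
    {"ts": "2024-03-04T14:03:30", "id": 4688, "host": "WEB01",
     "user": "IIS APPPOOL\\DefaultAppPool", "process": "cmd.exe", "parent": "w3wp.exe"},
    {"ts": "2024-03-04T16:00:00", "id": 4688, "host": "WEB01", "user": "admin",
     "process": "notepad.exe", "parent": "explorer.exe"},
]


def parse_ts(ts):
    """Timestamps in the sample are ISO 8601 without timezone."""
    return datetime.fromisoformat(ts)


def rdp_findings(events):
    """Return (reason, event) pairs for RDP logons (4624, type 10) that
    violate the assumed business context. Normal logons produce nothing."""
    findings = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 10:
            continue
        reasons = []
        if e["src_ip"] not in APPROVED_JUMP_HOSTS:
            reasons.append("non-jump-host source")
        if parse_ts(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if e["user"] in SERVICE_ACCOUNTS:
            reasons.append("service account interactive logon")
        if reasons:
            findings.append((", ".join(reasons), e))
    return findings


def web_exploit_chains(events, window=timedelta(minutes=15)):
    """Pair each web-app exploitation alert with process creation on the same
    host within `window` whose parent is the IIS worker (w3wp.exe). A web
    alert with no follow-on execution stays a web alert; a chain is what
    the correlation bullet wants surfaced."""
    alerts = [e for e in events if e["id"] == 9001]
    procs = [e for e in events if e["id"] == 4688]
    chains = []
    for a in alerts:
        t0 = parse_ts(a["ts"])
        for p in procs:
            if (p["host"] == a["host"]
                    and t0 <= parse_ts(p["ts"]) <= t0 + window
                    and p.get("parent", "").lower() == "w3wp.exe"):
                chains.append((a, p))
    return chains


if __name__ == "__main__":
    for reason, e in rdp_findings(EVENTS):
        print(f"RDP {e['user']}@{e['host']} from {e['src_ip']} at {e['ts']}: {reason}")
    for a, p in web_exploit_chains(EVENTS):
        print(f"{a['alert']} on {a['host']} at {a['ts']} -> "
              f"{p['parent']} spawned {p['process']} at {p['ts']}")
```

On the sample data the first RDP logon is silent, the second is flagged as both off-hours and from a non-jump-host, the third is flagged because a service account logged on interactively, and only the cmd.exe spawned by w3wp.exe three minutes after the SQL-injection alert is chained; the later notepad.exe launch on the same host falls outside the window and has an unrelated parent. In a real deployment the context sets would come from a CMDB or identity system rather than constants, and the process-creation events would need command-line logging enabled to be useful.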
Mitigation priorities
- Start with exposure reduction: inventory and harden public-facing applications, prioritize vulnerability remediation for externally reachable systems, and verify secure configuration evidence.
- Strengthen identity controls for valid-account abuse: MFA where applicable, least privilege, privileged access review, service account governance, and monitoring of remote access paths.
- Restrict and monitor RDP, including limiting exposure, enforcing approved administrative pathways, and reviewing session-hijacking-relevant events.
- Harden endpoints against credential dumping and persistence, especially Windows systems given the related malware set and accessibility-feature technique.
- Improve phishing resilience through email controls, user reporting processes, attachment/link handling, and incident playbooks tied to endpoint investigation.
Analyst notes and limits
ATT&CK describes Axiom as a suspected Chinese cyber espionage group and notes reported overlap with Winnti Group while stating they appear distinct based on differences in TTPs and targeting. The relationship context provides the most actionable defensive content: related malware and techniques indicate what telemetry and controls should be validated. Several tools listed are shared across multiple groups, so they are useful for detection engineering but weak for standalone attribution.
ATT&CK provides no official detection text, no group-level platforms or tactics, and the supplied data does not prove current activity, customer exposure, or guaranteed detectability. Local asset criticality, logging quality, identity architecture, internet exposure, and sector-specific threat model are required to turn this into a defensible coverage assessment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1001.002 | Steganography | Axiom has used steganography to hide its C2 communications. [7] |
| Enterprise | T1005 | Data from Local System | Axiom has collected data from a compromised network. [7] |
| Enterprise | T1560 | Archive Collected Data | Axiom has compressed and encrypted data prior to exfiltration. [7] |
| Enterprise | T1584.005 | Botnet | Axiom has used large groups of compromised machines for use as proxy nodes. [7] |
| Enterprise | T1189 | Drive-by Compromise | Axiom has used watering hole attacks to gain access. [5] |
| Enterprise | T1553 | Subvert Trust Controls | Axiom has used digital certificates to deliver malware. [7] |
| Enterprise | T1021.001 | Remote Desktop Protocol | Axiom has used RDP during operations. [7] |
| Enterprise | T1583.002 | DNS Server | Axiom has acquired dynamic DNS services for use in the targeting of intended victims. [7] |
| Enterprise | T1203 | Exploitation for Client Execution | Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893. [5] |
| Enterprise | T1078 | Valid Accounts | Axiom has used previously compromised administrative accounts to escalate privileges. [7] |
| Enterprise | T1583.003 | Virtual Private Server | Axiom has used VPS hosting providers in targeting of intended victims. [7] |
| Enterprise | T1563.002 | RDP Hijacking | Axiom has targeted victims with remote administration tools including RDP. [7] |
| Enterprise | T1546.008 | Accessibility Features | Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence. [7] |
| Enterprise | T1566 | Phishing | Axiom has used spear phishing to initially compromise victims. [5][7] |
| Enterprise | T1190 | Exploit Public-Facing Application | Axiom has been observed using SQL injection to gain access to systems. [7][5] |
| Enterprise | T1003 | OS Credential Dumping | Axiom has been known to dump credentials. [7] |
Groups, software, and campaigns
S0412: ZxShell
S0032: gh0st RAT
S0672: Zox
S0013: PlugX
S0009: Hikit
S0012: PoisonIvy
S0021: Derusbi
S0203: Hydraq
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | fff1b950ef2e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky Winnti April 2013: Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
[2] Kaspersky Winnti June 2015: Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
[3] Novetta Winnti April 2015: Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
[4] Axiom (Citation: Novetta-Axiom)
[5] Cisco Group 72: Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
[6] Group 72 (Citation: Cisco Group 72)
[7] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
[8] mitre-attack G0001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.