G0125: HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]
Analyst context for executives and security teams
HAFNIUM matters because ATT&CK describes it as a likely state-sponsored espionage group that has targeted U.S. organizations and has used remote management tools, cloud software, and rapidly operationalized exploits against edge devices for initial access. For leaders, the practical issue is not the name alone; it is whether the organization can quickly identify exposed edge, email, cloud, identity, and remote administration surfaces, prove patch and hardening status, and investigate web shell, credential theft, account abuse, and lateral movement activity when a critical vulnerability becomes relevant.
Executive priority
Treat this group as a planning driver for resilience around exposed services, identity security, and incident response speed. The supplied ATT&CK relationships show behaviors spanning web shells, credential access, discovery, command execution, command-and-control, account manipulation, cloud account abuse, and tool transfer. Executives should ask whether asset ownership, emergency vulnerability response, privileged identity controls, logging retention, and IR playbooks are strong enough to support fast decisions during edge-device or cloud-software exploitation scenarios.
Technical view
SOC, detection engineering, and IR teams should validate coverage against the mapped behaviors rather than relying on a group name. Relationship context includes China Chopper and ASPXSpy web shells, PsExec, Impacket, Tarrask concealed scheduled tasks, Covenant, LSASS and NTDS credential access, PowerShell and Windows command shell execution, discovery commands, local and cloud account abuse, account manipulation, ingress tool transfer, and web or non-application-layer C2. Prioritize evidence from internet-facing servers, identity providers, domain controllers, administrative workstations, cloud/SaaS audit logs, and remote management infrastructure. Because the group object has no official ATT&CK detection text and no platforms listed for the group itself, detection should be built from the related software and techniques plus local exposure data.
Likely telemetry
- Internet-facing application, edge device, remote management, and cloud software access logs
- Web server file creation/modification logs and web shell indicators where available
- Endpoint process creation, command-line, PowerShell, and script execution telemetry
- Windows security events and EDR telemetry for LSASS access, NTDS access or copying, and credential-related activity
- Domain controller, Active Directory, and privileged account change logs
Detection direction
- Map detections to the related ATT&CK techniques and software instead of assuming a single HAFNIUM-specific signature will be sufficient.
- Validate monitoring on exposed web, email, remote management, and cloud software assets because the official description highlights those as initial access targets.
- Tune web shell hunting around abnormal server-side script creation, unexpected child processes from web services, and unusual inbound/outbound web traffic while accounting for legitimate administration and application deployment activity.
- Correlate credential-access signals such as LSASS memory access, NTDS access, and domain controller file access with subsequent remote execution, account manipulation, and discovery behavior.
- Review PowerShell, cmd.exe, PsExec, and Impacket-like activity in context: these tools and interfaces can be legitimate, so detections should combine user, host role, timing, parent process, remote source, and privilege level.
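As an added example (not part of the ATT&CK record or of Glexia's analysis), the hunting logic from the web-shell and command-interpreter bullets above, run over constructed Sysmon-style process-creation records: it flags interpreters whose parent is the IIS worker process and then scores each hit with host role, account, and the discovery commands listed in the technique table, so routine administration ranks below likely web-shell activity. The field names, hostnames, accounts, and host-role map are assumptions for the sample data.

```python
"""Web-shell child-process hunt over constructed process-creation events.
Interpreters parented by an IIS worker are flagged and scored with context."""
from dataclasses import dataclass

WEB_WORKERS = {"w3wp.exe"}  # IIS worker that hosts Exchange/OWA web services
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
# Discovery commands named in the HAFNIUM technique table on this page
DISCOVERY_MARKERS = ("whoami", "tasklist", "net group", "nltest /dclist", "ping ")

@dataclass
class Hit:
    host: str
    user: str
    child: str
    command_line: str
    score: int

def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, host_roles):
    """Return hits, highest score first, for interpreters spawned by web workers."""
    hits = []
    for ev in events:
        if basename(ev["ParentImage"]) not in WEB_WORKERS:
            continue
        child = basename(ev["Image"])
        if child not in INTERPRETERS:
            continue
        score = 1  # baseline: a web worker should rarely spawn a shell at all
        if host_roles.get(ev["Computer"]) == "exchange":
            score += 2  # exposed mail server, the initial-access surface described above
        if ev["User"].upper().endswith("\\SYSTEM"):
            score += 2  # SYSTEM-owned children of w3wp (compare the T1078.003 row)
        cmd = ev["CommandLine"].lower()
        score += sum(1 for marker in DISCOVERY_MARKERS if marker in cmd)
        hits.append(Hit(ev["Computer"], ev["User"], child, ev["CommandLine"], score))
    return sorted(hits, key=lambda h: h.score, reverse=True)

# Constructed Sysmon-style (Event ID 1) records; hosts, users and roles are made up
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [
    {"Computer": "EXCH01", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": W3WP,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami & tasklist & nltest /dclist:corp"},
    {"Computer": "EXCH01", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": W3WP,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Computer": "WEB02", "User": "IIS APPPOOL\\DefaultAppPool", "ParentImage": W3WP,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ping -n 1 google.com"},
    {"Computer": "EXCH01", "User": "CORP\\svc_deploy", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]
HOST_ROLES = {"EXCH01": "exchange", "WEB02": "intranet-web"}
```

The explorer.exe-parented record is there to show the filter discarding ordinary shell use; in production the score thresholds and the host-role map come from your own asset inventory.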
Mitigation priorities
- Maintain a current inventory of internet-facing systems, remote management tools, cloud software, and identity integrations so emergency vulnerability response can be scoped quickly.
- Prioritize patching and compensating controls for exposed edge devices and cloud-facing services when relevant vulnerabilities are identified.
- Harden web and application servers with least privilege, restricted script execution paths, file integrity monitoring where feasible, and strong separation between application and administrative functions.
- Strengthen identity controls: enforce least privilege, review local and cloud accounts, monitor privileged group changes, and reduce password reuse that can amplify local account abuse.
- Protect credential stores and domain controllers with strict administrative access controls, enhanced auditing, and rapid investigation procedures for LSASS or NTDS-related alerts.
Analyst notes and limits
The ATT&CK object identifies HAFNIUM aliases including Operation Exchange Marauder and Silk Typhoon and describes likely state-sponsored espionage activity operating out of China. The most defensible value comes from the listed relationships: web shells, credential access, account abuse, discovery, execution, C2, and tool transfer. For Glexia service delivery, this supports tabletop scenarios, detection validation, vulnerability prioritization for exposed services, identity-control reviews, and evidence collection for compliance and incident readiness.
The group object does not provide official detection guidance, tactics, or platforms, so platform-specific claims must come from the related software and technique records rather than the group record itself. Local exposure, product configuration, logging quality, and business-critical asset context are required to determine actual risk and coverage. The supplied fields support concern about rapid exploit operationalization for vulnerabilities in edge devices, but they do not by themselves prove current exploitation against any specific organization.
HAFNIUM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1592.004 | Client Configurations Sub-technique | HAFNIUM has interacted with Office 365 tenants to gather details regarding targets' environments. (Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1110.003 | Password Spraying Sub-technique | HAFNIUM has gained initial access through password spray attacks. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1105 | Ingress Tool Transfer | HAFNIUM has downloaded malware and tools, including Nishang and PowerCat, onto a compromised host. (Citation: Microsoft HAFNIUM March 2020; Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1583.006 | Web Services Sub-technique | HAFNIUM has acquired web services for use in C2 and exfiltration. (Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration. (Citation: Microsoft HAFNIUM March 2020; Volexity Exchange Marauder March 2021) |
| Enterprise | T1005 | Data from Local System | HAFNIUM has collected data and files from a compromised machine. (Citation: Rapid7 HAFNIUM Mar 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1583.005 | Botnet Sub-technique | HAFNIUM has incorporated leased devices into covert networks to obfuscate communications. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1033 | System Owner/User Discovery | HAFNIUM has used `whoami` to gather user information. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1213.002 | Sharepoint Sub-technique | HAFNIUM has abused compromised credentials to exfiltrate data from SharePoint. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | HAFNIUM has targeted unpatched applications to elevate access in targeted organizations. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1584.005 | Botnet Sub-technique | HAFNIUM has used compromised devices in covert networks to obfuscate communications. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | HAFNIUM has used `cmd.exe` to execute commands on the victim's machine. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1057 | Process Discovery | HAFNIUM has used `tasklist` to enumerate processes. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | HAFNIUM has used |
| Enterprise | T1530 | Data from Cloud Storage | HAFNIUM has exfiltrated data from OneDrive. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1119 | Automated Collection | HAFNIUM has used MSGraph to exfiltrate data from email, OneDrive, and SharePoint. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1590 | Gather Victim Network Information | HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment. (Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1505.003 | Web Shell Sub-technique | HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy. (Citation: Microsoft HAFNIUM March 2020; Volexity Exchange Marauder March 2021; FireEye Exchange Zero Days March 2021; Tarrask scheduled task; Rapid7 HAFNIUM Mar 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1589.002 | Email Addresses Sub-technique | HAFNIUM has collected e-mail addresses for users they intended to target. (Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1555.006 | Cloud Secrets Management Stores Sub-technique | HAFNIUM has moved laterally from on-premises environments to steal passwords from Azure key vaults. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1593.003 | Code Repositories Sub-technique | HAFNIUM has discovered leaked corporate credentials on public repositories including GitHub. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | HAFNIUM has exfiltrated data to file sharing sites, including MEGA. (Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | HAFNIUM has used web shells and MSGraph to export mailbox data. (Citation: Microsoft HAFNIUM March 2020; Volexity Exchange Marauder March 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | HAFNIUM has used |
| Enterprise | T1078.003 | Local Accounts Sub-technique | HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers. (Citation: FireEye Exchange Zero Days March 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | HAFNIUM has used the Exchange Power Shell module |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | HAFNIUM has hidden files on a compromised host. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | HAFNIUM has checked for network connectivity from a compromised host using `ping`, including attempts to contact `google[.]com`. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | HAFNIUM has collected IP information via IPInfo. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1590.005 | IP Addresses Sub-technique | HAFNIUM has obtained IP addresses for publicly accessible Exchange servers. (Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1199 | Trusted Relationship | HAFNIUM has used stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies to access downstream customer environments. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | HAFNIUM has abused service principals in compromised environments to enable data exfiltration. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1083 | File and Directory Discovery | HAFNIUM has searched file contents on a compromised host. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1003.003 | NTDS Sub-technique | HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT). (Citation: Volexity Exchange Marauder March 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1098 | Account Manipulation | HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts. (Citation: Volexity Exchange Marauder March 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1136.002 | Domain Account Sub-technique | HAFNIUM has created domain accounts. (Citation: Volexity Exchange Marauder March 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1018 | Remote System Discovery | HAFNIUM has enumerated domain controllers using `net group "Domain computers"` and `nltest /dclist`. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1550.001 | Application Access Token Sub-technique | HAFNIUM has abused service principals with administrative permissions for data exfiltration. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | HAFNIUM has cleared actor-performed actions from logs. (Citation: Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1190 | Exploit Public-Facing Application | HAFNIUM has exploited multiple vulnerabilities to compromise edge devices and on-premises versions of Microsoft Exchange Server. (Citation: Microsoft HAFNIUM March 2020; Volexity Exchange Marauder March 2021; FireEye Exchange Zero Days March 2021; Tarrask scheduled task; Microsoft Log4j Vulnerability Exploitation December 2021; Microsoft Silk Typhoon MAR 2025) |
| Enterprise | T1095 | Non-Application Layer Protocol | HAFNIUM has used TCP for C2. (Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | HAFNIUM has used ASCII encoding for C2 traffic. (Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | HAFNIUM has operated from leased virtual private servers (VPS) in the United States. (Citation: Microsoft HAFNIUM March 2020) |
Groups, software, and campaigns
S1011: Tarrask
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
S0357: Impacket
S0029: PsExec
S1155: Covenant
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]
S0020: China Chopper
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 3.0 | Current bundle | 0d83dbd140d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft HAFNIUM March 2020: MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
[2] Volexity Exchange Marauder March 2021: Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
[3] Microsoft Silk Typhoon MAR 2025: Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
[4] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[5] Operation Exchange Marauder (group alias). Citation: Volexity Exchange Marauder March 2021.
[6] Silk Typhoon (group alias). Citation: Microsoft Threat Actor Naming July 2023; Microsoft Silk Typhoon MAR 2025.
[7] mitre-attack G0125
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.