G0125: HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]
Analyst context for executives and security teams
HAFNIUM matters because ATT&CK describes it as a likely state-sponsored espionage group that has targeted U.S. organizations and has used remote management tools, cloud software, and rapidly operationalized exploits against edge devices for initial access. For leaders, the practical issue is not the name alone; it is whether the organization can quickly identify exposed edge, email, cloud, identity, and remote administration surfaces, prove patch and hardening status, and investigate web shell, credential theft, account abuse, and lateral movement activity when a critical vulnerability becomes relevant.
Executive priority
Treat this group as a planning driver for resilience around exposed services, identity security, and incident response speed. The supplied ATT&CK relationships show behaviors spanning web shells, credential access, discovery, command execution, command-and-control, account manipulation, cloud account abuse, and tool transfer. Executives should ask whether asset ownership, emergency vulnerability response, privileged identity controls, logging retention, and IR playbooks are strong enough to support fast decisions during edge-device or cloud-software exploitation scenarios.
Technical view
SOC, detection engineering, and IR teams should validate coverage against the mapped behaviors rather than relying on a group name. Relationship context includes China Chopper and ASPXSpy web shells, PsExec, Impacket, Tarrask concealed scheduled tasks, Covenant, LSASS and NTDS credential access, PowerShell and Windows command shell execution, discovery commands, local and cloud account abuse, account manipulation, ingress tool transfer, and web or non-application-layer C2. Prioritize evidence from internet-facing servers, identity providers, domain controllers, administrative workstations, cloud/SaaS audit logs, and remote management infrastructure. Because the group object has no official ATT&CK detection text and no platforms listed for the group itself, detection should be built from the related software and techniques plus local exposure data.
Likely telemetry
- Internet-facing application, edge device, remote management, and cloud software access logs
- Web server file creation/modification logs and web shell indicators where available
- Endpoint process creation, command-line, PowerShell, and script execution telemetry
- Windows security events and EDR telemetry for LSASS access, NTDS access or copying, and credential-related activity
- Domain controller, Active Directory, and privileged account change logs
Detection direction
- Map detections to the related ATT&CK techniques and software instead of assuming a single HAFNIUM-specific signature will be sufficient.
- Validate monitoring on exposed web, email, remote management, and cloud software assets because the official description highlights those as initial access targets.
- Tune web shell hunting around abnormal server-side script creation, unexpected child processes from web services, and unusual inbound/outbound web traffic while accounting for legitimate administration and application deployment activity.
- Correlate credential-access signals such as LSASS memory access, NTDS access, and domain controller file access with subsequent remote execution, account manipulation, and discovery behavior.
- Review PowerShell, cmd.exe, PsExec, and Impacket-like activity in context: these tools and interfaces can be legitimate, so detections should combine user, host role, timing, parent process, remote source, and privilege level.
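Two of the detection directions above (a web worker spawning a shell, and a burst of the discovery commands the relationship notes attribute to HAFNIUM) can be expressed as a small correlation over process-creation telemetry. The following is an added example, not Glexia's or MITRE's code: it assumes Sysmon-style process-creation fields (`ts`, `host`, `user`, `parent`, `image`, `cmdline`), and every event value, host name and account is constructed for illustration.

```python
"""Added example: two HAFNIUM-relevant detection directions run over constructed
Sysmon-style process-creation events (field names and all values are assumptions).

 - IIS worker (w3wp.exe) spawning an interactive shell -> web shell follow-on (T1505.003 / T1059.003)
 - burst of discovery commands from one host/user      -> T1033, T1057, T1018, T1016.001 chain
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not data from any real incident.
SAMPLE_EVENTS = [
    # Exchange host: IIS worker spawning cmd.exe, then a discovery burst as SYSTEM
    {"ts": "2021-03-02T10:00:01", "host": "exch01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2021-03-02T10:00:05", "host": "exch01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "cmd.exe", "image": "tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2021-03-02T10:00:20", "host": "exch01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "cmd.exe", "image": "net.exe", "cmdline": 'net group "Domain computers" /domain'},
    {"ts": "2021-03-02T10:00:25", "host": "exch01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "cmd.exe", "image": "nltest.exe", "cmdline": "nltest /dclist:corp.example"},
    {"ts": "2021-03-02T10:00:40", "host": "exch01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "cmd.exe", "image": "PING.EXE", "cmdline": "ping google.com"},
    # Same IIS worker compiling an ASP.NET page: expected behaviour, not a shell
    {"ts": "2021-03-02T09:00:00", "host": "exch01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "w3wp.exe", "image": "csc.exe", "cmdline": "csc.exe /t:library /out:App_Web_x.dll"},
    # Workstation user running a single whoami from an interactive shell: benign
    {"ts": "2021-03-02T11:30:00", "host": "ws07", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2021-03-02T11:30:10", "host": "ws07", "user": "CORP\\jdoe",
     "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
]

WEB_WORKERS = {"w3wp.exe"}                        # IIS worker hosting Exchange/OWA
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Discovery commands from the ATT&CK relationship notes, keyed by technique ID
DISCOVERY_PATTERNS = {
    "T1033": re.compile(r"\bwhoami\b", re.I),
    "T1057": re.compile(r"\btasklist\b", re.I),
    "T1018": re.compile(r'net\s+group\s+"?domain computers"?|nltest\s+/dclist', re.I),
    "T1016.001": re.compile(r"\bping\b", re.I),
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def web_shell_child_alerts(events):
    """Web worker spawning a shell; build tooling such as csc.exe is deliberately not flagged."""
    return [e for e in events
            if e["parent"].lower() in WEB_WORKERS and e["image"].lower() in SHELLS]


def discovery_chain_alerts(events, window=timedelta(minutes=10), min_techniques=3):
    """One alert per (host, user) whose commands hit >= min_techniques distinct
    discovery techniques inside a sliding time window; a lone whoami never fires."""
    by_actor = defaultdict(list)
    for e in events:
        hits = [tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(e["cmdline"])]
        if hits:
            by_actor[(e["host"], e["user"])].append((_ts(e), hits))
    alerts = []
    for (host, user), seq in by_actor.items():
        seq.sort(key=lambda item: item[0])
        i = 0
        while i < len(seq):
            start, seen, j = seq[i][0], set(), i
            while j < len(seq) and seq[j][0] - start <= window:
                seen.update(seq[j][1])
                j += 1
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "user": user, "first": start.isoformat(),
                               "last": seq[j - 1][0].isoformat(), "techniques": sorted(seen)})
                i = j          # window consumed; do not re-alert on the same burst
            else:
                i += 1
    return alerts


def triage(events):
    """Combine both signals; a host showing both is the one to investigate first."""
    shell = web_shell_child_alerts(events)
    chains = discovery_chain_alerts(events)
    both = sorted({e["host"] for e in shell} & {a["host"] for a in chains})
    return {"web_shell_children": shell, "discovery_chains": chains, "hosts_with_both": both}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The allowlist of shells and the per-technique threshold are the two knobs that absorb legitimate administration: ASP.NET compilation under `w3wp.exe` and a user's single `whoami` both pass, while the Exchange host with a worker-spawned shell followed by four distinct discovery techniques inside ten minutes surfaces as the one host to pull first.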
Mitigation priorities
- Maintain a current inventory of internet-facing systems, remote management tools, cloud software, and identity integrations so emergency vulnerability response can be scoped quickly.
- Prioritize patching and compensating controls for exposed edge devices and cloud-facing services when relevant vulnerabilities are identified.
- Harden web and application servers with least privilege, restricted script execution paths, file integrity monitoring where feasible, and strong separation between application and administrative functions.
- Strengthen identity controls: enforce least privilege, review local and cloud accounts, monitor privileged group changes, and reduce password reuse that can amplify local account abuse.
- Protect credential stores and domain controllers with strict administrative access controls, enhanced auditing, and rapid investigation procedures for LSASS or NTDS-related alerts.
Analyst notes and limits
The ATT&CK object identifies HAFNIUM aliases including Operation Exchange Marauder and Silk Typhoon and describes likely state-sponsored espionage activity operating out of China. The most defensible value for defenders comes from the listed relationships: web shells, credential access, account abuse, discovery, execution, C2, and tool transfer. For Glexia service delivery, this supports tabletop scenarios, detection validation, vulnerability prioritization for exposed services, identity-control reviews, and evidence collection for compliance and incident readiness.
The group object does not provide official detection guidance, tactics, or platforms, so platform-specific claims must come from the related software and technique records rather than the group record itself. Local exposure, product configuration, logging quality, and business-critical asset context are required to determine actual risk and coverage. The supplied fields support concern about rapid exploit operationalization for vulnerabilities in edge devices, but they do not by themselves prove current exploitation against any specific organization.
HAFNIUM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1592.004 | Client Configurations Sub-technique | |
| Enterprise | T1110.003 | Password Spraying Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1583.006 | Web Services Sub-technique | |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1583.005 | Botnet Sub-technique | |
| Enterprise | T1033 | System Owner/User Discovery | HAFNIUM has used `whoami` to gather user information. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1213.002 | Sharepoint Sub-technique | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | |
| Enterprise | T1584.005 | Botnet Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | HAFNIUM has used `cmd.exe` to execute commands on the victim's machine. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1057 | Process Discovery | HAFNIUM has used `tasklist` to enumerate processes. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1530 | Data from Cloud Storage | |
| Enterprise | T1119 | Automated Collection | |
| Enterprise | T1590 | Gather Victim Network Information | |
| Enterprise | T1505.003 | Web Shell Sub-technique | |
| Enterprise | T1589.002 | Email Addresses Sub-technique | |
| Enterprise | T1555.006 | Cloud Secrets Management Stores Sub-technique | |
| Enterprise | T1593.003 | Code Repositories Sub-technique | |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
| Enterprise | T1078.003 | Local Accounts Sub-technique | HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers. (Citation: FireEye Exchange Zero Days March 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | HAFNIUM has hidden files on a compromised host. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | HAFNIUM has checked for network connectivity from a compromised host using `ping`, including attempts to contact `google[.]com`. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | HAFNIUM has collected IP information via IPInfo. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1590.005 | IP Addresses Sub-technique | |
| Enterprise | T1199 | Trusted Relationship | |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | HAFNIUM has searched file contents on a compromised host. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1003.003 | NTDS Sub-technique | |
| Enterprise | T1098 | Account Manipulation | |
| Enterprise | T1136.002 | Domain Account Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1018 | Remote System Discovery | HAFNIUM has enumerated domain controllers using `net group "Domain computers"` and `nltest /dclist`. (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1550.001 | Application Access Token Sub-technique | |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | |
| Enterprise | T1190 | Exploit Public-Facing Application | |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | |
Groups, software, and campaigns
S1011: Tarrask
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
S0357: Impacket
S0029: PsExec
S1155: Covenant
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]
S0020: China Chopper
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 0d83dbd140d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft HAFNIUM March 2020: MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- [2] Volexity Exchange Marauder March 2021: Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- [3] Microsoft Silk Typhoon MAR 2025: Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
- [4] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [5] Operation Exchange Marauder (alias): (Citation: Volexity Exchange Marauder March 2021)
- [6] Silk Typhoon (alias): (Citation: Microsoft Threat Actor Naming July 2023) (Citation: Microsoft Silk Typhoon MAR 2025)
- [7] mitre-attack G0125
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.