
G0125 HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices. [4][1][3]

ID: G0125
Associated Names: Operation Exchange Marauder, Silk Typhoon
Version: 3.0
Created: 03 March 2021
Last Modified: 25 March 2025

Associated Group Descriptions

Name [references]
Operation Exchange Marauder [1]
Silk Typhoon [2][3]

Techniques Used

Domain: enterprise (all entries). Format: ID Name: Use [references]; sub-techniques are indented under their parent technique.

T1098 Account Manipulation: HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts. [1][3]
T1583 Acquire Infrastructure
  T1583.003 Virtual Private Server: HAFNIUM has operated from leased virtual private servers (VPS) in the United States. [4]
  T1583.005 Botnet: HAFNIUM has incorporated leased devices into covert networks to obfuscate communications. [3]
  T1583.006 Web Services: HAFNIUM has acquired web services for use in C2 and exfiltration. [4]
T1071 Application Layer Protocol
  T1071.001 Web Protocols: HAFNIUM has used open-source C2 frameworks, including Covenant. [4]
T1560 Archive Collected Data
  T1560.001 Archive via Utility: HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration. [4][1]
T1119 Automated Collection: HAFNIUM has used MSGraph to exfiltrate data from email, OneDrive, and SharePoint. [3]
T1110 Brute Force
  T1110.003 Password Spraying: HAFNIUM has gained initial access through password spray attacks. [3]
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: HAFNIUM has used the Exchange PowerShell cmdlet Set-OabVirtualDirectory to export mailbox data. [4][1]
  T1059.003 Windows Command Shell: HAFNIUM has used cmd.exe to execute commands on the victim's machine. [5]
T1584 Compromise Infrastructure
  T1584.005 Botnet: HAFNIUM has used compromised devices in covert networks to obfuscate communications. [3]
T1136 Create Account
  T1136.002 Domain Account: HAFNIUM has created domain accounts. [1][3]
T1555 Credentials from Password Stores
  T1555.006 Cloud Secrets Management Stores: HAFNIUM has moved laterally from on-premises environments to steal passwords from Azure key vaults. [3]
T1132 Data Encoding
  T1132.001 Standard Encoding: HAFNIUM has used ASCII encoding for C2 traffic. [4]
T1530 Data from Cloud Storage: HAFNIUM has exfiltrated data from OneDrive. [3]
T1213 Data from Information Repositories
  T1213.002 Sharepoint: HAFNIUM has abused compromised credentials to exfiltrate data from SharePoint. [3]
T1005 Data from Local System: HAFNIUM has collected data and files from a compromised machine. [5][3]
T1114 Email Collection
  T1114.002 Remote Email Collection: HAFNIUM has used web shells and MSGraph to export mailbox data. [4][1][3]
T1567 Exfiltration Over Web Service
  T1567.002 Exfiltration to Cloud Storage: HAFNIUM has exfiltrated data to file sharing sites, including MEGA. [4]
T1190 Exploit Public-Facing Application: HAFNIUM has exploited multiple vulnerabilities to compromise edge devices and on-premises versions of Microsoft Exchange Server. [4][1][6][7][8][3]
T1068 Exploitation for Privilege Escalation: HAFNIUM has targeted unpatched applications to elevate access in targeted organizations. [3]
T1083 File and Directory Discovery: HAFNIUM has searched file contents on a compromised host. [5]
T1592 Gather Victim Host Information
  T1592.004 Client Configurations: HAFNIUM has interacted with Office 365 tenants to gather details regarding target environments. [4]
T1589 Gather Victim Identity Information
  T1589.002 Email Addresses: HAFNIUM has collected e-mail addresses for users they intended to target. [1]
T1590 Gather Victim Network Information: HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment. [1]
  T1590.005 IP Addresses: HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers. [1]
T1564 Hide Artifacts
  T1564.001 Hidden Files and Directories: HAFNIUM has hidden files on a compromised host. [5]
T1070 Indicator Removal
  T1070.001 Clear Windows Event Logs: HAFNIUM has cleared actor-performed actions from logs. [3]
T1105 Ingress Tool Transfer: HAFNIUM has downloaded malware and tools, including Nishang and PowerCat, onto a compromised host. [4][5]
T1095 Non-Application Layer Protocol: HAFNIUM has used TCP for C2. [4]
T1003 OS Credential Dumping
  T1003.001 LSASS Memory: HAFNIUM has used procdump to dump the LSASS process memory. [4][1][5]
  T1003.003 NTDS: HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT). [1][3]
T1057 Process Discovery: HAFNIUM has used tasklist to enumerate processes. [5]
T1018 Remote System Discovery: HAFNIUM has enumerated domain controllers using net group "Domain computers" and nltest /dclist. [5]
T1593 Search Open Websites/Domains
  T1593.003 Code Repositories: HAFNIUM has discovered leaked corporate credentials on public repositories including GitHub. [3]
T1505 Server Software Component
  T1505.003 Web Shell: HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy. [4][1][6][7][5][3]
T1218 System Binary Proxy Execution
  T1218.011 Rundll32: HAFNIUM has used rundll32 to load malicious DLLs. [1]
T1016 System Network Configuration Discovery: HAFNIUM has collected IP information via IPInfo. [5]
  T1016.001 Internet Connection Discovery: HAFNIUM has checked for network connectivity from a compromised host using ping, including attempts to contact google[.]com. [5]
T1033 System Owner/User Discovery: HAFNIUM has used whoami to gather user information. [5]
T1199 Trusted Relationship: HAFNIUM has used stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies to access downstream customer environments. [3]
T1550 Use Alternate Authentication Material
  T1550.001 Application Access Token: HAFNIUM has abused service principals with administrative permissions for data exfiltration. [3]
T1078 Valid Accounts
  T1078.003 Local Accounts: HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers. [6]
  T1078.004 Cloud Accounts: HAFNIUM has abused service principals in compromised environments to enable data exfiltration. [3]

Software

Format: ID Name [references]: techniques, written as Sub-technique (parent technique) and separated by semicolons.

S0073 ASPXSpy [1]: Web Shell (Server Software Component)
S0020 China Chopper [1][6][5]: Web Protocols (Application Layer Protocol); Password Guessing (Brute Force); Windows Command Shell (Command and Scripting Interpreter); Data from Local System; File and Directory Discovery; Timestomp (Indicator Removal); Ingress Tool Transfer; Network Service Discovery; Software Packing (Obfuscated Files or Information); Web Shell (Server Software Component)
S1155 Covenant [4][3]: HAFNIUM used Covenant for command and control following compromise of internet-facing servers. Techniques: Web Protocols (Application Layer Protocol); PowerShell (Command and Scripting Interpreter); Windows Command Shell (Command and Scripting Interpreter); Asymmetric Cryptography (Encrypted Channel); Non-Standard Port; Regsvr32 (System Binary Proxy Execution); InstallUtil (System Binary Proxy Execution); Mshta (System Binary Proxy Execution); System Information Discovery; Windows Management Instrumentation
S0357 Impacket [7]: LLMNR/NBT-NS Poisoning and SMB Relay (Adversary-in-the-Middle); Lateral Tool Transfer; Network Sniffing; NTDS (OS Credential Dumping); LSASS Memory (OS Credential Dumping); Security Account Manager (OS Credential Dumping); LSA Secrets (OS Credential Dumping); Kerberoasting (Steal or Forge Kerberos Tickets); Ccache Files (Steal or Forge Kerberos Tickets); Service Execution (System Services); Windows Management Instrumentation
S0029 PsExec [1]: Domain Account (Create Account); Windows Service (Create or Modify System Process); Lateral Tool Transfer; SMB/Windows Admin Shares (Remote Services); Service Execution (System Services)
S1011 Tarrask [7]: Token Impersonation/Theft (Access Token Manipulation); Windows Command Shell (Command and Scripting Interpreter); Hide Artifacts; Match Legitimate Resource Name or Location (Masquerading); Masquerade Task or Service (Masquerading); Modify Registry; Scheduled Task (Scheduled Task/Job)

References