Clankerusecase
Threat-actor profile

🇨🇳 Axiom

🇨🇳 Axiom is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 16 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

14 Use cases
0 Articles
16 Techniques
0 IOCs

About this actor (MITRE)

[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044), but the two groups appear to be distinct based on differences in reporting on TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)

Known aliases

Axiom, Group 72

Top techniques

All other tracked techniques

Detection use cases (14)

- Axiom (Group 72) sticky-keys / accessibility-feature debugger backdoor (Hikit-style RDP foothold) (AI · profile SΣ)
- Axiom RDP session hijacking via SYSTEM-launched tscon.exe (T1563.002) (AI · profile SΣ)
- 1Password impossible-travel sign-in (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- Atlassian administrator impersonating user (MITRE match)
- Auth0 anomalous attack-protection event spike (MITRE match)
- Authentication not detected on admin API endpoint (MITRE match)
- AWS Console login without MFA + impossible travel (MITRE match)
- AWS S3 bucket ACL / policy made public (MITRE match)
- Credential-stuffing attack on application (MITRE match)
- CrowdStrike Falcon alert ingested (MITRE match)
- Crypto-wallet file/keystore access by non-wallet process (MITRE match)
- Excessive resource consumption of third-party API (MITRE match)