Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ HAFNIUM

🌐HAFNIUM

🌐 HAFNIUM is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 44 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0125) ↗
14Use cases
0Articles
44Techniques
0IOCs

About this actor (MITRE)

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for intial access and has demonstrated an ability to quickly oper

Known aliases

HAFNIUMOperation Exchange MarauderSilk Typhoon

Top techniques

T1003.001 · LSASS MemoryT1003.003 · NTDST1005 · Data from Local System

All other tracked techniques

T1016 · System Network Configuration DiscoveryT1016.001 · Internet Connection DiscoveryT1018 · Remote System DiscoveryT1033 · System Owner/User DiscoveryT1057 · Process DiscoveryT1059.001 · PowerShellT1059.003 · Windows Command ShellT1068 · Exploitation for Privilege EscalationT1071.001 · Web ProtocolsT1078.003 · Local AccountsT1078.004 · Cloud AccountsT1083 · File and Directory DiscoveryT1095 · Non-Application Layer ProtocolT1098 · Account ManipulationT1105 · Ingress Tool TransferT1110.003 · Password SprayingT1114.002 · Remote Email CollectionT1119 · Automated CollectionT1132.001 · Standard EncodingT1136.002 · Domain AccountT1190 · Exploit Public-Facing ApplicationT1199 · Trusted RelationshipT1213.002 · SharepointT1218.011 · Rundll32T1505.003 · Web ShellT1530 · Data from Cloud StorageT1550.001 · Application Access TokenT1555.006 · Cloud Secrets Management StoresT1560.001 · Archive via UtilityT1564.001 · Hidden Files and DirectoriesT1567.002 · Exfiltration to Cloud StorageT1583.003 · Virtual Private ServerT1583.005 · BotnetT1583.006 · Web ServicesT1584.005 · BotnetT1589.002 · Email AddressesT1590 · Gather Victim Network InformationT1590.005 · IP AddressesT1592.004 · Client ConfigurationsT1593.003 · Code RepositoriesT1685.005 · Clear Windows Event Logs

Detection use cases (14)

HAFNIUM/Silk Typhoon ProxyLogon webshell drop via Exchange w3wp.exe AI · profile SΣDD HAFNIUM/Silk Typhoon webshell-to-credential-theft chain (w3wp.exe spawning recon, LSASS dump, NTDS staging) AI · profile SDD Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match