Threat Actor Profile
High APT
Description

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)

Confidence Score
90%
Known Aliases
HAFNIUM, Operation Exchange Marauder, Silk Typhoon
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (44)
T1005 - Data from Local System (Collection)
T1114.002 - Remote Email Collection (Collection)
T1119 - Automated Collection (Collection)
T1213.002 - Sharepoint (Collection)
T1530 - Data from Cloud Storage (Collection)
T1560.001 - Archive via Utility (Collection)
T1071.001 - Web Protocols (Command and Control)
T1095 - Non-Application Layer Protocol (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1132.001 - Standard Encoding (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.003 - NTDS (Credential Access)
T1110.003 - Password Spraying (Credential Access)
T1555.006 - Cloud Secrets Management Stores (Credential Access)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1078.003 - Local Accounts (Defense Evasion)
T1078.004 - Cloud Accounts (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1550.001 - Application Access Token (Defense Evasion)
T1564.001 - Hidden Files and Directories (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1016.001 - Internet Connection Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1057 - Process Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1190 - Exploit Public-Facing Application (Initial Access)
T1199 - Trusted Relationship (Initial Access)
T1098 - Account Manipulation (Persistence)
T1136.002 - Domain Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1068 - Exploitation for Privilege Escalation (Privilege Escalation)
T1589.002 - Email Addresses (Reconnaissance)
T1590 - Gather Victim Network Information (Reconnaissance)
T1590.005 - IP Addresses (Reconnaissance)
T1592.004 - Client Configurations (Reconnaissance)
T1593.003 - Code Repositories (Reconnaissance)
T1583.003 - Virtual Private Server (Resource Development)
T1583.005 - Botnet (Resource Development)
T1583.006 - Web Services (Resource Development)
T1584.005 - Botnet (Resource Development)
STIX Data
{'aliases': ['HAFNIUM', 'Operation Exchange Marauder', 'Silk Typhoon'],
 'created': '2021-03-03T19:40:47.280Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely '
                'state-sponsored cyber espionage group operating out of China '
                'that has been active since at least January 2021. '
                '[HAFNIUM](https://attack.mitre.org/groups/G0125) primarily '
                'targets entities in the US across a number of industry '
                'sectors, including infectious disease researchers, law firms, '
                'higher education institutions, defense contractors, policy '
                'think tanks, and NGOs. '
                '[HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted '
                'remote management tools and cloud software for intial access '
                'and has demonstrated an ability to quickly operationalize '
                'exploits for identified vulnerabilities in edge '
                'devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: '
                'Volexity Exchange Marauder March 2021)(Citation: Microsoft '
                'Silk Typhoon MAR 2025)',
 'external_references': [{'external_id': 'G0125',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0125'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)(Citation: '
                                         'Microsoft Silk Typhoon MAR 2025)',
                          'source_name': 'Silk Typhoon'},
                         {'description': '(Citation: Volexity Exchange '
                                         'Marauder March 2021)',
                          'source_name': 'Operation Exchange Marauder'},
                         {'description': 'Gruzweig, J. et al. (2021, March 2). '
                                         'Operation Exchange Marauder: Active '
                                         'Exploitation of Multiple Zero-Day '
                                         'Microsoft Exchange Vulnerabilities. '
                                         'Retrieved March 3, 2021.',
                          'source_name': 'Volexity Exchange Marauder March '
                                         '2021',
                          'url': 'https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Microsoft Threat Intelligence . '
                                         '(2025, March 5). Silk Typhoon '
                                         'targeting IT supply chain. Retrieved '
                                         'March 20, 2025.',
                          'source_name': 'Microsoft Silk Typhoon MAR 2025',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/'},
                         {'description': 'MSTIC. (2021, March 2). HAFNIUM '
                                         'targeting Exchange Servers with '
                                         '0-day exploits. Retrieved March 3, '
                                         '2021.',
                          'source_name': 'Microsoft HAFNIUM March 2020',
                          'url': 'https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'}],
 'id': 'intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87',
 'modified': '2025-03-25T18:04:13.368Z',
 'name': 'HAFNIUM',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Daniyal Naeem, BT Security',
                          'Matt Brenton, Zurich Insurance Group',
                          'Mayuresh Dani, Qualys',
                          'Harshal Tupsamudre, Qualys',
                          'Vinayak Wadhwa, SAFE Security'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}