>samit_hota
Back to adversary profiles
G0125HighActive

HAFNIUM (G0125): A Profile of China's Elite Cyber Espionage Group

Samit Hota·
Suspected Origin
China
Motivation
Espionage
Aliases
Operation Exchange Marauder, Silk Typhoon
Target Sectors
Infectious Disease Researchers, Law Firms, Higher Education, Defense Contractors, Policy Think Tanks, NGOs, Government, Telecommunications, Critical Infrastructure, Cloud Service Providers, Supply Chain
Associated Malware
Tarrask, PlugX, Whitebird, China Chopper, SIMPLESEESHARP, SPORTSBALL, ASPXSpy
#threat-actor#g0125

Overview

HAFNIUM (MITRE ATT&CK ID G0125), also known by aliases such as Operation Exchange Marauder and Silk Typhoon, is a sophisticated state-sponsored cyber espionage group operating out of China. Active since at least January 2021, HAFNIUM has consistently demonstrated a high level of operational capability, particularly in its ability to rapidly weaponize and deploy exploits for newly disclosed vulnerabilities in internet-facing systems. The group’s primary motivation is intelligence gathering, focusing on sensitive communications, intellectual property, and strategic information from high-value targets globally.

While HAFNIUM operates under the likely sponsorship of China’s Ministry of State Security (PRC MSS), its technical infrastructure often leverages leased virtual private servers (VPS) primarily located in the United States, a tactic that helps obfuscate its true origin and command-and-control (C2) infrastructure. The group is closely linked with other well-known Chinese APTs, notably APT40, underscoring a broader, coordinated cyber espionage effort.

HAFNIUM’s targeting is strategic and widespread, extending beyond traditional government and defense sectors. Historically, their focus has been on entities in the United States, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental organizations (NGOs). However, their scope of operations is global, impacting organizations across North America, Europe, East Asia, and the Middle East, with increasing attention on critical infrastructure, cloud service providers, and companies with complex supply chains. This broad targeting, combined with an opportunistic approach to exploiting widely deployed software, means HAFNIUM’s campaigns often result in mass compromises, blurring the lines between targeted APT operations and large-scale intrusions.

Tactics & Techniques

HAFNIUM’s tradecraft is characterized by its opportunism, speed, and a preference for exploiting vulnerabilities in internet-facing servers to gain initial access. This group excels at quickly operationalizing newly identified zero-day vulnerabilities in edge devices. The most prominent example is their extensive exploitation of four zero-day vulnerabilities in on-premises Microsoft Exchange Servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), collectively known as “ProxyLogon”. This exploit chain allowed them to achieve remote code execution without authentication, establish persistence, and exfiltrate data on a massive scale.

Once initial access is established, HAFNIUM focuses on maintaining persistence and expanding its foothold. They frequently deploy web shells, such as China Chopper, SIMPLESEESHARP, SPORTSBALL, and ASPXSpy, to execute commands and maintain access to compromised servers. For command and control, HAFNIUM often leverages compromised servers as C2 infrastructure and utilizes cloud-based C2 and dynamically registered domains to evade detection. They’ve also been observed using legitimate open-source C2 frameworks like Covenant. Communication with web shells typically occurs over standard web protocols (HTTP/HTTPS) to blend in with legitimate network traffic.

Their post-exploitation activities are methodical and aimed at intelligence collection. HAFNIUM employs various techniques for credential access, including dumping LSASS process memory using legitimate tools like ProcDump, and stealing copies of the Active Directory database (NTDS.DIT). For lateral movement, they utilize stolen credentials, legitimate administrative functionalities, and tools like PsExec to move across the network. Data collection involves exporting mailbox data using Exchange PowerShell snap-ins, and gathering emails, attachments, contacts, and internal documents of strategic intelligence value. Prior to exfiltration, stolen data is often compressed using archiving utilities such as 7-Zip and WinRAR, then exfiltrated to file-sharing sites like MEGA or via MSGraph for cloud environments like Office 365, OneDrive, and SharePoint. HAFNIUM has also been seen performing reconnaissance by interacting with victim Office 365 tenants, even if not always successful in full compromise, to gain environmental insights.

Notable Campaigns

The 2021 Microsoft Exchange Server exploitation campaign, often referred to as “Operation Exchange Marauder” or “ProxyLogon,” remains HAFNIUM’s most widely recognized and impactful operation. This campaign, detected in early 2021, leveraged multiple zero-day vulnerabilities to gain access to tens of thousands of on-premises Exchange servers globally, allowing for persistent access and subsequent data exfiltration. The widespread nature of these attacks necessitated emergency security updates from Microsoft and drew condemnation from international governments, including the U.S., EU, and NATO.

Following the initial wave of Exchange exploitation, HAFNIUM continued to engage in the exploitation of unpatched Microsoft Exchange servers throughout 2021 and 2022, alongside numerous copycat actors who capitalized on the disclosed vulnerabilities.

In 2022, HAFNIUM was linked to the Tarrask malware, a defense evasion tool used in attacks targeting telecommunications, internet service providers, and data service companies from August 2021 to February 2022. More recently, around 2023-2024, HAFNIUM shifted some of its cyber activity towards targeting internet-connected IP infrastructure, including data centers and repositories. In 2025, the group reportedly exploited a security flaw in SharePoint, affecting thousands of servers and further demonstrating their continuous search for and exploitation of vulnerabilities in widely used enterprise software. Recent trends also indicate HAFNIUM’s interest in leveraging SEO poisoning, cloud service abuse, and compromising supply chains and IoT networks for initial access and persistent intelligence gathering.

Associated Malware & Tools

HAFNIUM is notable for its pragmatic approach to tooling, often favoring legitimate system utilities and open-source tools to minimize development costs and reduce detection by signature-based defenses. However, they do employ custom malware and a range of purpose-built web shells.

Key malware and web shells associated with HAFNIUM include:

  • Tarrask: A custom defense evasion malware designed to create scheduled tasks for persistence.
  • PlugX: A well-known remote access Trojan (RAT) often associated with Chinese state-sponsored groups.
  • Whitebird: Another custom backdoor or remote access tool.
  • Web Shells: These are critical for persistence and command execution. HAFNIUM has extensively used Backdoor.Hafnium (a detection name), China Chopper, SIMPLESEESHARP, SPORTSBALL, and ASPXSpy.

Beyond these, HAFNIUM makes extensive use of publicly available and legitimate administrative tools:

  • ProcDump: Used for dumping LSASS process memory to harvest credentials.
  • 7-Zip & WinRAR: Utilized for compressing stolen data prior to exfiltration.
  • PsExec: Employed for lateral movement within compromised networks.
  • Nishang & PowerCat: PowerShell-based open-source tools used to establish reverse shells for C2 and data exfiltration.
  • Covenant: An open-source C2 framework leveraged for command and control.
  • Impacket: A collection of Python classes for working with network protocols, often used for network reconnaissance and lateral movement.

The reliance on a blend of custom implants, common web shells, and dual-use tools highlights HAFNIUM’s adaptive and resourceful nature.

Current Status

HAFNIUM remains an active and evolving threat, consistently demonstrating its capability to identify and exploit vulnerabilities across a broad spectrum of internet-facing systems. Reports in early 2026 continue to reference HAFNIUM’s ongoing operations and its impact on the threat landscape. The group’s focus continues to be global cyber espionage, with a strategic emphasis on high-value intelligence.

Its targeting scope for 2025-2026 remains broad, prioritizing defense, policy institutes, higher education, medical research, and other sectors rich in proprietary or strategic data. There’s an observed trend towards increased attention on industries with essential infrastructure and IoT dependencies, indicating an adaptive strategy to broaden its access and exfiltration capabilities within complex supply chains. The group’s ability to quickly weaponize new exploits and adapt its tactics, techniques, and procedures (TTPs) suggests that HAFNIUM will continue to pose a significant threat to organizations worldwide, particularly those with publicly exposed applications and services. Organizations must maintain rigorous patching schedules, robust monitoring for web shells and post-exploitation activity, and a strong focus on identity and access management to defend against this persistent and sophisticated actor.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call