| SYMBOL | COMMON_NAME | aka. SYNONYMS |
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
| 2025-03-24
⋅
SYGNIA
⋅
Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation CHINACHOPPER reGeorg |
| 2024-05-23
⋅
Palo Alto Networks Unit 42
⋅
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia Agent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter CL-STA-0043 |
| 2024-04-19
⋅
⋅
Spiegel Online
⋅
VW-Konzern wurde jahrelang ausspioniert – von China? CHINACHOPPER PlugX |
| 2023-06-16
⋅
Palo Alto Networks: Cortex Threat Research
⋅
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa CHINACHOPPER Ladon Yasso CL-STA-0043 |
| 2023-02-13
⋅
AhnLab
⋅
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign Godzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit |
| 2022-12-24
⋅
Medium (@DCSO_CyTec)
⋅
APT41 — The spy who failed to encrypt me CHINACHOPPER |
| 2022-09-29
⋅
Symantec
⋅
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 Witchetty |
| 2022-07-26
⋅
Microsoft
⋅
Malicious IIS extensions quietly open persistent backdoors into servers CHINACHOPPER MimiKatz |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
| 2022-06-15
⋅
Security Joes
⋅
Backdoor via XFF: Mysterious Threat Actor Under Radar CHINACHOPPER |
| 2022-04-28
⋅
PWC
⋅
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
| 2022-01-27
⋅
JSAC 2021
⋅
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
| 2021-11-03
⋅
Cisco Talos
⋅
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk Babuk CHINACHOPPER |
| 2021-10-07
⋅
Microsoft
⋅
Microsoft Digital Defense Report - October 2021 APT15 APT31 APT40 APT5 Earth Lusca HAFNIUM |
| 2021-09-03
⋅
FireEye
⋅
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers CHINACHOPPER HTran |
| 2021-08-03
⋅
Cybereason
⋅
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
| 2021-07-20
⋅
Government points finger at China over cyber attacks APT40 HAFNIUM |
| 2021-07-20
⋅
Secureworks
⋅
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran CHINACHOPPER MimiKatz RGDoor |
| 2021-07-19
⋅
Minister for Foreign Affairs of Australia
⋅
Australia joins international partners in attribution of malicious cyber activity to China APT31 APT40 HAFNIUM |
| 2021-07-19
⋅
GOV.UK
⋅
UK and allies hold Chinese state responsible for a pervasive pattern of hacking APT31 APT40 HAFNIUM |
| 2021-06-10
⋅
ESET Research
⋅
BackdoorDiplomacy: Upgrading from Quarian to Turian CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
| 2021-05-07
⋅
Cisco Talos
⋅
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike Lemon Duck |
| 2021-05-07
⋅
SophosLabs Uncut
⋅
New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike Lemon Duck |
| 2021-05-06
⋅
Trend Micro
⋅
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
| 2021-05-05
⋅
Symantec
⋅
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques CHINACHOPPER |
| 2021-04-27
⋅
Trend Micro
⋅
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
| 2021-04-16
⋅
Trend Micro
⋅
Could the Microsoft Exchange breach be stopped? CHINACHOPPER |
| 2021-04-15
⋅
Palo Alto Networks Unit 42
⋅
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials CHINACHOPPER |
| 2021-03-26
⋅
Imperva
⋅
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures CHINACHOPPER |
| 2021-03-25
⋅
Microsoft
⋅
Analyzing attacks taking advantage of the Exchange Server vulnerabilities CHINACHOPPER |
| 2021-03-25
⋅
Microsoft
⋅
Web Shell Threat Hunting with Azure Sentinel CHINACHOPPER |
| 2021-03-21
⋅
Twitter (@CyberRaiju)
⋅
Twitter Thread with analysis of .NET China Chopper CHINACHOPPER |
| 2021-03-19
⋅
Bundesamt für Sicherheit in der Informationstechnik
⋅
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) CHINACHOPPER MimiKatz |
| 2021-03-15
⋅
Trustwave
⋅
HAFNIUM, China Chopper and ASP.NET Runtime CHINACHOPPER |
| 2021-03-14
⋅
DAILY BEAST
⋅
How China’s Devastating Microsoft Hack Puts Us All at Risk HAFNIUM |
| 2021-03-11
⋅
Palo Alto Networks Unit 42
⋅
Microsoft Exchange Server Attack Timeline CHINACHOPPER |
| 2021-03-11
⋅
DEVO
⋅
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service CHINACHOPPER MimiKatz |
| 2021-03-11
⋅
Cyborg Security
⋅
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
| 2021-03-10
⋅
DomainTools
⋅
Examining Exchange Exploitation and its Lessons for Defenders CHINACHOPPER |
| 2021-03-10
⋅
Lemon's InfoSec Ramblings
⋅
Microsoft Exchange & the HAFNIUM Threat Actor CHINACHOPPER |
| 2021-03-10
⋅
PICUS Security
⋅
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers CHINACHOPPER |
| 2021-03-09
⋅
Microsoft
⋅
Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 HAFNIUM |
| 2021-03-09
⋅
Red Canary
⋅
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm CHINACHOPPER |
| 2021-03-09
⋅
PRAETORIAN
⋅
Reproducing the Microsoft Exchange Proxylogon Exploit Chain CHINACHOPPER |
| 2021-03-09
⋅
Palo Alto Networks Unit 42
⋅
Remediation Steps for the Microsoft Exchange Server Vulnerabilities CHINACHOPPER |
| 2021-03-09
⋅
YouTube (John Hammond)
⋅
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange CHINACHOPPER |
| 2021-03-08
⋅
Symantec
⋅
How Symantec Stops Microsoft Exchange Server Attacks CHINACHOPPER MimiKatz |
| 2021-03-08
⋅
Palo Alto Networks Unit 42
⋅
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells CHINACHOPPER |
| 2021-03-07
⋅
TRUESEC
⋅
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM CHINACHOPPER |
| 2021-03-06
⋅
Nextron Systems
⋅
Scan for HAFNIUM Exploitation Evidence with THOR Lite HAFNIUM |
| 2021-03-06
⋅
Github (microsoft)
⋅
Security scripts HAFNIUM |
| 2021-03-05
⋅
Microsoft
⋅
Exchange Server IIS dropping web shells and other artifacts HAFNIUM |
| 2021-03-05
⋅
Huntress Labs
⋅
Operation Exchange Marauder CHINACHOPPER |
| 2021-03-05
⋅
Github (cert-lv)
⋅
Detect webshells dropped on Microsoft Exchange servers after 0day compromises HAFNIUM |
| 2021-03-05
⋅
Pastebin (MALWAREQUINN)
⋅
Hafnium Exchange Vuln Detection - KQL HAFNIUM |
| 2021-03-05
⋅
Wired
⋅
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims CHINACHOPPER |
| 2021-03-04
⋅
Huntress Labs
⋅
Operation Exchange Marauder CHINACHOPPER |
| 2021-03-04
⋅
CrowdStrike
⋅
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits CHINACHOPPER HAFNIUM |
| 2021-03-04
⋅
Elastic
⋅
Detection and Response for HAFNIUM Activity HAFNIUM |
| 2021-03-04
⋅
FireEye
⋅
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
CISA
⋅
Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities HAFNIUM |
| 2021-03-03
⋅
Huntress Labs
⋅
Rapid Response: Mass Exploitation of On-Prem Exchange Servers CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
Huntress Labs
⋅
Mass exploitation of on-prem Exchange servers :( CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
MITRE
⋅
HAFNIUM CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
splunk
⋅
Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk HAFNIUM |
| 2021-03-02
⋅
Microsoft
⋅
Multiple Security Updates Released for Exchange Server – updated March 8, 2021 HAFNIUM |
| 2021-03-02
⋅
Microsoft
⋅
HAFNIUM targeting Exchange Servers with 0-day exploits CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Rapid7 Labs
⋅
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Twitter (@ESETresearch)
⋅
Tweet on Exchange RCE CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Volexity
⋅
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities CHINACHOPPER HAFNIUM |
| 2021-01-29
⋅
Trend Micro
⋅
Chopper ASPX web shell used in targeted attack CHINACHOPPER MimiKatz |
| 2021-01-01
⋅
DomainTools
⋅
Conceptualizing a Continuum of Cyber Threat Attribution CHINACHOPPER SUNBURST |
| 2020-11-27
⋅
PTSecurity
⋅
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
| 2020-10-01
⋅
US-CERT
⋅
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
| 2020-09-15
⋅
US-CERT
⋅
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten |
| 2020-09-15
⋅
US-CERT
⋅
Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER |
| 2020-07-21
⋅
Department of Justice
⋅
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research CHINACHOPPER BRONZE SPRING |
| 2020-02-21
⋅
ADEO DFIR
⋅
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
| 2020-01-01
⋅
FireEye
⋅
Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
| 2019-12-12
⋅
Microsoft
⋅
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell |
| 2019-09-23
⋅
MITRE
⋅
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
| 2019-08-27
⋅
Cisco Talos
⋅
China Chopper still active 9 years later CHINACHOPPER |
| 2019-08-19
⋅
FireEye
⋅
GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON |
| 2019-06-25
⋅
Cybereason
⋅
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
| 2019-05-28
⋅
Palo Alto Networks Unit 42
⋅
Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER HyperSSL |
| 2019-01-01
⋅
MITRE
⋅
Tool description: China Chopper CHINACHOPPER |
| 2018-03-16
⋅
FireEye
⋅
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40 |
| 2017-12-20
⋅
CrowdStrike
⋅
An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER |
| 2013-08-07
⋅
FireEye
⋅
Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER |