{
	"id": "0b56ac89-dfe3-4485-a1df-10597879415c",
	"created_at": "2026-04-06T00:14:23.343628Z",
	"updated_at": "2026-04-10T13:11:55.076385Z",
	"deleted_at": null,
	"sha1_hash": "6b9204f78f97dfc361add5f608256efda1c6838c",
	"title": "You Don't Know the HAFNIUM of it...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67482,
	"plain_text": "You Don't Know the HAFNIUM of it...\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 15:48:44 UTC\r\nIf you want access to Cyborg Security's Community Defense Measures for the HAFNIUM attack, including our free detection content, scroll down to the \"Detection Content\" section. Keep reading for an overview of the attack and what we know so far.\r\nAfter little more than a month of reprieve, the infosec community is, once again, back into it. This time, though, the target is even more prevalent than SolarWinds' Orion: Microsoft Exchange. The exploited vulnerabilities allow remote code execution (RCE). We've distilled the facts of the HAFNIUM attack to answer the most important questions.\r\nTable of Contents\r\n1. What We Know So Far about HAFNIUM\r\n2. Who Are They?\r\n3. Where is HAFNIUM From?\r\n4. Who is Being Targeted?\r\n5. What Are The Actors Doing?\r\n6. HAFNIUM MITRE ATT\u0026CK Techniques\r\n7. When Did All This Happen?\r\n8. What Should I Do?\r\n9. Detection Content\r\nWhat We Know So Far about HAFNIUM\r\nWho Are They?\r\nOn 2 March 2021, Microsoft released a blog article detailing a new threat actor it had dubbed HAFNIUM. The blog stated that Microsoft had observed the actor exploiting several 0-day vulnerabilities in on-premises Exchange Server.\r\nMicrosoft also highlighted that the HAFNIUM group had previously targeted other organizations and has historically focused on exploiting Internet-facing services.\r\nLater that same day, the company Volexity also released a blog article, in which they identified that they had observed the attacks beginning as early as 3 January 2021.\r\nHot on the heels of the Microsoft and Volexity blogs, other vendors began to contribute information. On 4 March 2021, FireEye's Mandiant Intelligence released their own blog post. In it, FireEye identified that they tracked the activity under three separate activity clusters:\r\nhttps://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/\r\nPage 1 of 4\n\nUNC2639\r\nUNC2640\r\nUNC2643\r\nOne particularly important point in this blog article is that FireEye detected this activity as far back as January 2021. The article also highlighted various TTPs and tools the actors used, including:\r\nASPXSPY\r\nCovenant\r\nChina Chopper\r\nNishang\r\nPowerCat\r\nCobalt Strike\r\nThey also described the actors' method of deploying web shells on compromised Exchange servers. These web shells were unusual: they detected the presence of specific security products and warned the actors. The security products detected included FireEye, Carbon Black and CrowdStrike. FireEye also described the actors' technique of dropping more complex web shells over time, apparently to avoid detection.\r\nIn time, other vendors have also come forward, including Symantec, which identified that it tracks HAFNIUM under the name Ant.\r\nWhere is HAFNIUM From?\r\nAttribution can be a tricky topic in cyber threat intelligence. Despite this, several sources, including Microsoft, have indicated that the HAFNIUM group is \"... state-sponsored and operating out of China ...\"\r\nWho is Being Targeted?\r\nAt this point, the targeting of HAFNIUM appears opportunistic. Indeed, since Microsoft released their initial blog, the actors have \"... stepped up attacks on any vulnerable, unpatched Exchange servers (2013, 2016, and 2019) worldwide.\" The HAFNIUM group, though, has targeted specific organizations in the past.\r\nAs both Microsoft and FireEye mentioned, HAFNIUM is a group with a bit of a track record. Microsoft identified that they have targeted several industries in the past. These included:\r\nInfectious disease research\r\nLaw firms\r\nUniversities\r\nDefense contractors\r\nThink tanks\r\nNon-Governmental Organizations (NGOs)\r\nFireEye also mentioned that they had observed several industries affected by the new attack, including:\r\nRetailers\r\nLocal Governments\r\nUniversities\r\nEngineering Firms\r\nThey also identified possible related activity observed in Asia, affecting:\r\nFederal governments\r\nTelecommunications providers\r\nWhat Are The Actors Doing?\r\nSince early January, the actors have been exploiting several 0-day vulnerabilities in Exchange. The vulnerabilities, which affect on-premises versions of Microsoft Exchange only (Exchange Online is not affected), are:\r\nCVE-2021-26855\r\nCVE-2021-26857\r\nCVE-2021-26858\r\nCVE-2021-27065\r\nOnce the actors establish a foothold in the environment, they deploy one or more web shells. These are small pieces of code, written into the web server's content directories, that give the actors control over the system. Applying the Exchange patches closes the entry point but does not remove a web shell that has already been dropped, which is why the forensic triage recommended below matters. Once in the environment, the actors use a variety of techniques.\r\nHAFNIUM MITRE ATT\u0026CK Techniques\r\nT1003.001 - OS Credential Dumping: LSASS Memory\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nT1114.001 - Email Collection: Local Email Collection\r\nT1136 - Create Account\r\nT1003.003 - OS Credential Dumping: NTDS\r\nT1021.002 - Remote Services: SMB/Windows Admin Shares\r\nT1005 - Data from Local System\r\nT1027 - Obfuscated Files or Information\r\nT1046 - Network Service Scanning\r\nT1059 - Command and Scripting Interpreter\r\nT1070 - Indicator Removal on Host\r\nT1071 - Application Layer Protocol\r\nT1074.002 - Data Staged: Remote Data Staging\r\nT1083 - File and Directory Discovery\r\nT1110 - Brute Force\r\nT1190 - Exploit Public-Facing Application\r\nT1505 - Server Software Component\r\nT1560.001 - Archive Collected Data: Archive via Utility\r\nT1589.002 - Gather Victim Identity Information: Email Addresses\r\nT1590.002 - Gather Victim Network Information: DNS\r\nWhen Did All This Happen?\r\nReporting from both FireEye and Volexity states that the attacks were first observed in January 2021. It is unknown whether this was the start of the campaign.\r\nThe bulk of the campaign appears to have taken place over February and March 2021.\r\nWhat Should I Do?\r\nWhat you should do next will likely depend on a few factors.\r\nCyborg Security has released new advanced detection content through its Community Defense Measures (CDM) project. This content will alert organizations to malicious behaviors related to the attacks.\r\nMicrosoft has released a tool that will scan Exchange logs for suspicious and malicious modifications.\r\nMicrosoft has also released security updates for Microsoft Exchange.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) has also released Alert AA21-062A. An important note about this is that CISA warns organizations: \"... [if] your organization [sees] evidence of compromise, your incident response should begin with conducting forensic analysis to collect artifacts and perform triage ....\"\r\nThe US Department of Homeland Security also issued Emergency Directive 21-02.\r\nDetection Content\r\nTo get Cyborg Security's HAFNIUM Community Defense Measures, click the button below. No sign up required!\r\n[Image: FREE DETECTION CONTENT]\r\nSource: https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/"
	],
	"report_names": [
		"you-dont-know-the-hafnium-of-it"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b9204f78f97dfc361add5f608256efda1c6838c.pdf",
		"text": "https://archive.orkl.eu/6b9204f78f97dfc361add5f608256efda1c6838c.txt",
		"img": "https://archive.orkl.eu/6b9204f78f97dfc361add5f608256efda1c6838c.jpg"
	}
}