{
	"id": "ea0b0123-3344-4654-8bc2-a6be67b3570f",
	"created_at": "2026-04-06T00:11:57.431762Z",
	"updated_at": "2026-04-10T13:11:23.096214Z",
	"deleted_at": null,
	"sha1_hash": "ea84bb7ffe4ef27847569e0f6d5b63f2e3eb2b14",
	"title": "Scan for HAFNIUM Exploitation Evidence with THOR Lite",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43601,
	"plain_text": "Scan for HAFNIUM Exploitation Evidence with THOR Lite\r\nBy Florian Roth\r\nPublished: 2026-03-30 · Archived: 2026-04-05 14:40:00 UTC\r\nExclude Mailbox Folders\r\nWe recommend excluding the mailboxes from the scan by adding the following line to the file ./config/directory-excludes.cfg\r\n\\\\(MDBDATA|Mailbox|Mailbox Database)\\\\\r\nScanning this directory would just slow down the scan and – according to all available reports – wouldn’t be necessary to produce relevant findings.\r\nExchange on Drives Other than C:\r\nIf your Exchange server isn’t installed on drive C:, use the “--allhds” flag.\r\nthor64-lite.exe --allhds\r\nOtherwise just run a standard scan without flags.\r\nAntivirus Exclusion\r\nSince THOR Lite doesn’t provide modules for “Rootkit” detection or problematic modules like “Mutex” or “NamedPipes”, you shouldn’t have problems scanning systems without an Antivirus exclusion filter.\r\nAll YARA rules are included in a compressed and encrypted form so that an Antivirus shouldn’t trigger on clear-text signatures, as is the case for most other YARA scanners, including LOKI.\r\nHowever, since some realtime engines check every file that THOR Lite has “touched” during its scan, an Antivirus exclusion can increase the scan speed by ~30% and avoid any interference (blocked access to some files etc.).\r\nScanning a Subset Only\r\nYou could run a scan on a subset only and skip other system folders. If you have a good picture of the location of the Exchange folder and all relevant subdirectories (log files, OWA web service folders), you could run a selective scan using the following command.\r\nthor64-lite.exe -a Filescan -p \"C:\\Program Files\\Microsoft\\Exchange Server\"\r\nHowever, we do not know if all relevant forensic evidence can be found in that folder.\r\nIntense Mode\r\nDon’t use the “--intense” flag, or use it only in cases in which it is okay for the scan to take 12+ hours to complete and system stability isn’t a concern – which is almost never the case. The “--intense” flag is meant for lab scenarios or use cases in which a maximum detection rate is very important. Warning: that flag disables all system resource monitoring safeguards that we’ve integrated into THOR.\r\nLab Scans\r\nTest the scan on samples that you’ve collected using the following commands:\r\nthor64-lite.exe -a Filescan -p D:\\collected-samples\r\nthor64-lite.exe --fsonly -p D:\\collected-samples\r\nThe first command reflects the scan mode that is used during a default scan with all modules. The second command starts THOR in “lab scanning” mode, which scans samples regardless of their extension and magic header. If you discover samples that get detected only in lab scanning mode, please let us know (see “How Can I Help” below).\r\nSource: https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite"
	],
	"report_names": [
		"scan-for-hafnium-exploitation-evidence-with-thor-lite"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea84bb7ffe4ef27847569e0f6d5b63f2e3eb2b14.pdf",
		"text": "https://archive.orkl.eu/ea84bb7ffe4ef27847569e0f6d5b63f2e3eb2b14.txt",
		"img": "https://archive.orkl.eu/ea84bb7ffe4ef27847569e0f6d5b63f2e3eb2b14.jpg"
	}
}