Threat Actor

Silk Typhoon

silk_typhoon · china · active since 2020-11

Silk Typhoon (HAFNIUM / Operation Exchange Marauder / UNC5221 / DEV-0322 / G0125) is a Chinese state-sponsored cyber-espionage actor formally attributed to the People's Republic of China Ministry of State Security Shanghai State Security Bureau, operating through a tiered contractor ecosystem including Shanghai Powerock Network (Xu Zewei) and Shanghai Firetech Information Science and Technology (Zhang Yu) per the July 2025 US DOJ nine-count indictment. It is one of the most fully attributed Chinese state-actor clusters in public reporting, culminating in the October-November 2025 first successful extradition of a PRC-state cyber operator from a European jurisdiction (Xu Zewei, from Milan, Italy to the US Southern District of Texas with Italian law-enforcement cooperation).

Silk Typhoon became internationally prominent with the March 2, 2021 Microsoft disclosure of HAFNIUM exploiting four Microsoft Exchange Server zero-day vulnerabilities collectively known as ProxyLogon (CVE-2021-26855 / 26857 / 26858 / 27065). HAFNIUM-specific operations focused on defense contractors, policy think tanks, higher education, infectious-disease researchers (including US universities targeted for COVID-19 vaccine and treatment research theft, directly slowing global pandemic response per DOJ characterization), law firms, and NGOs. Catastrophic spillover began February 28, 2021, five days after Microsoft alerted MAPP partners to ProxyLogon POC code, and led to mass exploitation by additional Chinese-state-affiliated and criminal hacking groups, ultimately compromising more than 12,700 US organizations per the FBI's 2025 statement.

Tradecraft hallmarks include zero-day capability and rapid n-day weaponization, US-based leased VPS infrastructure deliberately chosen to defeat geographic-blocking defenses, China Chopper web-shell deployment as signature post-exploitation persistence, Mimikatz / procdump LSASS credential dumping, and a 2023+ pivot to cloud-identity targeting (password spray against Microsoft 365 / Entra ID, OAuth abuse, service-principal compromise, SAML token forgery, Azure Key Vault credential theft). That pivot culminated in the December 2024 BeyondTrust Remote Support SaaS breach via a compromised API key, giving access to US Treasury including OFAC sanctions-policy materials (~400 Treasury computers, 3,000+ files stolen), followed by the January 2025 US Treasury OFAC sanctions designation of Yin Kecheng as an MSS-affiliated decade-long cyber actor responsible for the Treasury breach. Shanghai Firetech patent filings revealed by the July 2025 SentinelLabs analysis document Apple device forensics, router exploitation, mobile forensics, and close-access operations tooling exceeding publicly attributed HAFNIUM tradecraft, establishing the broader MSS-contractor ecosystem context (i-SOON lowest-tier subcontractor, Shanghai Powerock mid-tier MSS contractor for Hafnium, Shanghai Firetech top-tier SSSB contractor for Hafnium, Chengdu404 parallel top-tier contractor for APT41).

Attribution: China (confidence: high) · 26 aliases · MITRE ATT&CK G0125

Profile

Silk Typhoon (HAFNIUM / Operation Exchange Marauder / UNC5221 / DEV-0322 / G0125) is a Chinese state-sponsored cyber-espionage actor formally attributed to the People's Republic of China Ministry of State Security (MSS) Shanghai State Security Bureau (SSSB), operating through a tiered contractor ecosystem including Shanghai Powerock Network Co. Ltd. (Xu Zewei) and Shanghai Firetech Information Science and Technology Company (Zhang Yu). The July 2025 US DOJ nine-count indictment established the most comprehensive attribution to specific PRC MSS contractors and named operators in the public corpus. Following Xu Zewei's October-November 2025 extradition from Milan, Italy to the US Southern District of Texas, the first successful extradition of a PRC-state cyber operator from a European jurisdiction, Silk Typhoon represents one of the most fully attributed Chinese state-actor clusters in modern cyber history. Silk Typhoon became internationally prominent with the March 2, 2021 Microsoft disclosure of HAFNIUM exploiting four Microsoft Exchange Server zero-day vulnerabilities, collectively known as ProxyLogon (CVE-2021-26855 SSRF, CVE-2021-26857 insecure deserialization, CVE-2021-26858 and CVE-2021-27065 arbitrary file write). Initial HAFNIUM-specific operations were targeted and focused on defense contractors, policy think tanks, higher education, infectious-disease researchers, law firms, and NGOs. The catastrophic spillover began February 28, 2021, five days after Microsoft alerted Microsoft Advanced Protection Program (MAPP) partners to ProxyLogon proof-of-concept code, after which new Chinese state-affiliated and criminal hacking groups began exploiting the vulnerability at immense scale. By the time Microsoft patched on March 2, 2021, mass exploitation had spread globally. Per the FBI's July 2025 statement, HAFNIUM compromised more than 12,700 US organizations, among the largest publicly disclosed single-campaign US victim counts in modern cyber history.
Targeting profile spans the full Chinese strategic-intelligence mission set: COVID-19 vaccine and treatment research (US universities including University of Texas, infectious-disease researchers, directly slowing global pandemic response per DOJ characterization), defense contractors and the defense industrial base, policy think tanks providing US-policy intelligence, higher education and academic institutions, law firms (including a global law firm with Washington offices targeted for US-policymaker information), pharmaceutical companies, NGOs, and the cloud-service-provider supply chain (the BeyondTrust Treasury breach of December 2024, accessing 400 Treasury computers and stealing 3,000+ files including OFAC sanctions material on planned actions against Chinese entities). The BeyondTrust-Treasury breach represents the most consequential Silk Typhoon operation in the post-rebrand era, directly targeting US Treasury OFAC for retaliatory intelligence on US sanctions policy.

Operational evolution:

Phase I (2020-2021): initial COVID-19 research theft from universities, escalating to the ProxyLogon Exchange-server zero-day exploitation campaign with web-shell deployment for persistent access.

Phase II (2022-2023): sustained on-premises Exchange operations, integration of botnet infrastructure as cover networks, and expansion to managed service provider supply-chain targeting.

Phase III (2023-2026): cloud-identity infrastructure pivot: password spray against Microsoft 365 / Entra ID environments, OAuth application abuse, service-principal compromise, SAML token forgery (T1606.002), Azure Key Vault credential theft, and cloud-account creation for persistence (T1136.003), reflecting victim cloud migration. The pivot positions Silk Typhoon at the cutting edge of state-actor cloud-identity tradecraft alongside APT29.

Tradecraft hallmarks:

(a) zero-day capability and rapid n-day weaponization; the ProxyLogon chain demonstrated significant vulnerability-research investment.

(b) US-based leased VPS infrastructure, deliberately chosen to make geographic attribution harder and traffic patterns look normal; defenders cannot rely on blocking non-domestic IP ranges.

(c) China Chopper and related web-shell deployment as the signature post-exploitation persistence pattern.

(d) Mimikatz and procdump for LSASS credential dumping post-shell.

(e) cloud-identity targeting via OAuth abuse, SAML forgery, and password-spray attacks (Silk Typhoon era).

(f) integration of cover-network botnet infrastructure (paralleling Flax Typhoon's Raptor Train pattern).

(g) supply-chain compromise via cloud-service providers (the BeyondTrust pattern).

(h) extensive use of legitimate administrative tools and living-off-the-land tradecraft.

(i) capabilities revealed by Shanghai Firetech patent filings, including Apple device forensics, router exploitation, mobile forensics, and close-access operations, exceeding tradecraft publicly attributed to HAFNIUM and suggesting either undisclosed operations or capability sales to other regional MSS bureaus.

Note on related clusters: Silk Typhoon is closely related to but operationally distinct from APT40 (MSS Hainan / Tianjin Xiandun) per Wikipedia and SentinelLabs analysis. The broader MSS-contractor ecosystem revealed by the February 2024 i-SOON leak and the July 2025 DOJ Xu Zewei / Zhang Yu indictment provides the most comprehensive open-source picture of Chinese state-actor outsourcing: i-SOON (lowest tier, low-paying contracts, subcontracting up), Shanghai Powerock (mid-tier MSS contractor for Hafnium), Shanghai Firetech (top-tier SSSB contractor for Hafnium with extensive in-house tool development), Chengdu404 (parallel top-tier MSS contractor for APT41 / Wicked Panda).
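As an added, defender-side example (not from this profile or from any of the reports it cites): a minimal password-spray detector run over constructed Entra ID-style sign-in records, illustrating hallmarks (b) and (e) together. It flags a source IP that fails against many accounts with few attempts each, records whether the source sits inside the tenant's home region (so a geo-block would not have caught it), and lists accounts the same IP then signed into successfully. HOME_REGION, the IPs, account names and the use of error code 50126 are assumptions for the example.

```python
from collections import defaultdict

# Constructed sign-in records shaped like Entra ID sign-in log fields
# (userPrincipalName, ipAddress, status.errorCode, location.countryOrRegion).
# 50126 is the Entra ID "invalid username or password" error code; the IPs,
# accounts and countries below are invented for this example.
HOME_REGION = "US"  # assumption: the defended tenant's users sign in from the US
SPRAY_IP, BRUTE_IP, USER_IP = "203.0.113.10", "198.51.100.7", "192.0.2.5"
ACCOUNTS = [f"user{i}@example.org" for i in range(6)]
SAMPLE_SIGNINS = (
    # one failed attempt per account from a US-hosted VPS, then one success
    [{"upn": u, "ip": SPRAY_IP, "error": 50126, "country": "US"} for u in ACCOUNTS]
    + [{"upn": ACCOUNTS[3], "ip": SPRAY_IP, "error": 0, "country": "US"}]
    # six failures against a single account: brute force, not a spray
    + [{"upn": ACCOUNTS[0], "ip": BRUTE_IP, "error": 50126, "country": "NL"}] * 6
    # an ordinary successful sign-in
    + [{"upn": ACCOUNTS[1], "ip": USER_IP, "error": 0, "country": "US"}]
)


def detect_password_spray(events, min_accounts=5, max_per_account=2):
    """Flag source IPs that fail against many distinct accounts with only a few
    attempts each, which is the password-spray shape (few guesses, many users)."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> upn -> failed count
    successes = defaultdict(set)                      # ip -> upns that succeeded
    country = {}
    for e in events:
        country[e["ip"]] = e["country"]
        if e["error"] == 0:
            successes[e["ip"]].add(e["upn"])
        else:
            failures[e["ip"]][e["upn"]] += 1
    findings = []
    for ip, per_account in failures.items():
        if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
            continue  # too few targets, or a single-account brute force
        findings.append({
            "ip": ip,
            "accounts_targeted": len(per_account),
            "country": country[ip],
            # hallmark (b): a domestic source would pass a geo-block, so record it
            "outside_home_region": country[ip] != HOME_REGION,
            # accounts the spraying IP later signed into successfully
            "possibly_compromised": sorted(successes[ip] & set(per_account)),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```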

Aliases (26)

silk typhoon, silktyphoon, hafnium, hafnium group, operation exchange marauder, operation_exchange_marauder, proxylogon, proxy_logon, unc5221, unc 5221, dev-0322, dev_0322, apt29-overlap, mss, ministry of state security, shanghai state security bureau, sssb, shanghai_state_security_bureau, shanghai powerock, shanghai powerock network, shanghai firetech, shanghai firetech information science, shanghai siling commerce, shanghai_siling, g0125, hafnium operation

Notable Campaigns (13)

2025-2026 · Sustained Cloud-Identity Operations (2025-2026)
2025 · Xu Zewei Extradition to US (October-November 2025)
2025 · SentinelLabs 'Silk Spun from Hafnium' Analysis (July 2025)
2025 · US DOJ Xu Zewei / Zhang Yu Indictment (July 2025)
2025 · US Treasury OFAC Sanctions on Yin Kecheng (January 2025)
2024 · BeyondTrust / US Treasury Breach (December 2024)
2023-2024 · Silk Typhoon Cloud-Identity Targeting Pivot (2023-2024)
2023 · Microsoft Silk Typhoon Renaming (July 2023)
2021 · 12,700+ US Organizations Compromised (Per FBI 2025)
2021 · ProxyLogon Mass Exploitation Spillover (February-March 2021)
2021 · Volexity Operation Exchange Marauder Parallel Disclosure (March 2021)
2021 · Microsoft HAFNIUM ProxyLogon Disclosure (March 2, 2021)
2020-2021 · COVID-19 Vaccine and Treatment Research Theft (February 2020 - 2021)

Attribution & Reporting

Attributed by

FBI, CISA, NSA, US Cyber Command, US Department of Justice, US Department of Treasury, US Department of Treasury OFAC, US Department of State, US State Department Rewards for Justice, UK NCSC, Australia ACSC, Canadian Centre for Cyber Security, New Zealand NCSC, Five Eyes, European Union, Microsoft, Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Crimes Unit, Mandiant, FireEye, Google Cloud Threat Intelligence, CrowdStrike, Volexity, ESET, SentinelOne, SentinelLabs, Trend Micro, Cisco Talos, Symantec / Broadcom, Kaspersky, Check Point Research, Recorded Future, Insikt Group, SecureWorks, Bloomberg, Italian Police (extradition partners), Dakota Cary (independent China expert)

Key reporting

Microsoft Threat Intelligence: HAFNIUM Targeting Exchange Servers with 0-day Exploits (March 2, 2021)
Microsoft Threat Intelligence: Silk Typhoon Targeting IT Supply Chain (March 5, 2025)
Volexity: Active Exploitation of Microsoft Exchange Zero-Day Vulnerabilities, Operation Exchange Marauder (March 2, 2021)
CISA AA21-062A: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities (March 2021)
Mandiant: Silk Typhoon Targeting Cloud Services (2024-2025)
SentinelLabs: China's Covert Capabilities, Silk Spun from Hafnium (July 30, 2025)
US DOJ Indictment: USA v. Xu Zewei and Zhang Yu (Southern District of Texas, July 2025)
US DOJ: Chinese National Extradited to United States for Cyber Intrusions Affecting Microsoft Exchange (2025)
US Treasury OFAC JY-2792: Sanctions Designations of Yin Kecheng and Sichuan Juxinhe Network Technology (January 17, 2025)
US State Department Rewards for Justice: $10M Reward Announcement for State-Sponsored Cyber Actors (January 2025)
Cisco Talos: ProxyLogon and HAFNIUM Analysis (March 2021)
CrowdStrike: Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits (March 2021)
ESET: Exchange Servers Under Siege from at Least 10 APT Groups (March 2021)
Bloomberg: Treasury China Hack BeyondTrust Investigation (January 2025)
Dakota Cary (SentinelLabs/independent): Analysis of Shanghai Firetech Patent Filings
FBI Cyber Division Statement: HAFNIUM 12,700 US Organizations Compromised (July 2025, Brett Leatherman)
Council on Foreign Relations: Hafnium Cyber Operations Tracker
EuRepoC: APT Profile, Hafnium

Operational

State sponsor

People's Republic of China (PRC), Ministry of State Security (MSS), specifically the Shanghai State Security Bureau (SSSB) per the July 2025 US DOJ indictment of Xu Zewei (employed by Shanghai Powerock Network Co. Ltd.) and Zhang Yu (employed by Shanghai Firetech Information Science and Technology Company). The indictment named the MSS-contractor model: private Chinese technology companies directed by the MSS to conduct offensive operations for plausible deniability. Microsoft MSTIC rates the Chinese state-sponsorship assessment at 'high confidence.' Hafnium is closely related to but operationally distinct from APT40 (MSS Hainan).

SentinelLabs analysis links the cluster to the MSS-contractor ecosystem revealed by the February 2024 i-SOON leak.

Motivations
espionage, intelligence_gathering, covid_19_research_theft, vaccine_research_theft, policy_intelligence, government_intelligence, sanctions_research, financial_sanctions_intelligence, defense_intellectual_property, dual_use_technology_collection, geopolitical_collection, long_term_access_positioning, cloud_infrastructure_compromise

Detection Blind Spots (60 techniques)

Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.

Behavioral / log (Sigma): 55/60 (91%)
Analytics (MITRE CAR): 35/60 (58%)
Runtime / container (Falco): 5/60 (8%)
File / malware (YARA): 0/60 (0%)
Network (Suricata/Snort): 12/60 (20%)
Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan (30 techniques)

Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used (10 mapped)

Other tooling / TTPs (curation, not ATT&CK-mapped): METERPRETER, MFSH, MOBILE DEVICE FORENSICS TOOLS, SERVICE PRINCIPAL ABUSE, SHANGHAI FIRETECH APPLE FORENSICS, SIMPLESHELL, SIMPLE SHELL, SPORTSBALL, SPORTS BALL
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin