China · Formally attributed · Active · MITRE G0125

HAFNIUM


HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 High, ≥ 3 Moderate, < 3 Low.

Score: 1.6 (low signal strength)
Mentions: 2
Sources: 0
High conf.: 2
Last seen: Jun 2026
First observed: 2021-03-03
Last active: Active
Origin: China — attributed by US, EU, NATO, and Five Eyes governments (consensus confidence)
Aliases: 5
Techniques: 44
Campaigns: 1
Targets: Government, Defence, Legal, NGO, Think Tank
Regions: US, EU, Global

Attribution signals

2 mentions · 0 sources

#1 · hedge term: used · confidence: high
Signal types: TTP match, Geopolitical
Source: greynoise
Date: Jun 2026

"It's a variant of CVE-2024-12356, the same vulnerability class that Chinese state-sponsored group Silk Typhoon used to breach the U.S. Treasury Department in late 2024."

#2 · hedge term: used · confidence: high
Signal types: Infrastructure, TTP match
Source: greynoise
Date: Jun 2026

"On January 5, we observed a Polish hosting provider running the same BeyondTrust RCE + PostgreSQL SQLi chain that Silk Typhoon used against the Treasury, all targeting the /nw WebSocket path on port 443."

Hedge terms observed: used