Detect, Respond, Protect
See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.
Silk Typhoon (formerly known as HAFNIUM) is a state-backed, contractor-powered advanced persistent threat (APT) group, which the U.S. government has tied to the People's Republic of China. Active since at least 2016, the group first drew global attention in 2021 for mass-exploiting on-premises Microsoft Exchange servers. The group has since evolved into a consistently active espionage actor targeting the IT supply chain, abusing trusted tools like remote monitoring and management (RMM) software, cloud service providers, and privileged access management platforms to reach the downstream customers of its initial targets.
Silk Typhoon's operations are built around espionage and long-term access, with goals that include:
Stealing intellectual property and sensitive research (early activity notably targeted infectious disease researchers)
Gathering intelligence from government, legal, defense, and policy organizations
Establishing footholds inside IT service providers and cloud platforms to reach many downstream victims from a single point of compromise
Masking the true scope of an operation by shifting from quiet, targeted access to rapid, mass exploitation once detection risk increases
Exploiting public-facing applications: Silk Typhoon has a long history of weaponizing vulnerabilities in Microsoft Exchange (most notably the ProxyLogon vulnerability chain in 2021) and has continued exploiting edge devices and enterprise software as an initial access vector.
Web shells: The group deploys web shells (including variants of China Chopper) on compromised servers to maintain persistent, flexible remote access.
IT supply chain targeting: More recent activity (detailed in Microsoft's March 2025 reporting) shows Silk Typhoon pivoting toward RMM tools, cloud providers, and privileged access management (PAM) solutions, stealing API keys and service credentials from these platforms to move laterally into the environments of the providers' downstream customers.
Credential and token abuse: The group harvests credentials, service principal keys, and OAuth application secrets to blend in with legitimate administrative activity in cloud environments rather than relying solely on malware.
Living off the land: Once inside an environment, Silk Typhoon favors legitimate administrative tools and built-in utilities to evade detection.
Silk Typhoon casts a wide net. Historically publicized targeting has included:
Government agencies, defense contractors, and policy think tanks
Law firms and higher education/research institutions
NGOs and international organizations
IT service providers, managed service providers, and cloud platforms (used as a path to their customers)
When Microsoft first disclosed the Exchange Server zero days in March 2021, the campaign was publicly described as "limited and targeted." Huntress's own front-line data told a different story. Quiet, targeted exploitation began as early as January 2021, but starting around March 2, 2021, the activity shifted into a mass, automated "spray-and-pray" campaign scanning the internet for any unpatched Exchange server—a deliberate move to bury the group's original intent once defenders started closing in.
Across the broader Exchange campaign, public and industry reporting described a figure on the order of tens of thousands of web shells, often cited around 88,000 identified across compromised systems worldwide.
That visibility mattered years later. When federal investigators pursued the individuals behind the campaign, data from multiple private‑sector organizations (including Huntress) informed law enforcement's picture of the intrusion set and impacted organizations. That broader body of data, alongside other investigative inputs, supported a DOJ‑authorized, rarely used remediation action leveraging the attackers' own web shells to remotely remove them from victim systems around the world.
2025: The U.S. Department of Justice unsealed an indictment against Xu Zewei, an alleged contract hacker that U.S. authorities associate with HAFNIUM/Silk Typhoon activity. He was arrested in Milan and extradited to the U.S., where he appeared in court April 2026.
Zhang Yu, a second named co-conspirator in the indictment, remains at large as of this writing.
The broader contractor ecosystem believed to power Silk Typhoon's operations has not been dismantled—one arrest is a crack in a much larger case, not a final blow.
Patch relentlessly, especially edge infrastructure. Silk Typhoon has repeatedly turned unpatched Exchange servers and other internet-facing systems into initial access entry points. Prioritize anything listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Audit and rotate credentials tied to third-party tools. Given the group's pivot toward IT supply chain targeting, treat API keys and service credentials used by RMM software, cloud platforms, and PAM tools as high-value assets. Rotate them regularly and scope their permissions tightly.
Enforce multi-factor authentication (MFA) and conditional access on cloud identities. Silk Typhoon's more recent tradecraft leans on abusing legitimate cloud credentials and OAuth grants rather than dropping obvious malware, so identity-layer controls matter as much as endpoint controls.
Monitor for web shells and anomalous admin activity. Behavioral detection for web shell patterns and unexpected administrative sessions catches activity that static IoCs will miss.
Scrutinize vendor and MSP access. If a supplier's compromise can become your compromise, know what access every third-party integration actually has—and whether it needs all of it.
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Ryuk threats with enterprise-grade technology.