Threat Actor Profile

Silk Typhoon

Silk Typhoon (formerly known as HAFNIUM) is a state-backed, contractor-powered advanced persistent threat (APT) group, which the U.S. government has tied to the People's Republic of China. Active since at least 2016, the group first drew global attention in 2021 for mass-exploiting on-premises Microsoft Exchange servers. The group has since evolved into a consistently active espionage actor targeting the IT supply chain, abusing trusted tools like remote monitoring and management (RMM) software, cloud service providers, and privileged access management platforms to reach the downstream customers of its initial targets.

Threat Actor Profile

Silk Typhoon

Country of Origin

Silk Typhoon is widely attributed to the People's Republic of China (PRC). Microsoft publicly addresses the group as state-sponsored, and U.S. law enforcement has alleged in unsealed indictments that individuals linked to the group's operations worked in support of China's Ministry of State Security (MSS).

Members

Silk Typhoon is not believed to be a single fixed team but an operation built with the structure and economics of an industrial enterprise, reportedly drawing on contractor networks that supply tooling, infrastructure, and operators to Chinese state intelligence agencies. This contractor model allows the group to scale operations broadly, mass-exploiting internet-facing systems while separately running more targeted, higher-value intrusions.

Leadership

Direct leadership of Silk Typhoon has not been publicly disclosed, which is typical for state-linked APT operations. What is public: In 2025, the U.S. Department of Justice unsealed charges against Xu Zewei, an alleged contract hacker linked to the group's activity, who was extradited to the United States to face prosecution. A second named co-conspirator, Zhang Yu, remains at large. Cybersecurity vendors track the cluster's activity under several names, including: -HAFNIUM (Microsoft's former name for the group) -Murky Panda (CrowdStrike) -G0125 (MITRE ATT&CK group designation) Note: Silk Typhoon is sometimes confused in public reporting with other, distinct China-nexus clusters (for example, groups tracked separately as UNC5221 or APT27) that exploit similar edge-device vulnerabilities. These are different operations with different tracking histories, and shouldn't be treated as aliases of Silk Typhoon.

Silk Typhoon TTPs

Tactics

Silk Typhoon's operations are built around espionage and long-term access, with goals that include:

  • Stealing intellectual property and sensitive research (early  activity notably targeted infectious disease researchers)

  • Gathering intelligence from government, legal, defense, and policy organizations

  • Establishing footholds inside IT service providers and cloud platforms to reach many downstream victims from a single point of compromise

  • Masking the true scope of an operation by shifting from quiet, targeted access to rapid, mass exploitation once detection risk increases

Techniques

  • Exploiting public-facing applications: Silk Typhoon has a long history of weaponizing vulnerabilities in Microsoft Exchange (most notably the ProxyLogon vulnerability chain in 2021) and has continued exploiting edge devices and enterprise software as an initial access vector.

  • Web shells: The group deploys web shells (including variants of China Chopper) on compromised servers to maintain persistent, flexible remote access.

  • IT supply chain targeting: More recent activity (detailed in Microsoft's March 2025 reporting) shows Silk Typhoon pivoting toward RMM tools, cloud providers, and privileged access management (PAM) solutions, stealing API keys and service credentials from these platforms to move laterally into the environments of the providers' downstream customers.

  • Credential and token abuse: The group harvests credentials, service principal keys, and OAuth application secrets to blend in with legitimate administrative activity in cloud environments rather than relying solely on malware.

  • Living off the land: Once inside an environment, Silk Typhoon favors legitimate administrative tools and built-in utilities to evade detection.

Targets

Silk Typhoon casts a wide net. Historically publicized targeting has included:

  • Government agencies, defense contractors, and policy think tanks

  • Law firms and higher education/research institutions

  • NGOs and international organizations

  • IT service providers, managed service providers, and cloud platforms (used as a path to their customers)

Want to Shut Down Threats Before They Start?

The 2021 Microsoft Exchange Campaign: What Huntress Saw

When Microsoft first disclosed the Exchange Server zero days in March 2021, the campaign was publicly described as "limited and targeted." Huntress's own front-line data told a different story. Quiet, targeted exploitation began as early as January 2021, but starting around March 2, 2021, the activity shifted into a mass, automated "spray-and-pray" campaign scanning the internet for any unpatched Exchange server—a deliberate move to bury the group's original intent once defenders started closing in.

Across the broader Exchange campaign, public and industry reporting described a figure on the order of tens of thousands of web shells, often cited around 88,000 identified across compromised systems worldwide. 

That visibility mattered years later. When federal investigators pursued the individuals behind the campaign, data from multiple private‑sector organizations (including Huntress) informed law enforcement's picture of the intrusion set and impacted organizations. That broader body of data, alongside other investigative inputs, supported a DOJ‑authorized, rarely used remediation action leveraging the attackers' own web shells to remotely remove them from victim systems around the world.

Law Enforcement & Arrests

  • 2025: The U.S. Department of Justice unsealed an indictment against Xu Zewei, an alleged contract hacker that U.S. authorities associate with HAFNIUM/Silk Typhoon activity. He was arrested in Milan and extradited to the U.S., where he appeared in court April 2026.

  • Zhang Yu, a second named co-conspirator in the indictment, remains at large as of this writing.

  • The broader contractor ecosystem believed to power Silk Typhoon's operations has not been dismantled—one arrest is a crack in a much larger case, not a final blow.

Glitch effectGlitch effect

How to Defend Against Silk Typhoon

1

Patch relentlessly, especially edge infrastructure. Silk Typhoon has repeatedly turned unpatched Exchange servers and other internet-facing systems into initial access entry points. Prioritize anything listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

2

Audit and rotate credentials tied to third-party tools. Given the group's pivot toward IT supply chain targeting, treat API keys and service credentials used by RMM software, cloud platforms, and PAM tools as high-value assets. Rotate them regularly and scope their permissions tightly.

3

Enforce multi-factor authentication (MFA) and conditional access on cloud identities. Silk Typhoon's more recent tradecraft leans on abusing legitimate cloud credentials and OAuth grants rather than dropping obvious malware, so identity-layer controls matter as much as endpoint controls.

4

Monitor for web shells and anomalous admin activity. Behavioral detection for web shell patterns and unexpected administrative sessions catches activity that static IoCs will miss.

5

Scrutinize vendor and MSP access. If a supplier's compromise can become your compromise, know what access every third-party integration actually has—and whether it needs all of it.

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Ryuk threats with enterprise-grade technology.


Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free