Axiom
Also known as: Group 72
Overview
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.
Targets
Civil society · Defense · Government · Intelligence · Justice · Mining · Private sector · Technology
Regions
Belgium · China · Germany · Indonesia · Italy · Japan · Netherlands · Russia · Switzerland · United Kingdom · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 8 attributed custom malware families
TTPs — 16 techniques across 10 tactics
Resource Development
- T1583.002 DNS Server
- T1583.003 Virtual Private Server
- T1584.005 Botnet
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1566 Phishing
Execution
Privilege Escalation
- T1546.008 Accessibility Features
Stealth
- T1078 Valid Accounts
Defense Impairment
- T1553 Subvert Trust Controls
Credential Access
- T1003 OS Credential Dumping
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1563.002 RDP Hijacking
Collection
- T1005 Data from Local System
- T1560 Archive Collected Data
Command and Control
- T1001.002 Steganography
Tools & malware (8)
ZxShell · gh0st RAT · Zox · PlugX · Hikit · PoisonIvy · Derusbi · Hydraq
Reporting (3)
- Games are over: Winnti is now targeting pharmaceutical companies — Tarakanov, D.
- Winnti Analysis — Novetta Threat Research Group
- Threat Spotlight: Group 72 — Esler, J., Lee, M., and Williams, C.