🌀

Silk Typhoon

Aliases

HAFNIUM, Murky Panda

Tags

State-SponsoredData Exfil.

Attribution

🇨🇳

Incidents

Silk Typhoon Targeting IT and Cloud Applications Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise

References

https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/https://attack.mitre.org/groups/G0004/

Last edited

Aug 26, 2025 7:54 AM

Status

Finalized

Cloud-fluent

Targeted geography

United States/North AmericaSoutheast AsiaLatin AmericaEurope

Targeted industries

GovernmentNon-governmental organizations (NGOs)Telecommunication

Silk Typhoon is a China-based advanced persistent threat (APT) group known for cyber espionage operations targeting entities in the United States and other regions. Active since at least 2009, the group, also referred to as APT20 or NICKEL, primarily focuses on intelligence collection to support Chinese geopolitical interests. Silk Typhoon is known for leveraging vulnerabilities in public-facing applications and employing stolen credentials to maintain persistent access. The group frequently uses web shells and custom malware to establish footholds and exfiltrate data. Silk Typhoon adapts its techniques based on target defenses, combining living-off-the-land tactics with bespoke tools. It has been linked to intrusions against government agencies, non-governmental organizations (NGOs), diplomatic entities, and telecommunications providers.