Cloud Threat Landscape

Silk Typhoon

Aliases

HAFNIUM, Murky Panda

Tags
State-Sponsored, Data Exfil.
Attribution
🇨🇳
Incidents
Silk Typhoon Targeting IT and Cloud Applications
Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
References
https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
https://attack.mitre.org/groups/G0004/
Last edited
Aug 26, 2025 7:54 AM
Status
Finalized
Cloud-fluent
Targeted geography
United States/North America, Southeast Asia, Latin America, Europe
Targeted industries
Government, Non-governmental organizations (NGOs), Telecommunication

Silk Typhoon is a China-based advanced persistent threat (APT) group known for cyber espionage operations targeting entities in the United States and other regions. Active since at least 2009, the group, also referred to as APT20 or NICKEL, primarily focuses on intelligence collection to support Chinese geopolitical interests. Silk Typhoon is known for leveraging vulnerabilities in public-facing applications and employing stolen credentials to maintain persistent access. The group frequently uses web shells and custom malware to establish footholds and exfiltrate data. Silk Typhoon adapts its techniques based on target defenses, combining living-off-the-land tactics with bespoke tools. It has been linked to intrusions against government agencies, non-governmental organizations (NGOs), diplomatic entities, and telecommunications providers.

Last Updated: April 3, 2025