Axiom / Group 72
One of the most operationally disciplined Chinese APT groups on record. Novetta's Operation SMN coalition — involving Cisco, Symantec, FireEye, Microsoft, and others — removed over 43,000 installations of Axiom tooling from networks worldwide and assessed the group with moderate-to-high confidence as part of the Chinese Intelligence Apparatus. In contrast to other documented Chinese APT groups, no identified mistakes in operator security were found. Axiom uses a four-stage attack architecture with separate infrastructure and toolsets at each stage, culminating in Hikit — a bespoke, per-target-customized rootkit deployed only against the highest-value or best-defended victims.
Overview
Axiom — named by Novetta Solutions and their coalition partners in October 2014 following the Operation SMN interdiction campaign — is assessed with moderate-to-high confidence to be a sophisticated subgroup of a larger Chinese espionage organization operating on behalf of the Chinese Intelligence Apparatus. The group is separately designated Group 72 by Cisco Talos, Hidden Lynx by Symantec, and Aurora Panda / Bronze Keystone by CrowdStrike, with partial overlap with FireEye's APT17 (DeputyDog) designation. Novetta's assessment was corroborated by an FBI flash advisory released to InfraGard stating that actors affiliated with Axiom were connected to the Chinese government.
What distinguishes Axiom from every other documented Chinese APT group is a single, striking finding from the Novetta Operation SMN report: no identified mistakes in operational security by Axiom operators were found. By 2014, this contrasted sharply with groups like APT1 (Unit 61398), whose operators had been individually identified through social media activity, email registration patterns, and infrastructure reuse errors. Axiom operators appear to follow tighter security discipline and maintain separate infrastructure at each stage of their attack lifecycle. Novetta hypothesized that Axiom may not be a military unit in the PLA mold — it may instead be associated with the civilian intelligence apparatus, with a different mission profile that includes domestic monitoring of Chinese dissidents alongside conventional economic and political espionage.
The architecture of an Axiom operation reflects extreme operational care. The group uses a four-stage attack model in which different teams — or different operational layers of the same team — handle each phase using entirely separate infrastructure, toolsets, and C2 channels. The final stage, reserved for the highest-value or best-defended targets, deploys Hikit: a custom, per-target-compiled rootkit that represents years of sustained development investment. Of the 43,000 compromised systems cleaned during Operation SMN, only 180 — less than one half of one percent — contained Hikit. The occurrence of Hikit in a victim environment tells analysts exactly how much Axiom's tasking organization values that target.
Axiom's operational timeline extends across some of the most significant documented Chinese cyber espionage campaigns of the past fifteen years. Operation Aurora (2009), the Elderwood Project (2009–2014), the VOHO campaign (2012), the Bit9 certificate theft (2012–2013), Operation Deputy Dog (2013), Operation Ephemeral Hydra (2013), Operation Snowman (2014), and the 2017 CCleaner supply chain attack all share infrastructure, tooling, or attack techniques with documented Axiom operations. This is not a group in one campaign — it is the connective tissue running through a decade of Chinese strategic espionage.
Axiom's attribution is complex. MITRE's G0001 (Axiom, built on Novetta's reporting) represents one cluster of documented activity. FireEye's APT17 (G0025) overlaps substantially. Cisco Talos's Group 72 covers the same operational cluster. These designations reflect the same underlying group observed from different analytical angles — the same Hikit infrastructure, the same ZxShell and HydraQ tools, the same targeting profile. The key distinctions from PLA-affiliated groups (APT1, Putter Panda) are: a different mission profile that includes domestic dissident monitoring, distinct from Third Department tasking; higher operational discipline; and association with what Novetta assessed as civilian intelligence. Separately, the anonymous research group Intrusion Truth conducted an open-source investigation and assessed APT17 as managed by MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security — citing connections between APT17's malware authors and MSS-contracted Jinan cybersecurity companies. This assessment was published well before the FBI's InfraGard advisory and is consistent with Novetta's civilian intelligence apparatus assessment, though it carries the evidentiary weight typical of open-source attribution rather than a government indictment.
Target Profile
Axiom's targeting reflects the dual mandates of a Chinese intelligence apparatus unit: economic espionage aligned with China's Five Year Plan industrial priorities on one track, and political intelligence including domestic dissident monitoring on another. Novetta specifically noted that Axiom targets entities in sectors relevant to China's stated five-year industrial agenda and simultaneously targets pro-democracy NGOs and individuals that the Chinese state perceives as threats.
- Integrated Circuits and Semiconductor Manufacturing: The electronics and semiconductor sector is a primary economic espionage target. Axiom specifically targets organizations developing cutting-edge integrated circuits and telecommunications equipment. This targeting aligns precisely with China's documented priority of achieving self-sufficiency in advanced semiconductor technology — the most strategically sensitive technology competition between China and the West.
- Telecommunications Equipment and Infrastructure: Telecom equipment manufacturers and infrastructure developers are targeted for technology blueprints, product specifications, and proprietary design details. The strategic value of understanding how Western telecommunications infrastructure works — and its vulnerabilities — extends both to industrial espionage and to signals intelligence collection.
- Aerospace and Defense: Defense contractors, aerospace manufacturers, and organizations in the defense supply chain are targeted for weapons system specifications, propulsion research, unmanned aerial vehicle designs, and procurement intelligence. Both U.S. and allied defense organizations are documented targets. The 2014 attacks on American Middle Eastern policy think tanks — cited by Novetta as consistent with Axiom activity — also reflect interest in the policy and analytical community supporting defense decisions.
- Government Agencies: U.S. and allied government agencies — particularly those handling classified information, foreign policy, and defense procurement — are targeted for intelligence collection. The FBI's InfraGard advisory confirming Axiom's government affiliation came in the context of observed intrusions against government-adjacent organizations.
- Pro-Democracy NGOs and Human Rights Organizations: Novetta specifically documented Axiom targeting NGOs dealing with international politics, environmental policy, pro-democracy movements, and human rights. The attacks on these organizations tend to be multistaged and persistent — in one documented instance, Axiom compromised a satellite office of an NGO and then moved laterally into the organization's main headquarters. Novetta assessed this reflects a mandate to monitor organizations that the Chinese government views as threats to the CCP's legitimacy and China's soft power positioning.
- Chinese Dissidents and Overseas Chinese Communities: Universities and research institutions in Hong Kong and mainland China were targeted with Hikit for persistent surveillance operations — the deployment of Axiom's highest-capability tool against academic institutions suggests specific persons of interest rather than bulk intelligence collection. Overseas Chinese dissidents in other countries were also documented targets, extending the domestic security mandate globally.
- Environmental and Energy Policy Organizations: Organizations that influence environmental and energy policy — particularly those critical of China's industrial and environmental record — are targeted. Novetta noted that China's concern over its international reputation regarding human rights and environmental issues is directly reflected in Axiom's target selection.
- Media Organizations: News organizations covering topics of sensitivity to the Chinese government are targeted for journalist source identification, story advance intelligence, and communications monitoring.
The Four-Stage Attack Architecture
Axiom's operational discipline is nowhere more evident than in its attack architecture. Unlike peer Chinese APT groups that use a relatively consistent toolkit throughout an intrusion lifecycle, Axiom separates its operations into distinct stages — each with its own infrastructure, toolset, and C2 channel — ensuring that detection and remediation of one stage does not expose or disrupt operations at other stages.
- Stage 1 — Initial Compromise: Entry into the target network, typically via spear-phishing, watering-hole attacks, or zero-day exploitation of public-facing applications. Commodity and widely-shared tools are used at this stage — Poison Ivy, Gh0st RAT, ZxShell, PlugX — tools that are used by dozens of other threat actors and provide minimal attribution value. Infrastructure at Stage 1 is widely shared and does not expose Axiom's dedicated operational infrastructure.
- Stage 2 — Lateral Movement and Escalation: After the initial foothold, the group moves laterally within the target network using slightly more targeted tools — Derusbi, Fexel, HydraQ. Infrastructure at this stage is separate from Stage 1 and from later stages. The 9002 RAT (HydraQ/McRAT) is a distinctive Stage 2 tool that runs entirely in memory, writing nothing to disk and leaving minimal forensic artifacts.
- Stage 3 — Long-Term Persistence: Selected high-value victims receive ZoxPNG and ZoxRPC — Axiom's custom C2 tools that establish dedicated, per-target C2 infrastructure. Campaign identifiers extracted from Hikit binary configuration files revealed at least 76 unique campaigns managed by this infrastructure. Stage 3 C2 is compromised third-party infrastructure selected specifically for its relevance to the target — not generic bulletproof hosting — further obscuring the origin of traffic.
- Stage 4 — Hikit Deployment: The final, highest-capability stage, reserved for the most important targets or those with hardened defenses. Hikit binaries are compiled and configured specifically for each target's environment — a distinct binary per victim, per campaign. Only 180 of the 43,000 compromised systems found during Operation SMN contained Hikit. Hikit provides file upload and download, remote shell, network tunneling, lateral infection of other machines on the local network, and long-term persistence. In some intrusions, Hikit operators maintained access for years, returning on a scheduled basis and adapting to security control changes in the target environment.
Tactics, Techniques & Procedures
Axiom's TTP footprint spans the full attack lifecycle with stage-appropriate tool selection at each phase. The consistent theme is that each layer is designed to survive the detection of the previous layer — a defense-in-depth approach to persistence that makes complete remediation extremely difficult.
| MITRE ID | Technique | Description |
|---|---|---|
| T1189 | Drive-by Compromise (Watering Hole) | Axiom's preferred initial access technique alongside spear-phishing. The group compromises websites likely to be visited by target populations — think tanks focusing on foreign policy and defense (Operation Snowman used the VFW website), organizations associated with the target's supply chain, and sites of interest to specific industry sectors. Zero-day exploits are used in conjunction with watering holes to maximize conversion rates against security-aware targets who might otherwise reject phishing email. |
| T1566.001 | Spear-Phishing Attachment | Targeted phishing campaigns with malicious attachments tailored to the recipient's professional context. Lures referenced topics relevant to the target's industry, policy interests, or current events. The Elderwood platform — a shared exploit delivery infrastructure — was used to facilitate and automate phishing campaigns, providing embedded keyloggers, automated domain and account generators, and Shockwave Flash elements that ensure Trojans are downloaded to the correct locations on the target. |
| T1195.002 | Supply Chain Compromise — Signed Binaries | The 2012 Bit9 certificate theft — in which Axiom exploited a SQL injection vulnerability in an internet-facing Bit9 web server, then used the compromised system to access Bit9's code-signing infrastructure and sign 32 malicious files with a legitimate Bit9 certificate — is a textbook supply chain attack. The signed binaries were subsequently used in separate attacks against other organizations, leveraging the trusted certificate to bypass security controls that whitelist Bit9-signed software. Axiom's history of supply chain attacks extends to connections with the 2017 CCleaner backdoor (code overlap with APT17/Axiom tools confirmed by Kaspersky and Cisco Talos). |
| T1203 | Exploitation for Client Execution | Axiom uses zero-day and recently disclosed vulnerabilities in Internet Explorer (CVE-2013-3893 in Operation Deputy Dog; CVE-2014-0322 in Operation Snowman targeting the VFW website; CVE-2013-3918 and CVE-2014-0266 in Operation Ephemeral Hydra), and Adobe Flash. The group develops its own zero-days in-house or acquires them from third parties — the level of zero-day investment seen across linked campaigns indicates either substantial internal vulnerability research capability or an established procurement relationship for exploit code. |
| T1055 | Process Injection — In-Memory Execution (9002 RAT) | The HydraQ/9002 RAT (McRAT variant) used in Stage 2 operations runs entirely in memory — the malware is never written to disk, leaving minimal forensic artifacts for incident responders to recover. This in-memory execution design specifically targets forensic blind spots in environments relying on file-based detection or post-incident disk imaging for malware analysis. MITRE notes this technique was observed in Operation Ephemeral Hydra (CVE-2013-3918 exploitation delivering 9002 in-memory). |
| T1090 | Proxy — Compromised Infrastructure C2 | Axiom routes its activity through compromised proxy infrastructure in the United States, South Korea, Taiwan, Hong Kong, and Japan. This approach disguises malicious traffic as legitimate in network monitoring that examines source geography. Stage 3 C2 infrastructure is specifically selected for its relevance to the target organization — using compromised servers in the same country or industry as the victim — further reducing the anomalous appearance of the C2 communications. |
| T1014 | Rootkit (Hikit) | Hikit is a bespoke, per-target-customized rootkit representing the apex of Axiom's toolkit. Each Hikit binary is compiled and configured specifically for the victim's environment. Hikit provides file upload and download, remote shell generation, network tunnel creation, connection to other Hikit-infected machines to create a secondary peer network, and long-term persistence. Hikit operators return to Hikit-infected organizations on a scheduled basis, perform lateral movement based on network egress geography and security control changes, and sustain access measured in years. Detection of Hikit signals not just a compromise but a determination by Axiom's tasking organization that this specific target has the highest operational priority. |
| T1588.003 | Obtain Capabilities — Code Signing Certificates | The Bit9 breach provided Axiom with legitimate code-signing certificates from a trusted security vendor. Binaries signed with Bit9's certificate were then used in separate intrusions — leveraging the stolen trust anchor to bypass application whitelisting controls and security products that trusted Bit9-signed software. Hikit samples connected to Operation SMN were signed with this stolen Bit9 certificate, directly linking the 2012 Bit9 breach to Axiom's later operations. |
Known Campaigns
Axiom's documented campaign history spans over fifteen years and connects some of the most significant Chinese espionage operations on record. The shared infrastructure, toolset overlap, and consistent targeting profile across these campaigns is what enabled Operation SMN to cluster them into a single actor designation.
Operation Aurora (2009)
The foundational campaign in Axiom's documented history. Operation Aurora targeted Google and over 30 other technology, defense, and financial companies — stealing source code, intellectual property, and Gmail accounts of Chinese human rights activists. Google publicly disclosed the breach in January 2010, attributing it to China — a landmark moment that brought Chinese state-sponsored cyber espionage into mainstream public awareness. Novetta's Operation SMN report assessed Axiom as sharing infrastructure and techniques with Operation Aurora, connecting the 2009 campaign to the same organizational entity responsible for a decade of subsequent operations.
The Elderwood Project (2009–2014)
The Elderwood Project — named by Symantec for a source code variable used across the exploit code — is a shared exploit delivery platform and zero-day repository used by multiple Chinese APT groups including Axiom. The platform demonstrated access to an extraordinary number of zero-day vulnerabilities across Internet Explorer, Adobe Flash, Adobe Reader, and Java over a multi-year period. Novetta connected Axiom to the Elderwood ecosystem through shared exploit code and infrastructure. The platform was used against organizations in defense, defense supply chain manufacturing, IT, and human rights — precisely the sectors in Axiom's target profile.
Bit9 Certificate Theft (2012–2013)
In July 2012, Axiom exploited a SQL injection vulnerability in an internet-facing Bit9 web server. Bit9's subsequent investigation found a version of Hikit on the compromised system, which helped confirm attribution. The attackers used this access to reach Bit9's internal code-signing infrastructure, where they signed 32 malicious binaries with a legitimate Bit9 certificate. These signed binaries — trusted by Bit9's own security product and by other security tools that whitelisted Bit9-signed code — were subsequently deployed in separate attacks against other organizations. The breach exposed how compromising a trusted security vendor could multiply access across the vendor's entire customer base. Hikit samples associated with Operation SMN were signed using the stolen Bit9 certificate, directly linking this supply chain attack to Axiom's later deployment operations.
Operation Deputy Dog (2013)
A watering-hole campaign using CVE-2013-3893 — a zero-day vulnerability in Internet Explorer — targeting primarily Japanese organizations. The campaign compromised a website likely to be visited by the target population, then served the exploit to selected visitors. The payload was the 9002 RAT (HydraQ variant). Novetta's analysis found infrastructure overlaps between Operation Deputy Dog and the Bit9 compromise, reinforcing attribution to the same operational cluster. FireEye documented this operation and identified the link to Bit9 through shared C2 infrastructure.
Operation Snowman (2014)
On February 11, 2014, Axiom compromised the U.S. Veterans of Foreign Wars (VFW) website — vfw.org — and used it as a watering hole to deliver CVE-2014-0322, a zero-day vulnerability in Internet Explorer 10 with an Adobe Flash exploitation component. The payload was a ZxShell backdoor connecting to newss.effers.com. The target profile of the VFW website — defense veterans and active military personnel — is consistent with Axiom's documented interest in defense sector intelligence. FireEye documented the campaign and Novetta cited it as one of the incidents consistent with Axiom activity in the SMN report.
Operation SMN (2014)
Operation SMN (named for a shared malware indicator across Axiom samples) was the first documented coordinated industry interdiction campaign against a named state-sponsored threat actor — a model that security researchers hoped would be replicated for future operations. The coalition — led by Novetta and including Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect, ThreatTrack Security, and Volexity — pooled threat intelligence and executed coordinated remediation via Microsoft's Malicious Software Removal Tool (MSRT) and partner security products. The campaign removed over 43,000 Axiom tool installations from partner-protected networks on October 14, 2014. The interdiction was publicly disclosed on October 28, 2014, alongside Novetta's full technical report. The coalition acknowledged they had not delivered a "knockout blow" — the history of APT1's three-month hiatus after the Mandiant 2013 report suggested Axiom would adapt and return.
CCleaner Supply Chain Attack (2017)
In August 2017, attackers compromised Piriform's build infrastructure and injected a backdoor into CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 — software with over 2 billion downloads at the time. The backdoored version was distributed to approximately 2.27 million users before discovery. Kaspersky's Costin Raiu identified code overlap between the CCleaner backdoor and APT17/Axiom tools — specifically a unique base64 implementation used in APT17 code that appeared in the backdoor. Intezer confirmed this code overlap. Cisco Talos researchers validated the findings and noted the backdoor was designed to deliver a second-stage payload to approximately 20 major international technology companies including Cisco, Google, Microsoft, Intel, Samsung, Sony, VMware, HTC, and others. The second-stage targeting confirms the supply chain was not about broad consumer surveillance — it was about reaching specific high-value corporate targets by compromising a tool that their IT staff used.
Italian Government and Corporate Campaigns (2024)
On June 24 and July 2, 2024, Italian cybersecurity firm TG Soft documented two targeted campaigns against Italian companies and government entities attributed to APT17/Axiom with high confidence. Both campaigns used spear-phishing to lure victims into installing what appeared to be a Skype for Business package — served from a domain spoofing an Italian government website — which delivered an updated diskless variant of the 9002 RAT. The June 24 campaign used a malicious Office document; the July 2 campaign used a phishing link. The 9002 RAT variant contained a build date indicator of "20240124," confirming active malware development in 2024. The variant executed entirely in memory (diskless mode) and communicated with C2 infrastructure via encrypted channels using domains mimicking legitimate services. TG Soft recovered a file-based sample (SHA-256: de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0) uploaded to VirusTotal from Italy on July 5, 2024. These campaigns confirm that APT17/Axiom continues active operations against European government and corporate targets as recently as mid-2024 and that the 9002 RAT remains an actively maintained tool with ongoing capability development — including the elimination of disk artifacts through diskless execution.
Tools & Malware
Axiom's toolset spans a spectrum from commodity malware used at Stage 1 (for plausible deniability) to bespoke, per-target-compiled tools at Stage 4 (for maximum persistence). The architecture ensures that detection at any stage reveals only the tools of that stage and not the full toolkit or operational infrastructure.
- Hikit: Axiom's signature, highest-tier custom malware — the hallmark of Stage 4 operations against the group's most important targets. Each Hikit binary is compiled and configured specifically for the individual victim's network environment — a dedicated binary per target, per campaign. Capabilities include file upload and download, remote shell generation, network tunneling, and peer-to-peer infection of other machines on the local network to create a secondary C2 mesh. Novetta confirmed that Hikit C2 configuration files contained campaign identifiers revealing at least 76 unique campaigns. Hikit samples were signed with the stolen Bit9 code-signing certificate, enabling bypass of application whitelisting controls. Deployment of Hikit signals explicitly that Axiom's tasking organization considers the target of high priority or high difficulty.
- ZoxPNG / ZoxRPC: Axiom's custom Stage 3 C2 tools — a two-component system for establishing and maintaining command-and-control over high-value targets using compromised third-party C2 infrastructure selected specifically for relevance to the target. ZoxPNG and ZoxRPC provide the persistent, dedicated C2 layer that underlies Hikit deployments and long-duration operations.
- 9002 RAT / HydraQ (McRAT): A Stage 2 in-memory remote access Trojan running entirely without writing to disk — the only forensic artifacts are in process memory, which is cleared on reboot. Used extensively across Operation Deputy Dog, Operation Ephemeral Hydra, and Operation Snowman. The 2024 Italian government campaigns (documented by TG Soft) confirmed that the 9002 RAT is still under active development — a diskless variant with a build date indicator of "20240124" was deployed, demonstrating continued maintenance and capability extension more than a decade after the tool was first documented. The 9002 RAT supports a modular plugin architecture, downloading additional diskless plugins as needed to add capabilities without leaving additional on-disk artifacts. Cisco noted its exclusivity to Axiom and closely related actor clusters as evidence of shared staff or facilities.
- ZxShell (Sensode): A versatile backdoor used in Axiom operations including Operation Snowman (the VFW watering hole). ZxShell provides comprehensive remote access: command execution, file operations, process management, registry manipulation, and network operations. Cisco Talos's "Group 72, Opening the ZxShell" report provided detailed technical analysis of ZxShell variants in documented Axiom campaigns.
- Derusbi: A modular backdoor shared across multiple Chinese APT groups including Axiom and APT3/Gothic Panda, indicating either shared code development or procurement from a common source. Derusbi communicates over SSL in some configurations, hiding traffic from non-TLS-inspecting controls. Used in Stage 2 operations for longer-term post-foothold persistence before Hikit deployment.
- Fexel (Deputy Dog): A backdoor tool used in Axiom operations including Operation Deputy Dog. Provides Stage 2 persistence and C2 capability. Infrastructure shared between Fexel/Deputy Dog deployments and Hikit operations was a key link in Novetta's clustering of multiple campaigns into the Axiom designation.
- PlugX (Sogu/Kaba/Korplug): A widely-used Chinese APT RAT in Axiom's Stage 1-2 toolkit. Its presence is indicative of Chinese state-affiliated activity but provides limited attribution value given its broad distribution across the Chinese APT ecosystem.
- Poison Ivy / Gh0st RAT: Commodity Stage 1 tools used for initial access and early persistence, providing minimal attribution signal due to their widespread use across hundreds of threat actors globally. Their deliberate use at Stage 1 is part of Axiom's plausible deniability architecture — early compromise phases look like any number of other actors.
- HDRoot: A bootkit providing deep persistence at the master boot record level, surviving OS reinstallation. Used in select Axiom operations for maximum persistence in highly-defended environments.
- Winnti: A sophisticated backdoor associated with the Winnti Group and Axiom, consistent with the broader overlapping ecosystem of Chinese APT groups and tool sharing documented across multiple intelligence contractors.
Indicators of Compromise
IOCs are drawn from the Novetta Operation SMN report (October 2014), Cisco Talos Group 72 analysis, FireEye's Operation Deputy Dog, Snowman, and Ephemeral Hydra reports, the CCleaner incident (2017), and TG Soft's 2024 Italian campaign analysis. Full indicator sets are available in Novetta's published SMN report and MITRE G0001. The 2024 9002 RAT sample SHA-256 is documented in the TG Soft report.
Axiom's stage-separated architecture means that detecting Stage 1 or Stage 2 tools (Poison Ivy, ZxShell, PlugX) does not reveal the full extent of compromise. Hikit is unique to Axiom and only deployed against the most valuable targets — its absence from detection logs does not mean Hikit is not present. The 9002 RAT leaves no disk artifacts. Any detection of Stage 1 tools in a high-value target environment should trigger a full forensic investigation for later-stage tools that may not appear in standard endpoint scans.
Mitigation & Defense
Axiom is assessed as active. The group's operational discipline — zero identified operator security errors, stage-separated infrastructure, per-target compiled tools — makes conventional detection approaches significantly less reliable than against peer groups. Organizations in Axiom's documented target sectors (defense, integrated circuits, telecom, aerospace, government, pro-democracy NGOs) should assume that standard EDR and network monitoring may not detect Stage 3 and Stage 4 operations and plan accordingly.
- Multi-Stage Detection Strategy: Axiom's stage-separated architecture means each stage requires different detection methods. Stage 1 (Poison Ivy, PlugX, ZxShell) — standard signature-based and behavioral EDR detection. Stage 2 (9002 RAT in memory, Derusbi) — memory forensics, process injection detection, and behavioral anomaly monitoring that does not rely on disk artifacts. Stage 3 (ZoxPNG/ZoxRPC custom C2) — network traffic anomaly detection focused on unexpected outbound connections to compromised third-party infrastructure. Stage 4 (Hikit) — bootkit and rootkit detection with offline scanning; Hikit may not be detectable from within a running OS if the rootkit is fully installed. Plan for the possibility that Stage 1 detection represents only the visible surface of a much deeper compromise.
- Application Whitelisting with Certificate Validation: Axiom stole the Bit9 code-signing certificate specifically to bypass application whitelisting. Any application whitelisting solution that trusts certificates alone — without also validating that the certificate-issuing vendor has not been compromised — can be defeated by a supply chain attack against that vendor. Implement hash-based verification for critical whitelisted applications in addition to certificate trust. Maintain awareness of certificate compromise notifications from security vendors.
- Software Supply Chain Verification: Axiom's Bit9 breach and the CCleaner supply chain attack represent two documented cases of the group compromising trusted software to reach downstream targets. Verify the integrity of security software, system administration tools, and developer utilities using hash comparison against vendor-published digests — not just certificate validation. The CCleaner attack specifically targeted IT and security staff who use cleanup and optimization utilities. Treat software update channels for widely-deployed tools as potential attack surfaces and verify integrity independently.
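The two points above describe the same control: certificate trust is necessary but not sufficient. As an added example (not from Novetta, Bit9, Piriform or any vendor's product), the Python below puts a certificate-only allowlist beside a hardened one that also pins the vendor-published SHA-256 and honours a compromised-signer list; the signer names, keys, file contents and digests are constructed, and the HMAC "signature" is a stand-in for real X.509 code signing.

```python
import hashlib
import hmac
from dataclasses import dataclass

# --- Constructed sample data (not real keys, certificates or digests) --------
# Stand-ins for vendor code-signing keys. Real deployments use X.509
# certificates, but the trust decision being demonstrated is the same.
SIGNER_KEYS = {
    "Example Security Vendor": b"constructed-vendor-signing-key",
    "Example Utility Vendor": b"constructed-utility-signing-key",
}
TRUSTED_SIGNERS = frozenset(SIGNER_KEYS)

# Vendor-published digest manifest (constructed): filename -> SHA-256 hex.
LEGIT_AGENT_BYTES = b"constructed legitimate endpoint agent build 4.2.1"
MANIFEST = {"agent.exe": hashlib.sha256(LEGIT_AGENT_BYTES).hexdigest()}


@dataclass(frozen=True)
class SignedBinary:
    name: str
    data: bytes
    signer: str
    signature: bytes


def sign(name: str, data: bytes, signer: str) -> SignedBinary:
    """Stand-in for code signing: an HMAC keyed with the signer's key.

    Whoever holds the key produces valid signatures, which is exactly the
    problem once a vendor's signing key has been stolen.
    """
    mac = hmac.new(SIGNER_KEYS[signer], data, "sha256").digest()
    return SignedBinary(name, data, signer, mac)


def signature_valid(b: SignedBinary) -> bool:
    key = SIGNER_KEYS.get(b.signer)
    if key is None:
        return False
    expected = hmac.new(key, b.data, "sha256").digest()
    return hmac.compare_digest(expected, b.signature)


def cert_only_allowlist(b: SignedBinary) -> bool:
    """Weak policy: anything validly signed by a trusted signer may run.

    This is the trust model a stolen code-signing certificate defeats.
    """
    return b.signer in TRUSTED_SIGNERS and signature_valid(b)


def hardened_allowlist(b: SignedBinary, compromised_signers=frozenset()):
    """Hardened policy: trusted signer AND signer not reported compromised
    AND SHA-256 match against the vendor-published manifest.

    Returns (allowed, reason) so the decision can be logged.
    """
    if not (b.signer in TRUSTED_SIGNERS and signature_valid(b)):
        return False, "untrusted signer or invalid signature"
    if b.signer in compromised_signers:
        return False, "signer key reported compromised"
    expected = MANIFEST.get(b.name)
    if expected is None:
        return False, "no vendor-published digest for this file"
    actual = hashlib.sha256(b.data).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch with vendor manifest"
    return True, "ok"


# Scenario 1: the genuine vendor build.
LEGIT = sign("agent.exe", LEGIT_AGENT_BYTES, "Example Security Vendor")
# Scenario 2: a trojanized build under the same file name, signed with the
# vendor's (stolen) key. The signature verifies; only the digest gives it away.
TROJAN = sign("agent.exe", b"constructed trojanized agent, same file name",
              "Example Security Vendor")


def evaluate_scenarios() -> dict:
    """Run both policies over both binaries, then re-run the hardened policy
    after the vendor has disclosed the key compromise."""
    return {
        "legit_cert_only": cert_only_allowlist(LEGIT),
        "legit_hardened": hardened_allowlist(LEGIT),
        "trojan_cert_only": cert_only_allowlist(TROJAN),
        "trojan_hardened": hardened_allowlist(TROJAN),
        # After disclosure even the genuine build is held until re-signed.
        "legit_after_disclosure": hardened_allowlist(
            LEGIT, compromised_signers={"Example Security Vendor"}),
    }


if __name__ == "__main__":
    for scenario, result in evaluate_scenarios().items():
        print(f"{scenario:24s} -> {result}")
```

The certificate-only policy admits the trojanized binary because the stolen key produces a valid signature; the hardened policy rejects it on the digest, and once the compromise is disclosed it holds even the genuine build until the vendor re-signs.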
- Memory Forensics Capability: The 9002 RAT runs entirely in memory and leaves no disk artifacts. Standard incident response workflows that focus on disk imaging and file scanning will not detect this tool. Invest in memory forensics capability — tools like Volatility Framework for offline memory analysis, and EDR products that can capture and analyze process memory in real time. Any high-value intrusion investigation in an Axiom-target sector should include memory analysis as a mandatory step.
- NGO and Civil Society Security: Axiom specifically targets pro-democracy organizations, human rights groups, and environmental organizations — deploying multistaged attacks that in one documented case moved laterally from a satellite office to main headquarters. Civil society organizations in these sectors face a sophisticated adversary that considers them priority targets. Implement network segmentation between office locations, enforce phishing-resistant authentication on all accounts, encrypt sensitive organizational communications end-to-end, and ensure that a compromise of one office does not provide automatic lateral access to the full organization.
- Defense Industrial Base Zero-Day Patch Prioritization: Axiom has a documented history of using zero-day vulnerabilities in Internet Explorer, Adobe Flash, and other client-side software in watering-hole and spear-phishing campaigns targeting the defense sector. Maintain an aggressive patch deployment timeline for browser and browser plugin vulnerabilities — a 24–48 hour deployment window for CVSS 9+ client-side browser vulnerabilities in defense sector environments. Disable or remove Adobe Flash entirely (it is end-of-life as of December 2020). Enforce automatic browser updates.
Axiom's record of zero identified operational security errors is the single most alarming finding in the entire documented Chinese APT corpus. Every other major Chinese APT group — APT1, APT3, APT17, APT18, APT19 — left forensic breadcrumbs that enabled individual operator identification: email registration patterns, social media accounts, infrastructure reuse, language artifacts in code. Axiom left none. This is not a team of clever but imperfect hackers; it is an organization with institutional operational security discipline, separate infrastructure for each attack stage, and the self-awareness not to make the mistakes that smaller and less disciplined actors make routinely. The implication for defenders is serious: the standard attribution-based detection approaches that work against many Chinese APT groups — flagging known C2 IPs, identifying reused domains, detecting known tool signatures — are specifically insufficient against an actor that cycles infrastructure per campaign, compiles per-target binaries, and runs multi-year operations without generating attribution-enabling mistakes. Detecting Axiom requires behavioral anomaly detection, long-duration baseline monitoring, and the willingness to investigate Stage 1 detections as potential indicators of a much deeper, longer-running compromise that standard tools may never surface.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Group G0001: Axiom
- Cisco Talos — Threat Spotlight: Group 72, Opening the ZxShell (2014)
- Help Net Security — Novetta Operation SMN: Axiom Threat Actor Group Report (October 2014)
- Infosecurity Magazine — Chinese Espionage Group Directed a 6-Year Widescale Offensive (2014)
- Malpedia — APT17 / Axiom Actor Profile
- Council on Foreign Relations — Cyber Operations Tracker: Axiom
- TG Soft — Italian Government and Corporate Entities Targeted by APT17 with 9002 RAT Diskless Variants (July 2024)
- The Hacker News — China-Linked APT17 Targets Italian Companies with 9002 RAT Malware (July 17, 2024)