Skip to main content
Mallory
Back to threat actors
12 malware familiesExploits CVEs in the wild

Axiom

Also known asAxiomGroup 72

Axiom is a threat actor referenced with the aliases Axiom and group_72. The content associates Axiom with credential dumping, collection of data from compromised networks, use of VPS hosting providers while targeting victims, and use of RDP during operations. The actor has been observed using SQL injection to gain access to systems, compressing and encrypting data prior to exfiltration, and exploiting multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893. ATT&CK-style annotations in the content also associate Axiom with Exploit Public-Facing Application (T1190), Web Shell (T1505.003), IIS Components (T1505.004), Command and Scripting Interpreter (T1059), Upload Malware (T1608.001), Upload Tool (T1608.002), Unsecured Credentials (T1552), and OS Credential Dumping (T1003). One cited statement says ShadowPad is believed to be a product of the Chinese hacker group Axiom and that the group was likely behind the CCleaner attack.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

50 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics77 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.003×2
Virtual Private Server
T1608
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
5 techniques
T1078×2
Valid Accounts
T1133×4
External Remote Services
T1190×22
Exploit Public-Facing Application
T1195
Supply Chain Compromise
T1195.002
Compromise Software Supply Chain
T1566×3
Phishing
T1566.001
Spearphishing Attachment
TA0002
Execution
6 techniques
T1059×3
Command and Scripting Interpreter
T1129
Shared Modules
T1203×4
Exploitation for Client Execution
T1204
User Execution
T1204.002×2
Malicious File
T1569
System Services
T1569.002
Service Execution
T1574
Hijack Execution Flow
T1574.001
DLL
TA0003
Persistence
6 techniques
T1078×2
Valid Accounts
T1098
Account Manipulation
T1133×4
External Remote Services
T1505
Server Software Component
T1505.003×2
Web Shell
T1505.004
IIS Components
T1543
Create or Modify System Process
T1543.003
Windows Service
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
6 techniques
T1055
Process Injection
T1068
Exploitation for Privilege Escalation
T1078×2
Valid Accounts
T1098
Account Manipulation
T1543
Create or Modify System Process
T1543.003
Windows Service
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
8 techniques
T1027
Obfuscated Files or Information
T1027.001
Binary Padding
T1055
Process Injection
T1078×2
Valid Accounts
T1140
Deobfuscate/Decode Files or Information
T1497
Virtualization/Sandbox Evasion
T1564
Hide Artifacts
T1564.001
Hidden Files and Directories
T1574
Hijack Execution Flow
T1574.001
DLL
T1620
Reflective Code Loading
TA0112
Defense Impairment
1 technique
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0006
Credential Access
4 techniques
T1003×3
OS Credential Dumping
T1003.001
LSASS Memory
T1056
Input Capture
T1056.001×2
Keylogging
T1552
Unsecured Credentials
T1555×2
Credentials from Password Stores
TA0007
Discovery
4 techniques
T1069
Permission Groups Discovery
T1069.002
Domain Groups
T1082×2
System Information Discovery
T1087
Account Discovery
T1087.002
Domain Account
T1497
Virtualization/Sandbox Evasion
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.001×9
Remote Desktop Protocol
T1210
Exploitation of Remote Services
TA0009
Collection
4 techniques
T1005×2
Data from Local System
T1056
Input Capture
T1056.001×2
Keylogging
T1113
Screen Capture
T1560
Archive Collected Data
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1095
Non-Application Layer Protocol
T1105
Ingress Tool Transfer
ARSENAL

Associated malware families

12 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ShadowPadShadowPad is a sophisticated modular remote access trojan (RAT). Though originally developed by Wicked Panda threat actors, ShadowPad is currently used by multiple Chinese state-sponsored threat actor groups.3May 26, 2026
BIOPASS RATThe group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.1May 26, 2026
Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026
China ChopperThe group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.1May 26, 2026
DerusbiThe group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.1May 26, 2026

7 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

11 CVEs this actor has used in observed campaigns. 11 of them exploited in the wild.

CVE-2012-1889MSXML Uninitialized Memory Corruption VulnerabilityIn the wildEvidence2

Axiom has used exploits for multiple vulnerabilities including... CVE-2012-1889...

CVE-2012-4792Use-after-free RCE in Microsoft Internet Explorer 6-8 CButton/CDwnBindInfo handlingIn the wildEvidence2

Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792...

CVE-2013-3893Use-after-free RCE in Microsoft Internet Explorer mshtml.dll SetMouseCaptureIn the wildEvidence2

Axiom has used exploits for multiple vulnerabilities including... CVE-2013-3893.

CVE-2014-0322Use-after-free in Microsoft Internet Explorer 9 and 10In the wildEvidence2

Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322...

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

6 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

22 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

22 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
slideshareNews
May 21, 2026
Hunting for Credentials Dumping in Windows Environment | PDF

Known to perform credential dumping.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Azure PowerShell Module Installation Via PowerShell Script | Splunk Security Content

Listed as a threat actor associated with Azure Active Directory account takeover, persistence, privilege escalation, and related cloud-focused post-compromise activity detected via PowerShell module installation.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Metasploit Confluence Plugin Execution | Splunk Security Content

Listed as a threat actor associated with the detection for Metasploit-based Atlassian Confluence exploitation activity.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Unusual File Creation in Confluence Directory | Splunk Security Content

Listed as a threat actor associated with exploitation of public-facing applications and malware/tool upload activity relevant to Confluence exploitation detection.

Read more
+149 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping50

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal12

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs11

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables22

Domains, IPs, and hashes tied to this actor, refreshed continuously.