
Threat Actor Characterization

Axiom


ID: 2c5d94dd609855f43c21c46744afec3d82642
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Malware
China UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone: UNKNOWN
Aliases: Group 72
MITRE ATT&CK®

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting. Ref: https://attack.mitre.org/groups/G0001/


| Technique | Technique name | Tactics | Evidence |
| --- | --- | --- | --- |
| T1001.002 | Steganography | TA0011 | Data Obfuscation: Steganography - Axiom has used steganography to hide its C2 communications. |
| T1021.001 | Remote Desktop Protocol | TA0008 | Remote Services: Remote Desktop Protocol - Axiom has used RDP during operations. |
| T1546.008 | Accessibility Features | TA0003, TA0004 | Event Triggered Execution: Accessibility Features - Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence. |
| T1563.002 | RDP Hijacking | TA0008 | Remote Service Session Hijacking: RDP Hijacking - Axiom has targeted victims with remote administration tools including RDP. |
| T1583.002 | DNS Server | TA0042 | Acquire Infrastructure: DNS Server - Axiom has acquired dynamic DNS services for use in the targeting of intended victims. |
| T1583.003 | Virtual Private Server | TA0042 | Acquire Infrastructure: Virtual Private Server - Axiom has used VPS hosting providers in targeting of intended victims. |
| T1584.005 | Botnet | TA0042 | Compromise Infrastructure: Botnet - Axiom has used large groups of compromised machines for use as proxy nodes. |