Threat Actor Profile: Axiom 

Axiom, also known as Group 72, is an advanced state-sponsored cyber threat actor primarily targeting high-value organizations across Asia and the United States. Known for its precise and well-funded cyberespionage campaigns, Axiom has a comprehensive suite of malware tools designed to infiltrate, persist, and exfiltrate data from victim networks.  

Operating mainly in the Asia-Pacific region, Axiom focuses on critical industries such as aerospace, defense, manufacturing, and media. Their primary targets include organizations in Japan, South Korea, Taiwan, and the United States, countries where intellectual property and sensitive information are highly valuable. 

Cyble Vision Threat Library (Source: Cyble Vision) 

The group’s attack methods blend traditional and innovative techniques, ranging from watering-hole attacks on trusted websites to spear-phishing campaigns and exploitation of vulnerable public-facing applications. These tactics provide the initial foothold for their malware implants. 

The Malware Toolkit 

Malware Families Used by Axiom (Source: Cyble Vision)    

Axiom’s effectiveness stems largely from its diverse and adaptable malware toolkit. Below is an in-depth look at their primary malware families and their unique capabilities. 

BlackCoffee (ZoxPNG) 

BlackCoffee, also referred to as ZoxPNG, has been in use since at least 2013. It is a relatively simple but stealthy Remote Access Trojan (RAT) that uses an ingenious method for command-and-control communications: embedding commands within PNG image files. This approach allows the malware to blend in with normal network traffic, making detection by traditional security systems difficult. 

Supporting 13 distinct commands, BlackCoffee enables attackers to execute arbitrary code on compromised machines, allowing a broad range of malicious activities such as data exfiltration and system manipulation. However, it notably lacks advanced features like keylogging or screen capture. To compensate, attackers deploy supplemental shellcode binaries to extend their capabilities, tailoring attacks as needed. 

HiKit 

HiKit is one of the RATs employed by Axiom, designed primarily for long-term persistence and stealthy data exfiltration after the initial breach. It exists in at least two generations: the first operates as a server-side implant within the victim’s network, while the second functions as a client beaconing out to C2 servers. 

The RAT offers a suite of functionalities including remote command shell access, file management, network proxying, and port forwarding. These features allow operators to maintain remote control, navigate complex network environments, and discreetly extract sensitive data over extended periods without raising suspicion. 

ZoxRPC 

ZoxRPC is an older remote access tool linked to Axiom, with a compilation date as far back as July 2008. Its longevity demonstrates the group’s long-standing reliance on RAT technology and its evolutionary approach to malware development. Although its direct connection to BlackCoffee/ZoxPNG remains unclear due to the time gap, ZoxRPC similarly facilitates unauthorized access, remote control, and data theft. 

Tactics for Control, Persistence, and Evasion 

Beyond malware deployment, Axiom’s operational techniques are multilayered: 

  • Initial Access: They leverage watering-hole attacks, spear-phishing, and exploit public-facing vulnerabilities to gain initial entry. 
  • Execution and Persistence: After infiltration, they exploit known system vulnerabilities and hijack administrative accounts. Manipulating accessibility features on infected devices helps maintain persistence while minimizing detection. 
  • Credential Access and Lateral Movement: Axiom dumps credentials directly from operating systems, enabling them to move laterally through networks using remote desktop protocols and hijacking active sessions. 
  • Stealth and Evasion: The group frequently uses trusted digital certificates to sign their malware, reducing suspicion by endpoint security tools. Additionally, they employ steganography, hiding C2 communications within normal-looking files or images to avoid detection. 
  • Data Collection and Exfiltration: Data stolen from compromised systems is carefully compressed and encrypted before exfiltration. Dynamic DNS services further support their infrastructure by providing flexibility and resilience to their command networks. 
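BlackCoffee’s PNG-based C2 described above and the steganography point in the Stealth and Evasion item both depend on the same property: an image viewer renders the picture and silently ignores chunk types and trailing bytes it does not understand. The following added example (not code from Cyble or from any Axiom sample) walks a PNG’s chunk list, verifies every CRC and reports bytes after IEND or chunk types outside the PNG specification; the chunk name and sample file it builds are constructed for the demonstration and are not indicators tied to BlackCoffee.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG spec plus the common APNG and eXIf extensions.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
                b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
                b"eXIf", b"acTL", b"fcTL", b"fdAT"}

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_png(data: bytes):
    """Walk the chunk list up to IEND; return (chunks, bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    chunks, pos = [], len(PNG_SIG)
    while True:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])  # struct.error if truncated
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError(f"truncated chunk {ctype!r}")
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]

def find_anomalies(data: bytes) -> list:
    """Flag structure a viewer renders without complaint but a plain image has no reason to carry."""
    chunks, trailing = parse_png(data)
    findings = [f"{len(trailing)} bytes after IEND"] if trailing else []
    for ctype, body, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"CRC mismatch in {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} carrying {len(body)} bytes")
    return findings

def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG for testing; extra chunks are placed before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one grey pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + b"".join(extra_chunks) + chunk(b"IEND", b"") + trailing)
```

Run `find_anomalies` over image files pulled from a proxy or mail gateway; a clean file returns an empty list, so anything returned is worth a look.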

Malware in Action 

Imagine a scenario where Axiom targets a Fortune 500 manufacturing firm. The attackers compromise a website regularly visited by company employees through a watering-hole attack. When an employee visits this trusted site, the malware silently installs on their device. 

Among the first tools deployed could be BlackCoffee, which quietly establishes a covert communication channel with the attackers via PNG image files. Next, HiKit may be installed to grant the operators persistent remote access, enabling them to navigate the internal network, manipulate files, and extract sensitive design documents and proprietary information. 

Throughout the operation, ZoxRPC may be used on legacy or fallback systems, ensuring multiple vectors of control and redundancy in maintaining access. 

Conclusion 

Axiom’s malware tools, like BlackCoffee and HiKit, make them a formidable and stealthy threat in cyber espionage. Defending against such persistent actors requires advanced, intelligence-driven solutions.

Cyble’s AI-native cybersecurity platform offers real-time threat intelligence and autonomous defense capabilities that help organizations stay protected from groups like Axiom. By integrating Cyble’s cutting-edge technology, businesses can better protect themselves from state-sponsored cyber threats.

Defense and Mitigation Strategies 

  • Strengthen Email Defenses & Training: Use advanced email filters and train employees to spot spear-phishing attempts. 
  • Patch & Harden Public Systems: Keep all public-facing apps updated and secure to block common exploits. 
  • Limit Access & Segment Networks: Apply least privilege and network segmentation to restrict attacker movement. 
  • Use AI-Driven Endpoint Detection: Deploy EDR tools that catch stealthy RAT behaviors and suspicious activity. 
  • Monitor for Hidden & Encrypted Traffic: Detect steganography and abnormal DNS or encrypted communications. 
  • Secure Credentials & Monitor Access: Use privileged access management and watch for unusual login patterns. 

MITRE ATT&CK Techniques Associated with Axiom 

MITRE ATT&CK Techniques (Source: Cyble Vision) 

  • Drive-by Compromise (T1189): Uses watering hole attacks to gain access. 
  • Exploit Public-Facing Application (T1190): Employs SQL injection to infiltrate systems. 
  • Phishing (T1566): Uses spear phishing to initially compromise victims. 
  • Exploitation for Client Execution (T1203): Exploits multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893. 
  • Valid Accounts (T1078): Uses previously compromised admin accounts for privilege escalation. 
  • Accessibility Features (T1546.008): Uses Sticky Keys replacement within RDP sessions to maintain persistence. 
  • Subvert Trust Controls (T1553): Delivers malware signed with trusted digital certificates. 
  • OS Credential Dumping (T1003): Dumps credentials from operating systems. 
  • Remote Desktop Protocol (T1021.001): Utilizes RDP for lateral movement. 
  • RDP Hijacking (T1563.002): Uses remote admin tools, including hijacking RDP sessions. 
  • Data from Local System (T1005): Collects data from compromised systems. 
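For the Accessibility Features (T1546.008) entry above, the following added example (not code from Cyble) shows the checks defenders typically pair for Sticky Keys replacement, run over Sysmon-style events: a shell spawned by winlogon.exe, a write to an accessibility binary in System32, and an IFEO Debugger value set for one of those binaries. Field names follow Sysmon (EventID 1, 11, 13); the sample events are constructed, and the servicing-process allowlist is an assumption to tune locally.

```python
# Sysmon-style events reduced to the fields the checks need; field names follow
# Sysmon (EventID 1 = process create, 11 = file create, 13 = registry value set).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # what a replaced binary usually turns out to be
IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SERVICING = {"tiworker.exe", "trustedinstaller.exe"}  # assumed benign writers of System32; tune locally

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict):
    """Return a finding for one event, or None if it is unremarkable."""
    eid = ev.get("EventID")
    if eid == 1:  # the logon-screen accessibility shortcut runs as a child of winlogon.exe
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent == "winlogon.exe" and image in SHELLS:
            return f"winlogon.exe spawned {image} (accessibility binary likely replaced)"
    elif eid == 11:  # an accessibility binary in System32 being (over)written
        target, writer = ev["TargetFilename"], basename(ev.get("Image", "?"))
        if (target.lower().startswith("c:\\windows\\system32\\")
                and basename(target) in ACCESSIBILITY_BINARIES and writer not in SERVICING):
            return f"{basename(target)} rewritten by {writer}"
    elif eid == 13:  # an IFEO Debugger value pointing an accessibility binary at another program
        obj = ev["TargetObject"].lower()
        if IFEO in obj and obj.endswith("\\debugger"):
            exe = obj.split(IFEO, 1)[1].split("\\", 1)[0]
            if exe in ACCESSIBILITY_BINARIES:
                return f"IFEO Debugger set for {exe} -> {ev.get('Details', '')}"
    return None

def scan(events):
    return [f for f in map(check_event, events) if f]

# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventID": 11, "Image": r"C:\Windows\WinSxS\servicingstack\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 13, "Details": r"C:\Windows\System32\cmd.exe", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger"},
    {"EventID": 13, "Details": "vsjitdebugger.exe", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger"},
]
```

`scan(SAMPLE_EVENTS)` returns three findings and stays quiet on the service host, the servicing-stack write and the unrelated IFEO entry.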