
Flax Typhoon

flax-typhoon · primary source: Microsoft · first observed 2021
CN · China · State-sponsored · High confidence · last cited Sep 17, 2024 · 1.7y ago

PRC state-affiliated intrusion set operating through Integrity Technology Group — a Beijing-based, publicly traded cybersecurity contractor sanctioned by the U.S. Treasury's OFAC in January 2025. The group specializes in compromising internet-facing IoT devices (routers, IP cameras, NVRs, storage devices) to build a residential-IP proxy botnet. The FBI disrupted a 260,000-device botnet attributed to the group on 18 September 2024, freeing devices spread across the United States, Vietnam, Germany, and other countries.

Aliases

Ethereal Panda (CrowdStrike) · RedJuliett (Other)

Motivations

espionage · infrastructure

Target sectors

government · academia · media · telecommunications · manufacturing

Target countries

US · VN · DE · RO · ZA · FR · GB

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Flax Typhoon
  • China
  • espionage
  • infrastructure
Infrastructure
  • w8510.com
Victim
  • government
  • academia
  • media
  • US
  • VN
  • +1 more

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

3 indicators
Type · Value · First seen · Source

Type: Name
Value: vpnbridge.exe
SoftEther VPN bridge binary renamed by Flax Typhoon to `conhost.exe` or `dllhost.exe` to masquerade as Windows system components. Microsoft's August 2023 advisory describes this as the actor's signature persistence mechanism, used to tunnel SoftEther over HTTPS to TCP/443.
First seen: Aug 23, 2023 · Source: Microsoft Threat Intelligence

Type: SHA-1
Value: 7992c0a816246b287d991c4ecf68f2d32e4bca18
SHA-1 fingerprint of a TLS certificate observed on Flax Typhoon SoftEther VPN bridge infrastructure, published in the August 2023 Microsoft Threat Intelligence disclosure `Flax Typhoon using legitimate software to quietly access Taiwanese organizations`.
First seen: Aug 23, 2023 · Source: Microsoft Threat Intelligence

Type: Domain
Value: w8510[.]com
Tier-2 C2 root domain for the `Oriole` campaign of the Raptor Train IoT botnet operated by Flax Typhoon, linked by DOJ/FBI to Beijing-based Integrity Technology Group. Active June 2023 through the FBI takedown announced September 2024; documented by Lumen Black Lotus Labs.
First seen: May 31, 2023 · Source: Lumen Black Lotus Labs

Related actors

shared ATT&CK techniques

References

Threat Intel Tracker. (2026-05-19). Flax Typhoon — actor profile. Retrieved from https://threatintel.local/actors/flax-typhoon

latest cited activity · 2024-09-18 · 3 cataloged indicators