IOC pivot
ioc · name
vpnbridge.exe
CN · China
Flax Typhoon
confidence · high
SoftEther VPN bridge binary renamed by Flax Typhoon to `conhost.exe` or `dllhost.exe` to masquerade as Windows system components. Microsoft's August 2023 advisory describes this as the actor's signature persistence mechanism, used to tunnel SoftEther over HTTPS to TCP/443.
- first seen: Aug 23, 2023
- publisher: Microsoft Threat Intelligence