🇨🇳

Flax Typhoon

APT Group Information theft and espionage 11 zero-day CVEs ETDA ✓

Also Known As 2 names

Ethereal Panda Storm-0919

Target Countries 12

Countries highlighted in red

Argentina Djibouti Hong Kong Kenya Republic of Korea Malaysia Philippines Paraguay Rwanda Slovakia Province of China Taiwan United States

Sectors Targeted

IT National Security and International Affairs 928110 Pharmaceutical and Medicine Manufacturing 32541 Engineering Services 54133 Investigation, Guard, and Armored Car Services 56161 Utilities 22 Education Computer Systems Design and Related Services 54151 Computer Systems Design and Related Services 5415 Government Manufacturing Justice, Public Order, and Safety Activities 9221 Finance and Insurance 52 Computer Systems Design Services 541512 Construction 23 Grantmaking and Giving Services 8132

Details

Origin 🇨🇳 CN

Last Updated 27 Jan 2024

Malware Families 1

elf.nosedive

MITRE ATT&CK 33

T1003 - OS Credential Dumping T1021 - Remote Services T1027 - Obfuscated Files or Information T1029 - Scheduled Transfer T1036 - Masquerading T1040 - Network Sniffing T1043 - Commonly Used Port T1055 - Process Injection T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 T1068 - Exploitation for Privilege Escalation T1070 - Indicator Removal on Host T1071 - Application Layer Protocol T1071.001 - Web Protocols T1078 - Valid Accounts T1087 - Account Discovery T1090 - Proxy T1102 - Web Service T1104 - Multi-Stage Channels T1105 T1133 - External Remote Services T1140 - Deobfuscate/Decode Files or Information T1187 - Forced Authentication T1190 - Exploit Public-Facing Application T1498 - Network Denial of Service T1499 - Endpoint Denial of Service T1505 - Server Software Component T1543 - Create or Modify System Process T1557 - Man-in-the-Middle T1564 - Hide Artifacts T1566 - Phishing T1566.001

Related Zero-Days 11

CVE-2016-5195 CVE-2021-26855 CVE-2023-46805 CVE-2024-12356 CVE-2024-21887 CVE-2024-3400 CVE-2024-4947 CVE-2025-0282 CVE-2025-1316 CVE-2025-53770 CVE-2025-53771

Known Names 3 entries

Flax Typhoon Microsoft

Ethereal Panda CrowdStrike

RedJuliett Recorded Future

Observed Target Countries 10

Based on ETDA data — countries highlighted in red

Djibouti Hong Kong Kenya Laos Malaysia Philippines Rwanda South Korea Taiwan USA

Description

(Microsoft) Flax Typhoon has been active since mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan. Some victims have also been observed elsewhere in Southeast Asia, as well as in North America and Africa. Flax Typhoon focuses on persistence, lateral movement, and credential access. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. Flax Typhoon is known to use the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. However, Flax Typhoon primarily relies on living-off-the-land techniques and hands-on-keyboard activity. Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Following initial access, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then deploy a VPN connection to actor-controlled network infrastructure, and finally collect credentials from compromised systems. Flax Typhoon further uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.

Tools Used 7

China Chopper BadPotato JuicyPotato Metasploit Mimikatz SoftEther VPN Living off the Land

Operations 2

2023 Mid Derailing the Raptor Train https://blog.lumen.com/derailing-the-raptor-train/

2023-11 Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-0624.pdf

Reports & References 2

https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ https://www.ic3.gov/CSA/2024/240918.pdf

ETDA Profile

Flax Typhoon

Origin

China

First Seen 2021

Sponsor State-sponsored

Motivation

Information theft and espionage

View on ETDA APT Groups ↗