Flax Typhoon Cyber Operation

Flax Typhoon Cyber Operation: A Deep Dive into China’s Stealthiest Cyber Espionage


The Flax Typhoon cyber attack is a cloak-and-dagger campaign carried out by a Chinese state-sponsored hacking organization. Begun in mid-2021 and still active today, this espionage campaign primarily targets government agencies, academia, critical manufacturing, and IT sectors, especially in Taiwan, but also reaching the U.S., Europe, and beyond. It relies primarily on legitimate tools instead of obvious malware.

Understanding the Flax Typhoon FBI Connection

In early 2025, the U.S. Department of Justice and the FBI carried out a court-approved operation that shut down a massive botnet operated by Flax Typhoon. Dubbed “Raptor Train” by Black Lotus Labs and “KRLab” publicly, the botnet commandeered over 260,000 infected devices such as cameras, routers, and storage units. The operation revealed that a China-based firm, Integrity Technology Group, functioned as the group’s front and supplied the hacking infrastructure.

FBI Director Wray said it was “just one round in a much longer fight” and confirmed that the disruption liberated hundreds of computers from the grip of Flax Typhoon.

Why the Flax Typhoon botnet Was So Dangerous

Honeypot analysis by Global Cyber Alliance’s AIDE platform exposed how the botnet targeted SoftEther VPN ports, abused web shells like China Chopper, and used legitimate Windows tools (LOLBins) for stealth.

Flax Typhoon used Living Off the Land binaries (LOLBins) to perform tasks without malware! These include PowerShell, certutil, WMIC, and more.

They abused legitimate connectivity (e.g., SoftEther VPN tunneling over HTTPS on port 443) to avoid detection.

Geographic Scope & Espionage Impact

Although Taiwan remains the primary target, sensors placed globally by AIDE in the U.S., Germany, and South Korea picked up Flax Typhoon activity. In March and August, honeypots located in Taiwan recorded significant spikes, in line with warnings issued by the Ministry of Digital Affairs.

How It Works: Flax Typhoon Operating Methodology

1. Infiltration through Zero-Days and Web Shells
Attackers exploit exposed servers (web, VPN, SQL, Java) and deploy China Chopper web shells for remote control.

2. Privilege Escalation
They elevate permissions using Juicy Potato or BadPotato, then deploy LOLBins for legitimate-looking persistence.

3. Persistence & VPN Establishment
Threat actors disable Windows NLA, abuse Sticky Keys to gain SYSTEM privileges, and install SoftEther VPN renamed to look like legitimate binaries.

4. Reconnaissance & Credential Theft
Using Mimikatz and registry dumps (LSASS/SAM), they capture credentials for lateral movement, but they don’t immediately exfiltrate data.

5. Long-Term Espionage Holding Pattern
Once persistence is established, Flax Typhoon recedes into the network, lying inactive until it is needed. It’s espionage patience at its finest.

Making Comparisons: Salt Typhoon, Volt Typhoon Campaigns, and Other Events

Flax Typhoon is not alone. Similar methods are used by related Chinese APTs:

Using living-off-the-land methods, Volt Typhoon focuses on U.S. critical infrastructure, routers, and VPNs.

Salt Typhoon breached U.S. telecom companies, including AT&T and Verizon, in order to capture call logs.

In keeping with China’s extensive cyber arsenal, other “Typhoons” like Brass Typhoon also show up in industry naming conventions.

The MITRE ATT&CK framework frequently maps these organisations’ shared techniques—VPN misuse, web shells, LOLBins—including initial access (T1190), persistence (T1547), credential dumping (T1003), and more.

Where Flax Typhoon Mitre Fits into the Bigger Picture

Applying MITRE ATT&CK to Flax Typhoon’s Strategies reveals:

Initial Access: exploitation of exposed servers (T1190).

Execution and Persistence: abuse of Sticky Keys (T1553), web shells (T1505), and SoftEther VPN (T1572).

Credential Access: SAM/LSASS dumping, Mimikatz (T1003).

Lateral Movement: WinRM, WMIC, and RDP.

Defence Evasion: living off the land (LOLBins).
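Detection logic for the persistence steps in the methodology above (NLA disabled, Sticky Keys abuse, renamed SoftEther VPN binaries), mapped to the Persistence and Defence Evasion rows of this ATT&CK list. This is an added example, not code from the article or from any of the vendors it names; it runs over constructed Sysmon-style event records, and it assumes (the article does not say so) that the Sticky Keys abuse is implemented through an IFEO Debugger value and that NLA is switched off via the RDP-Tcp UserAuthentication registry value.

```python
import ntpath
from typing import Dict, List

# Registry paths and binary names assumed for the checks (not stated in the article).
IFEO_PATH = "image file execution options"
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
NLA_VALUE_PATH = r"\terminal server\winstations\rdp-tcp\userauthentication"
SOFTETHER_ORIGINALS = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the finding labels raised by one event (empty list if benign)."""
    findings: List[str] = []
    if ev.get("type") == "registry_set":
        key = ev.get("key", "").lower()
        parts = key.split("\\")
        # Step 3, Sticky Keys abuse: a Debugger value set under IFEO for an accessibility binary
        if IFEO_PATH in parts and parts[-1] == "debugger" and parts[-2] in ACCESSIBILITY_BINARIES:
            findings.append(f"ifeo_debugger_hijack:{parts[-2]}")
        # Step 3, NLA disabled: RDP UserAuthentication switched to 0
        if key.endswith(NLA_VALUE_PATH) and ev.get("value") == "0":
            findings.append("rdp_nla_disabled")
    elif ev.get("type") == "process_create":
        image = ntpath.basename(ev.get("image", "")).lower()
        original = ev.get("original_file_name", "").lower()   # PE version-info name (Sysmon EID 1)
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        # Step 3, renamed SoftEther: version info says SoftEther, the on-disk name does not
        if original in SOFTETHER_ORIGINALS and image != original:
            findings.append(f"renamed_softether:{original}->{image}")
        # Sticky Keys actually used: a shell spawned by winlogon.exe at the logon screen
        if parent == "winlogon.exe" and image in SHELLS:
            findings.append(f"winlogon_spawned_shell:{image}")
    return findings

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Run every event through check_event and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger", "value": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication", "value": "0"},
    {"type": "process_create", "image": r"C:\Windows\Temp\svchost.exe", "original_file_name": "vpnbridge.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe", "parent_image": r"C:\Windows\System32\winlogon.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The same four checks translate directly into Sentinel or Defender hunting queries over registry and process-creation events; the notepad.exe record is there to show a benign process producing no finding.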

Organisations utilising frameworks such as AIDE, Microsoft Defender, or Sentinel can greatly enhance detection and response maturity by comprehending this mapping.

Story: When a Router Overheard

Consider the network of a Taiwanese university in early August 2023. One of the professors noticed that their home router was blinking more than normal. As it turns out, Flax Typhoon had surreptitiously tunnelled over SoftEther VPN, pivoting into servers by leveraging the campus router as a foothold. They stayed concealed until simultaneous SSH, Telnet, and HTTP shell POST requests were detected by AIDE’s honeypots, just before an all-staff alert was sent.

If AIDE hadn’t disseminated the information throughout its global network of honeypots, the tiny blinking light may have gone unnoticed.

7 Reasons to Care (And Make a Confident Purchase)

You’re investing in the future of your company by being aware of and protecting against Flax Typhoon cyber operations:

Comfort: Be certain that the Chinese government does not covertly control your edge devices, servers, and login credentials.

Resilience in strategy: VPN blocks, behavior-monitoring agents, and live listeners make your environment unappealing to cunning adversaries.

Regulatory preparedness: Advanced defence is required by compliance regulations such as NIS2, SOX, or HIPAA.

Give yourself access to resources and services based on international intelligence, such as Microsoft Defender, GCA’s AIDE, the CISA alliance, or expert cybersecurity advice. These are investments in long-term stability, trust, and security rather than goods. Just like the IGT cyberattack showed how quiet threats can cause big problems, the Flax Typhoon Cyber Operation proves that even silent hackers can seriously harm important systems.

FAQ

Q1: How does the FBI relate to Flax Typhoon?

Early in 2025, the FBI dismantled the Flax Typhoon botnet under court order. The FBI contacted victims through ISPs, stopped the botnet, and deleted malware from thousands of compromised devices.

Q2: How big was the botnet known as Flax Typhoon?

At its peak, the botnet covered more than 260,000 devices on six continents, including storage units, routers, and webcams.

Q3: What was revealed in the Microsoft report about Flax Typhoon?

Microsoft disclosed in a report released on August 24, 2023, the group’s dependence on authentic tools, usage of SoftEther VPN, China Chopper web shells, and credential-stealing techniques.

Q4: What is the difference between the Flax Typhoon and Volt Typhoon campaigns?

Both Flax Typhoon and Volt Typhoon are Chinese state-sponsored APTs that employ living-off-the-land strategies. Flax concentrates on covert espionage, while Volt targets vital U.S. infrastructure.

Q5: How about Brass Typhoon and Salt Typhoon APT?

U.S. networks, including Verizon and AT&T, were compromised by Salt Typhoon. Another new name with comparable strategies is Brass Typhoon. Although these groups have similar foundations, their target focus is different.

Q6: What is the connection between this and Flax Typhoon Mitre?

The TTPs of Flax Typhoon—initial access, web shell execution, credential dumping, VPN tunnelling for persistence, lateral movement, and stealthy evasion—map directly onto MITRE ATT&CK techniques. This framework helps defenders identify and thwart these tactics efficiently.
