Nation-State Actor

Flax Typhoon

China • Active since 2021

Flax Typhoon is a Chinese state-sponsored group that uses very little custom malware. After breaking in through an exposed, vulnerable server it runs on tools already present on the victim's systems plus legitimate software such as a VPN client, so its activity blends in with routine administration and is hard to detect.

Overview

Flax Typhoon is a Chinese state-sponsored threat group, publicly named by Microsoft in August 2023, that uses minimal malware and instead relies on living-off-the-land techniques and legitimate tools for persistence and lateral movement. Reported intrusions begin with exploitation of known vulnerabilities in public-facing servers, followed by a web shell for initial command execution and a publicly available privilege-escalation tool to reach SYSTEM. The group then establishes long-lived access by weakening the host's RDP configuration (disabling Network Level Authentication and hijacking the Sticky Keys accessibility binary so a shell can be opened at the logon screen) and by installing a SoftEther VPN bridge that tunnels RDP back to attacker-controlled infrastructure. Discovery, credential access and lateral movement are carried out with WMI, PowerShell and other built-in Windows commands, so most of the activity leaves no malware on disk.

Also Known As

Ethereal Panda

Target Industries

Government, Education, Manufacturing, Technology, Critical Infrastructure

Target Regions

Taiwan, Southeast Asia, United States


Tactics, Techniques & Procedures

  • Living off the land: built-in Windows tools (WMI, PowerShell, cmd.exe) for discovery, credential access and lateral movement
  • Legitimate VPN software (a SoftEther VPN bridge) installed on the victim host for persistent, attacker-controlled remote access
  • RDP over the VPN tunnel, with Network Level Authentication disabled and Sticky Keys (sethc.exe) hijacked to obtain a SYSTEM shell at the logon screen
  • Minimal malware footprint: publicly available tooling only, no bespoke implants
  • Web shell deployment on exploited public-facing servers for initial command execution

Known Tools & Malware

LOLBins (WMI, PowerShell, cmd.exe), RDP, SoftEther VPN, China Chopper web shell, Juicy Potato and BadPotato (privilege escalation), Mimikatz; minimal custom malware

Notable Campaigns

Taiwan Critical Infrastructure (2023)

Microsoft reported in August 2023 that Flax Typhoon had compromised dozens of organizations in Taiwan, mainly in government, education, critical manufacturing and IT, with a smaller number of victims in Southeast Asia, North America and Africa. The campaign's goal appeared to be long-term access rather than data theft or disruption.

IoT Botnet Operations (2024)

In September 2024 the FBI, with international partners, disrupted a botnet of more than 200,000 compromised consumer and small-office devices (routers, IP cameras, NAS units, DVRs) attributed to Flax Typhoon and operated through the Beijing company Integrity Technology Group; Lumen's Black Lotus Labs tracked the same botnet as Raptor Train. The infrastructure was used to proxy and stage further intrusions. In January 2025 the U.S. Treasury sanctioned Integrity Technology Group for its role.

MITRE ATT&CK Techniques

T1059 Command and Scripting Interpreter, T1021.001 Remote Services: Remote Desktop Protocol, T1133 External Remote Services, T1505.003 Server Software Component: Web Shell, T1078 Valid Accounts, T1047 Windows Management Instrumentation, T1546.008 Event Triggered Execution: Accessibility Features

Defense Recommendations

  1. Monitor LOLBin usage patterns: alert when web-server worker processes spawn command interpreters, and baseline WMI and PowerShell activity so remote execution under service accounts stands out.

  2. Block unauthorized VPN software: prevent installation and outbound connections of SoftEther and similar clients with application control and egress filtering, matching on binary metadata rather than file name so a renamed copy is still caught.

  3. Implement RDP usage monitoring: audit changes to the RDP-Tcp UserAuthentication (NLA) setting and to Image File Execution Options for accessibility binaries, and alert on RDP sessions that arrive over a local VPN interface rather than the corporate gateway.

  4. Patch and monitor public-facing servers, since every reported intrusion began with exploitation of a known vulnerability followed by a web shell.
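
The persistence chain in the TTP list and the monitoring recommendations above can be turned into concrete detection logic. The following Python is an added example written for this page, not tooling from the page or from any vendor cited on it. It assumes Sysmon-style telemetry (EventID 1 process creation with Image, ParentImage, OriginalFileName and CommandLine; EventID 13 registry value set with TargetObject and Details) and runs over constructed sample events embedded in the block. The SoftEther executable names, the RDP-Tcp UserAuthentication registry value and the Image File Execution Options Debugger hijack are real Windows and SoftEther artifacts; the sample paths, command lines and the renamed-binary scenario are made up for illustration.

```python
"""Detection checks for the tradecraft listed above: web-shell child processes,
SoftEther VPN on a host, RDP NLA disabled, and a Sticky Keys (accessibility) hijack.
Added example, not tooling from the page or from any vendor. Events are
Sysmon-shaped dicts (EventID 1 = process create, EventID 13 = registry value set)
with constructed values."""
import re

# Web-server worker processes whose interpreter children suggest a web shell (T1505.003 -> T1059).
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# SoftEther VPN binaries, matched on the PE OriginalFileName so a renamed copy still hits.
SOFTETHER_ORIGINAL_NAMES = {"vpnbridge.exe", "vpnserver.exe", "vpnclient.exe", "vpncmd.exe"}

# RDP-Tcp UserAuthentication = 0 disables Network Level Authentication (logon screen reachable pre-auth).
NLA_VALUE = re.compile(r"\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$", re.IGNORECASE)
# A Debugger value under IFEO for an accessibility binary runs that program at the logon screen as SYSTEM (T1546.008).
ACCESSIBILITY_IFEO = re.compile(
    r"\\Image File Execution Options\\(sethc|utilman|osk|narrator|magnify|displayswitch)\.exe\\Debugger$",
    re.IGNORECASE,
)


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _dword_is_zero(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000000)'; also accept a bare decimal 0."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16) == 0
    return details.strip() == "0"


def analyze(events):
    """Return (rule_name, detail) for every event matching one of the checks, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            image = _basename(ev.get("Image", ""))
            parent = _basename(ev.get("ParentImage", ""))
            original = ev.get("OriginalFileName", "").lower()
            if parent in WEB_SERVER_IMAGES and image in INTERPRETERS:
                findings.append(("webshell_child_process",
                                 f"{parent} -> {image}: {ev.get('CommandLine', '')}"))
            if original in SOFTETHER_ORIGINAL_NAMES:
                findings.append(("softether_vpn",
                                 f"{ev.get('Image', '')} (OriginalFileName={original})"))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            details = str(ev.get("Details", ""))
            if NLA_VALUE.search(target) and _dword_is_zero(details):
                findings.append(("rdp_nla_disabled", target))
            if ACCESSIBILITY_IFEO.search(target):
                findings.append(("accessibility_ifeo_hijack", f"{target} = {details}"))
    return findings


# Constructed sample telemetry (not real logs): one benign event among four malicious ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc\conhost.exe",  # hypothetical renamed SoftEther bridge
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "vpnbridge.exe", "CommandLine": "conhost.exe /start"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\taskmgr.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Matching the VPN bridge on OriginalFileName rather than on the process image catches a renamed binary but misses one whose version resource has been stripped, so pair it with a file hash or code-signer check in production. The web-shell rule will also fire on legitimate deployment scripts run by an application pool, so the parent-process list should be tuned per server role.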

Related Threat Actors

Volt Typhoon, Salt Typhoon
