Flax Typhoon

Threat Actor Profile (updated 12 days ago)
Flax Typhoon, also tracked as RedJuliett and Ethereal Panda by different vendors, is a China-linked threat actor that has been actively targeting Taiwan. The group's activities have been closely monitored by several cybersecurity firms, including Microsoft and CrowdStrike. Multiple aliases for one group are common in the industry because each vendor applies its own naming convention. In August 2023, Microsoft reported that Flax Typhoon had exploited vulnerabilities in public-facing servers to gain initial access to networks. The group then established a VPN connection to infrastructure under its own control and used it to collect credentials from compromised systems; this campaign predominantly targeted Taiwanese organizations. Flax Typhoon used the open-source client/server VPN software SoftEther and generated multiple TLS certificates to communicate with the targeted networks. The Insikt Group's report indicates that RedJuliett, another alias for Flax Typhoon, has intensified Taiwanese cyber-espionage through network perimeter exploitation. The overlap between these tracked clusters suggests a coordinated effort to compromise Taiwanese digital assets, and the persistent nature of the activity makes Flax Typhoon a significant ongoing threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Ethereal Panda (6 votes): Ethereal Panda, also known as Flax Typhoon, is a threat actor believed to be based in China. The activities of this group strongly overlap with those reported under the aliases Flax Typhoon by Microsoft and Ethereal Panda by CrowdStrike. This correlation suggests that Ethereal Panda operates as a na

Redjuliett (2 votes): RedJuliett, a Chinese state-sponsored threat actor, has been actively targeting the infrastructure of approximately 75 organizations across government, academic, and technology sectors in multiple countries. The group is particularly focused on Taiwan, where it has launched attacks against 24 differ
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Vpn
Malware
Espionage
Web Shell
Taiwanese
Microsoft
Exploit
Chinese
Taiwan
Lateral Move...
Windows
Credentials
Asia
Vulnerability
Source
Ransomware
China
Chromium
Government
Symantec
Securityweek
Associated Malware
ID / Type / Votes / Profile Description

China Chopper (type: Unspecified, 2 votes): China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated

Hive (type: Unspecified, 1 vote): Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Associated Threat Actors
ID / Type / Votes / Profile Description

Mulberry Typhoon / Manganese (type: Unspecified, 1 vote): None

Volt Typhoon (type: Unspecified, 1 vote): Volt Typhoon, a threat actor linked to China, has been identified as a significant cyber threat with strong operational security. Known for their sophisticated Advanced Persistent Threat (APT) activities, this group has been associated with the KV-Botnet and has remained undetected within U.S. infra

Storm-0558 (type: Unspecified, 1 vote): Storm-0558, a threat actor believed to be operating on behalf of the Chinese government, has been identified by Microsoft as the group responsible for a significant breach involving customer email accounts. The attack was initiated through Outlook Web Access in Exchange Online and Outlook.com, with

Charcoal Typhoon (type: Unspecified, 1 vote): Charcoal Typhoon, a China-affiliated threat actor, has been identified as one of the state-backed groups using OpenAI's ChatGPT for malicious purposes. The group is known for focusing on tracking groups in Taiwan, Thailand, Mongolia, Malaysia, France, Nepal, and individuals globally that oppose Chin
Associated Vulnerabilities
ID / Type / Votes / Profile Description

No associations to display
Source Document References
Information about the Flax Typhoon threat actor was read from the document corpus below. This display is limited to 20 results.

Source / Created At / Title
Securityaffairs (5 days ago): Security Affairs Malware Newsletter - Round 3
Securityaffairs (6 days ago): Security Affairs Malware Newsletter - Round 3
Securityaffairs (12 days ago): Security Affairs Malware Newsletter - Round 2
Recorded Future (18 days ago): Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation | Recorded Future
Securityaffairs (20 days ago): Security Affairs Malware Newsletter - Round 1
Securityaffairs (a month ago): Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity (a month ago): Chinese Hackers Caught Spying on Taiwanese Firms
InfoSecurity-magazine (a month ago): China-Based RedJuliett Targets Taiwan in Cyber Espionage Campaign
Recorded Future (a month ago): Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation | Recorded Future
Securityaffairs (a month ago): Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (a month ago): Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (2 months ago): Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (3 months ago): Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs (4 months ago): Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs (4 months ago): Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs (4 months ago): Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs (4 months ago): Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs (5 months ago): Security Affairs newsletter Round 462 by Pierluigi Paganini