Flax Typhoon

Threat Actor updated a month ago (2024-11-29T13:58:24.435Z)
Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, government organizations, and private companies. They are one of several Advanced Persistent Threats (APTs) sponsored by China, including Salt Typhoon and Volt Typhoon, which Microsoft has publicly disclosed. Flax Typhoon's activities have been observed across different sectors, including IT, military, and governmental interests around the South China Sea.

A distinctive feature of Flax Typhoon's operations is its extensive use of SoftEther VPN, an open-source, cross-platform VPN software favored by many cybercriminals. The group has been observed switching from its full-featured backdoor to using the SoftEther VPN Bridge on machines of governmental organizations in the EU. Furthermore, they've deployed SoftEther VPN servers at telecommunications operators in Africa. This shift towards common VPN software aligns with tactics observed in other China-backed APTs such as Gallium and Webworm.

Recently, Lumen Technologies' threat intelligence group, Black Lotus Labs, detailed a botnet linked to Flax Typhoon that used a modified version of the Mirai internet-of-things malware to compromise routers, modems, IP cameras, NAS servers, and digital video recorders. The experts believe this botnet is controlled by Flax Typhoon, further cementing the group's reputation for stealthy and persistent cyber operations. Flax Typhoon's activities pose a significant threat to global cybersecurity, highlighting the need for robust defense mechanisms against such sophisticated attacks.
Description last updated: 2024-11-15T16:05:50.166Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias: Ethereal Panda (6 votes)
Ethereal Panda is a possible alias for Flax Typhoon. Ethereal Panda, also known as Flax Typhoon or RedJuliett, is a threat actor believed to be linked to the Chinese government. This group has been involved in various cyber espionage activities targeting organizations primarily in Taiwan. Reports from cybersecurity firms such as Microsoft and CrowdStr

Alias: RedJuliett (4 votes)
RedJuliett is a possible alias for Flax Typhoon. RedJuliett, also known as Flax Typhoon and Ethereal Panda, is a China-linked Advanced Persistent Threat (APT) group that has been reported to control a botnet for malicious activities. This state-sponsored group has been persistently launching espionage attacks on numerous organizations since 2023.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Vpn
Chinese
Botnet
Malware
Espionage
Windows
Microsoft
Exploit
Lateral Move...
Source
Taiwan
Taiwanese
Web Shell
Associated Malware
Malware: China Chopper (association type: Unspecified; 2 votes)
The China Chopper malware is associated with Flax Typhoon. China Chopper is a well-known malware that has been used extensively by Chinese-speaking actors, including the BRONZE UNION group. The malware is designed to exploit and damage computer systems, often without the knowledge of the user. It can infiltrate systems through suspicious downloads, emails,
Associated Threat Actors
Threat actor: GALLIUM (association type: Unspecified; 3 votes)
The GALLIUM threat actor is associated with Flax Typhoon. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar

Threat actor: Volt Typhoon (association type: Unspecified; 2 votes)
The Volt Typhoon threat actor is associated with Flax Typhoon. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments
Source Document References
Information about the Flax Typhoon threat actor was read from the document corpus below. This display is limited to 20 results.

Source (created):
DARKReading (a month ago)
BankInfoSecurity (a month ago)
ESET (2 months ago)
DARKReading (2 months ago)
BankInfoSecurity (2 months ago)
BankInfoSecurity (2 months ago)
DARKReading (2 months ago)
InfoSecurity-magazine (2 months ago)
BankInfoSecurity (3 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
InfoSecurity-magazine (3 months ago)
BankInfoSecurity (3 months ago)
DARKReading (3 months ago)
InfoSecurity-magazine (3 months ago)
Securityaffairs (3 months ago)
Securelist (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)