active threat profile
type: Nation-State
threat level: Critical
status: Active
origin: China — MSS-linked (Taiwan focus)
last updated: 2026-03-27

Flax Typhoon

also tracked as: Ethereal Panda (CrowdStrike); RedJuliett (Recorded Future); Fuzhou-based (Insikt Group); Integrity Technology Group (front company)

A Chinese espionage group with a dual identity: as Flax Typhoon it conducts stealthy LotL-heavy intrusions into Taiwanese government, education, and technology organizations; as the operator of the Raptor Train botnet (linked to front company Integrity Technology Group) it maintained a 260,000-device IoT/SOHO botnet used for espionage relay and global C2 infrastructure. Microsoft first reported Flax Typhoon in August 2023. Recorded Future's Insikt Group assessed the group operates from Fuzhou, Fujian Province, in support of Beijing's intelligence collection goals regarding Taiwan's economic policy, diplomatic relations, and critical technology development. The FBI and DOJ disrupted the Raptor Train botnet in September 2024 — Integrity Technology Group was subsequently sanctioned by the US Treasury in January 2025.

attributed sponsor: China — MSS (Ministry of State Security)
assessed base of operations: Fuzhou, Fujian Province, China (Insikt Group)
active since: Mid-2021 (assessed); Raptor Train May 2020
primary targets: Taiwan — government, education, manufacturing, IT, telecom
secondary targets: US military/gov/DIB; SE Asia; North America; Africa
raptor train peak: 60,000 active devices (Jun 2023); 260,000+ total
front company: Integrity Technology Group — Beijing-based; US-sanctioned Jan 2025
botnet disrupted: Sep 18, 2024 (FBI/DOJ court-authorized operation)
defining tactic: LotL — SoftEther VPN-over-HTTPS; renamed system binaries

Overview

Flax Typhoon is documented across two distinct operational modes that together represent one of the more sophisticated Chinese state espionage architectures publicly disclosed. The first mode is the direct intrusion campaign — persistent, low-noise access into Taiwanese organizations using living-off-the-land (LotL) binaries, legitimate VPN software, and stolen credentials, with minimal custom malware footprint. The second is the Raptor Train botnet — a massive multi-tiered IoT/SOHO device network operated since at least May 2020, attributed by the FBI to Integrity Technology Group, a Beijing-based company whose chairman publicly acknowledged collecting intelligence and performing reconnaissance for China's government.

Microsoft published the foundational Flax Typhoon profile in August 2023, documenting the group's Taiwan-focused intrusion campaign. CrowdStrike had separately tracked the same activity cluster as Ethereal Panda, noting identical SoftEther VPN reliance and the use of Godzilla webshell. Recorded Future's Insikt Group published a comprehensive RedJuliett campaign analysis covering November 2023 to April 2024, identifying 24 confirmed victim organizations and reconnaissance attempts against over 70 Taiwanese entities. Insikt Group placed the group in Fuzhou based on administrative IP geolocation and operational timing patterns.

The Raptor Train botnet — named by Lumen Technologies' Black Lotus Labs, which began investigating the infrastructure in mid-2023 — was publicly disclosed and disrupted in September 2024. At its peak in June 2023, the botnet comprised over 60,000 actively compromised devices; over its four-year operational history more than 260,000 SOHO routers, NVR/DVR devices, NAS servers, and IP cameras were conscripted into the network. The FBI's court-authorized operation took control of Integrity Technology Group's infrastructure and sent disabling commands to infected devices — an action Integrity Technology Group contested by launching a DDoS attack against the FBI's operational servers during the remediation.

Both operational modes serve the same intelligence collection purpose: the direct intrusion campaigns focus on Taiwanese organizations and their government and diplomatic networks, while the botnet provides global C2 relay infrastructure that obscures traffic origins, enables scanning and reconnaissance against US and Taiwanese military and government targets, and potentially positions for future disruptive operations. The US sanctions on Integrity Technology Group in January 2025 represent one of the most direct public attributions of a Chinese cybersecurity contractor to active state-sponsored intrusion operations.

Raptor Train Botnet

Raptor Train is a three-tier botnet architecture operated since May 2020, managed by Integrity Technology Group and attributed to Flax Typhoon by Black Lotus Labs, the FBI, NSA, and CNMF.

  • Tier 1 — Compromised Devices (Bots) — IoT/SOHO Device Layer: SOHO routers, NVR/DVR recorders, NAS servers, IP cameras, load balancers — infected via known exploits using a custom Mirai variant. Over 200,000 unique devices compromised since May 2020. Peak: 60,000+ active devices (Jun 2023). As of June 2024, the MySQL database on management servers contained over 1.2 million records of compromised devices including over 385,000 unique US victim devices. Devices self-delete malware artifacts to complicate forensics.
  • Tier 2 — C2 Nodes — Command & Control Servers: Rotated approximately every 75 days. Primarily hosted in the US, Singapore, UK, Japan, and South Korea. Grew from 1–5 C2 nodes (2020–2022) to 30+ (early 2024) to 60+ by Jun–Aug 2024. C2 domain w8510.com became so prominent it appeared in Cloudflare Radar's top 1 million domains by August 2024 — enabling circumvention of domain whitelist-based security controls. Tier 2 nodes also serve as exploitation and payload servers.
  • Tier 3 — Management — Sparrow Controller: Upstream management servers communicate with Tier 2 via TCP port 34125 (unique TLS certificate) and SSH port 22. They host the Sparrow application — a Node.js backend with an Electron front-end — allowing registered users to manage and control the botnet, issue DDoS and exploitation commands, and collect data. IP addresses registered to China Unicom Beijing Province Network accessed Sparrow — the same IPs previously used in Flax Typhoon intrusion activities. Tier 3 management sessions were observed exclusively during Chinese working hours.

Black Lotus Labs identified four distinct campaigns within Raptor Train's operational history: Crossbill (May 2020–Apr 2022, root domain k3121.com), Finch (Jul 2022–Jun 2023, root domain b2047.com), Canary (May 2023–Aug 2023), and Oriole (Jun 2023–present, root domain w8510.com — the campaign active at the time of the September 2024 disruption). The botnet was used for targeting scanning against US military, US government, IT providers, and Defense Industrial Base organizations in late December 2023, and for exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (CVE-2024-21887) in US and Taiwanese critical sectors.

Target Profile

  • Taiwan — Primary: Government agencies at national and local level, educational institutions (universities have been both targets and compromised infrastructure used to host RedJuliett's SoftEther servers), critical manufacturing, IT and technology companies, telecommunications providers, and diplomatic entities including de facto embassies operating in Taiwan. Approximately 60% of RedJuliett's identified victim organizations between November 2023 and April 2024 were in Taiwan.
  • Taiwan — Diplomatic Network: RedJuliett targeted organizations in Laos, Kenya, and Rwanda — countries maintaining specific diplomatic or economic relationships with Taiwan. The targeting of Djibouti, Hong Kong, South Korea, Malaysia, the Philippines, and the US was also documented. This pattern supports the assessment that intelligence collection focuses on Taiwan's external relationships and diplomatic standing.
  • US Military, Government, and Defense Industrial Base: Raptor Train botnet operators conducted targeting of US military organizations, government agencies, IT providers, and DIB entities — scanning activities documented in late December 2023. As of June 2024, over 385,000 unique US victim devices were recorded in the Sparrow management database, though device compromise for botnet enrollment differs from direct targeted intrusion.
  • Southeast Asia, North America, and Africa: Flax Typhoon's direct intrusion activity extends beyond Taiwan into Southeast Asian countries, North America, and Africa — consistent with the broader Chinese espionage apparatus's global collection mandate. The geographic expansion likely reflects interest in organizations with direct relationships to Taiwan or to technology sectors of strategic interest to Beijing.

Tactics, Techniques & Procedures

The following Flax Typhoon TTPs are documented by Microsoft (Aug 2023), CrowdStrike (Ethereal Panda, Feb 2023), Recorded Future/Insikt Group (RedJuliett, Jun 2024), and the FBI/CISA joint advisory (Sep 2024).

  • T1190 — Exploit Public-Facing Application (Initial Access): Initial access is consistently achieved by exploiting known vulnerabilities in internet-facing servers and network edge devices — including firewalls, enterprise VPNs, load balancers, and web applications. Documented exploits include Apache Tomcat instances (CrowdStrike, Feb 2023), Dirty Cow Linux privilege escalation (CVE-2016-5195), and vulnerability scanning against Ivanti Connect Secure (CVE-2024-21887) and Atlassian Confluence. Recorded Future documented exploitation of network perimeter devices including firewalls and enterprise VPNs for initial access in the Nov 2023–Apr 2024 campaign.
  • T1505.003 — Web Shell Deployment: China Chopper is the primary web shell deployed for post-exploitation persistence and remote code execution. Additional open-source web shells used in the RedJuliett campaign: devilzShell, AntSword, and Godzilla (the last documented specifically by CrowdStrike as an Ethereal Panda signature tool). Web shells provide persistent server-side access that survives reboots and is difficult to detect without file integrity monitoring on web-facing directories.
  • T1133 / T1021.001 — SoftEther VPN Bridge, Persistent HTTPS Tunnel: Flax Typhoon's most distinctive persistence technique. SoftEther VPN is a legitimate, open-source VPN application that antivirus products do not flag. The group renames the SoftEther executable (vpnbridge.exe) to conhost.exe or dllhost.exe — impersonating the legitimate Windows components Console Window Host and COM Surrogate. The VPN connection is configured in VPN-over-HTTPS mode, encapsulating Ethernet packets in compliant HTTPS packets transmitted to TCP port 443, making the traffic indistinguishable from legitimate HTTPS without deep packet inspection. A Windows service is created via Service Control Manager (SCM) to auto-start the VPN bridge on every boot. PowerShell's Invoke-WebRequest, certutil, or bitsadmin are used to download SoftEther initially.
  • T1546.008 — Sticky Keys Modification, Accessibility Feature Abuse: Flax Typhoon modifies the Windows Sticky Keys accessibility feature (sethc.exe) so that pressing the Shift key five times at the login screen launches Task Manager instead of the Sticky Keys dialog. This provides pre-authentication system access — an attacker can reach Task Manager from the Windows login screen without entering credentials, enabling process management and potentially spawning command shells with SYSTEM privileges without needing to authenticate.
  • T1003.001 / T1003.002 — Credential Dumping, LSASS and SAM: Mimikatz is deployed to dump credentials from two primary Windows password stores: the Local Security Authority Subsystem Service (LSASS) process memory (T1003.001) and the Security Account Manager (SAM) registry hive (T1003.002). Both contain hashed passwords for locally signed-in users. CrowdStrike also documented ProcDump for LSASS memory dumping as an alternative credential access method. Recovered hashes enable offline cracking or pass-the-hash (PtH) lateral movement against other systems in the network.
  • T1021.001 / T1090 — RDP Persistence and Traffic Proxying: Following initial access, Flax Typhoon establishes persistent RDP access to maintain a long-term connection capability to compromised systems. Network traffic — including scanning, vulnerability scanning, and exploitation attempts against other systems — is routed through the SoftEther VPN bridge installed on compromised hosts. This proxying disguises attack traffic as originating from legitimate enterprise endpoints rather than attacker-controlled infrastructure, complicating network-layer detection and attribution.
  • T1018 / T1046 — Network Reconnaissance and Vulnerability Scanning via Compromised Hosts: Flax Typhoon uses the SoftEther VPN bridges on compromised systems to route network scanning and vulnerability scanning traffic, looking for additional targets and vulnerabilities from within trusted network segments. The Raptor Train botnet extended this capability globally — scanning US military, government, and DIB targets in late December 2023 via the botnet's Tier 2 C2 nodes, which also serve as exploitation servers for conscripting new devices.
  • T1584.005 / T1583.005 — Botnet Infrastructure via Compromised IoT Devices: The Raptor Train botnet uses a custom Mirai variant to compromise SOHO routers, NVR/DVR devices, NAS servers, and IP cameras. Compromised devices become Tier 1 bots providing traffic relay and DDoS capacity. C2 domains rotate approximately every 75 days. The w8510.com C2 domain became so prominent by mid-2024 that it appeared in Cloudflare Radar and Cisco Umbrella top-1-million domain lists, allowing it to bypass domain whitelisting-based security controls in enterprise environments.

Known Campaigns

Taiwan Intrusion Campaign — Microsoft Initial Disclosure (Mid-2021–Aug 2023)

Microsoft published the foundational Flax Typhoon profile in August 2023, documenting persistent intrusion activity against Taiwanese organizations across government agencies, educational institutions, critical manufacturing, and IT companies. Microsoft observed the group gaining access via public-facing server vulnerabilities, deploying China Chopper web shells, establishing SoftEther VPN-over-HTTPS persistence, and dumping credentials via Mimikatz — all while relying primarily on LotL techniques rather than custom malware. Microsoft noted it had not observed the group weaponize access for data-collection and exfiltration at the time of publication — suggesting the activity represented persistent access staging rather than active data theft, which is consistent with pre-positioned espionage operations. Microsoft proactively notified affected customers and shared KQL hunting queries for defenders.

RedJuliett — Taiwan + Africa + SE Asia Campaign (Nov 2023–Apr 2024)

Recorded Future's Insikt Group documented a sustained campaign from November 2023 to April 2024 targeting government, academic, technology, and diplomatic organizations in Taiwan with secondary targets in Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the US. 24 confirmed victim organizations communicated with RedJuliett infrastructure. Over 70 additional organizations in Taiwan were subject to reconnaissance via vulnerability scanning or exploitation attempts. The group exploited internet-facing firewalls, enterprise VPNs, and load balancers for initial access — expanding the documented exploitation techniques beyond web applications into network edge devices. Insikt Group geolocated administrative activity to Fuzhou, Fujian Province, China, via Chinanet IP addresses. RedJuliett used compromised Taiwanese university infrastructure to host SoftEther VPN servers alongside leased VPS infrastructure.

Raptor Train Botnet — Global IoT Infrastructure (May 2020–Sep 2024, disrupted)

Raptor Train is the most technically significant Flax Typhoon operation by scale. Operational from at least May 2020, the four-campaign botnet (Crossbill, Finch, Canary, Oriole) compromised over 260,000 IoT/SOHO devices across North America, South America, Europe, Africa, Southeast Asia, and Australia. The botnet's Sparrow management application was accessed from China Unicom Beijing Province IPs — the same IPs used in Flax Typhoon direct intrusion activity, directly linking the botnet operators to the intrusion group. In December 2023, botnet operators conducted extensive scanning targeting US military, government, IT providers, and DIB. The FBI and DOJ disrupted the botnet on September 18, 2024, via a court-authorized operation taking control of Integrity Technology Group's infrastructure. Integrity Technology Group responded with a DDoS attack against the FBI's remediation servers. The US Treasury sanctioned Integrity Technology Group in January 2025; the company is publicly traded in China.

Indicators of Compromise

detection note

Flax Typhoon's LotL approach means many behaviors are inherently low-signature — SoftEther is legitimate software, renamed system binaries blend with valid process names, and HTTPS on port 443 is normal. Detection requires behavioral analytics: process ancestry, binary rename detection, SCM service creation from unusual parent processes, and RDP sessions originating from unexpected source IPs. The full IOC list including KQL hunting queries for Microsoft Defender is available in Microsoft's August 2023 blog post. Recorded Future's RedJuliett advisory provides the most current SoftEther TLS certificate SHA-1 fingerprints and active infrastructure IPs.

indicators of compromise — technical identifiers
  • SoftEther binary rename: vpnbridge.exe renamed to conhost.exe or dllhost.exe — legitimate Windows component impersonation
  • C2 port (SoftEther): TCP 443 (VPN-over-HTTPS mode) — SoftEther traffic indistinguishable from legitimate HTTPS without DPI
  • Botnet management port: TCP 34125 — Tier 3 management to Tier 2 C2 communication; unique TLS certificate
  • Raptor Train C2 domain: w8510.com — Oriole campaign (Jun 2023–Sep 2024); 80+ subdomains; appeared in Cloudflare Radar top 1M
  • Raptor Train C2 domains: k3121.com (Crossbill); b2047.com (Finch) — earlier campaign root domains
  • SoftEther TLS fingerprint: 7992c0a816246b287d991c4ecf68f2d32e4bca18 — active RedJuliett SoftEther server certificate (Recorded Future)
  • SoftEther TLS fingerprint: 5437d0195c31bf7cedc9d90b8cb0074272bc55df — active RedJuliett SoftEther server certificate
  • SoftEther TLS fingerprint: cc1f0cdc131dfafd43f60ff0e6a6089cd03e92f1 — active RedJuliett SoftEther server certificate
  • Known C2 IPs (Microsoft): 39.98.208[.]61 — Jul–Aug 2023 timeframe; 45.195.149[.]224 — Jan–Mar 2023; 45.204.1[.]248 — Feb–May 2023
  • RedJuliett domains: cktime.ooguy[.]com; www.sofeter[.]ml; www.dns361[.]tk
  • Web shells: China Chopper; Godzilla (Ethereal Panda); devilzShell; AntSword — deployed post-exploitation
  • Persistence mechanism: Windows Service (SCM) auto-start of renamed SoftEther VPN binary at system boot
  • Accessibility abuse: sethc.exe modification (Sticky Keys → Task Manager) — pre-authentication system access at Windows login screen
  • Full IOC reference: Microsoft blog (Aug 2023) includes KQL hunting queries; Recorded Future RedJuliett (Jun 2024); CISA/FBI advisory (Sep 2024)
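The network-side indicators above, applied to connection records as an added example (not code from Microsoft, Recorded Future or Black Lotus Labs). The Zeek-style field names, the four-hour session threshold and the flow records are assumptions constructed for the example; subdomain matching generalizes the w8510.com entry, which the page notes carried 80+ subdomains.

```python
"""Network-side triage against the Flax Typhoon / Raptor Train indicators
listed above. Added example for this profile, not code from Microsoft,
Recorded Future or Black Lotus Labs; the flow records below are constructed."""
from dataclasses import dataclass

# Indicators as published on this page (de-fanged brackets removed).
C2_DOMAINS = {"w8510.com", "k3121.com", "b2047.com",
              "cktime.ooguy.com", "www.sofeter.ml", "www.dns361.tk"}
C2_IPS = {"39.98.208.61", "45.195.149.224", "45.204.1.248"}
SOFTETHER_CERT_SHA1 = {
    "7992c0a816246b287d991c4ecf68f2d32e4bca18",
    "5437d0195c31bf7cedc9d90b8cb0074272bc55df",
    "cc1f0cdc131dfafd43f60ff0e6a6089cd03e92f1",
}
RAPTOR_TRAIN_MGMT_PORT = 34125   # Tier 3 -> Tier 2 management channel
# Assumed local threshold: SoftEther keeps one HTTPS tunnel up for hours, so a
# single TCP/443 session this long from a server-class host deserves a look.
LONG_SESSION_SECONDS = 4 * 3600

@dataclass
class Flow:
    """One connection record in Zeek conn.log/ssl.log style (field names assumed)."""
    src: str
    dst: str
    dport: int
    duration: float                # seconds the session stayed up
    sni: str = ""                  # TLS server_name, if any
    cert_sha1: str = ""            # SHA-1 of the server leaf certificate
    src_role: str = "workstation"  # asset-inventory tag: workstation or server

def domain_matches(name: str) -> bool:
    """True if name is a C2 domain or any subdomain of one (w8510.com had 80+)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels)))

def triage(flow: Flow) -> list[str]:
    """Return the indicator names the flow matches (empty list = nothing seen)."""
    hits = []
    if flow.dport == RAPTOR_TRAIN_MGMT_PORT:
        hits.append("raptor_train_mgmt_port")      # narrow, high-fidelity
    if flow.dst in C2_IPS:
        hits.append("known_c2_ip")
    if flow.sni and domain_matches(flow.sni):
        hits.append("raptor_train_c2_domain")
    if flow.cert_sha1.lower() in SOFTETHER_CERT_SHA1:
        hits.append("redjuliett_softether_cert")
    # VPN-over-HTTPS shape: an analyst lead, not a block-on-sight signal.
    if (flow.dport == 443 and flow.src_role == "server"
            and flow.duration >= LONG_SESSION_SECONDS):
        hits.append("long_lived_https_from_server")
    return hits

# Constructed sample flows, not real telemetry (RFC 5737 addresses as peers
# wherever the flow does not need an indicator IP from the page).
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "203.0.113.9", 443, 5 * 3600, sni="a1.w8510.com",
         src_role="server"),
    Flow("10.1.5.21", "198.51.100.7", 34125, 12.0),
    Flow("10.1.5.22", "45.204.1.248", 443, 30.0,
         cert_sha1="7992C0A816246B287D991C4ECF68F2D32E4BCA18"),
    Flow("10.1.7.3", "192.0.2.44", 443, 2.5, sni="update.example.com"),
]

def triage_all(flows=SAMPLE_FLOWS) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its hits, keeping only flows that matched."""
    report = {}
    for f in flows:
        hits = triage(f)
        if hits:
            report[f"{f.src}->{f.dst}:{f.dport}"] = hits
    return report
```

`triage_all()` returns only the flows that matched something; the long-lived-session rule is intentionally separate from the indicator hits because it flags a traffic shape, not a known-bad value.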

Mitigation & Defense

  • Detect Renamed SoftEther Binaries via Process Behavior: SoftEther's vpnbridge.exe renamed to conhost.exe or dllhost.exe is the single most actionable behavioral indicator specific to Flax Typhoon. Implement EDR rules alerting when a process named conhost.exe or dllhost.exe establishes persistent HTTPS connections to external IPs on port 443 and is registered as a Windows service — the legitimate conhost.exe and dllhost.exe do not exhibit this behavior. Alert on Service Control Manager (SCM) service creation events where the service binary path contains VPN-related strings or is a renamed binary in unusual filesystem locations.
  • VPN-over-HTTPS Egress Filtering and Deep Packet Inspection: SoftEther in VPN-over-HTTPS mode encapsulates VPN traffic as HTTPS on TCP 443, making it indistinguishable from legitimate web traffic without DPI. Implement network monitoring capable of inspecting HTTPS session characteristics — specifically, persistent HTTPS connections from server-class systems that carry Ethernet-level packet structures inconsistent with browser or application traffic. Alert on outbound TCP 443 connections establishing and maintaining sessions for extended durations from systems not expected to generate persistent HTTPS sessions.
  • Monitor TCP Port 34125 Specifically: Raptor Train's Tier 2–Tier 3 communication uses TCP port 34125 with a unique TLS certificate as a distinguishing characteristic. No legitimate enterprise application uses TCP port 34125. Any inbound or outbound traffic on this port should generate an immediate alert. This is a narrow, high-fidelity indicator for Raptor Train botnet infrastructure interaction.
  • Patch Internet-Facing Network Edge Devices as First Priority: Flax Typhoon's initial access consistently exploits known vulnerabilities in firewalls, enterprise VPNs, load balancers, and web applications. The most effective prevention is aggressive patch management for internet-facing appliances — particularly devices from vendors historically targeted by Chinese state actors including Ivanti, Fortinet, Citrix, and Cisco. Implement network segmentation isolating public-facing services in a DMZ with restricted lateral movement capability.
  • Accessibility Feature Monitoring — Sticky Keys Replacement: The sethc.exe Sticky Keys modification provides pre-authentication system access. Implement file integrity monitoring on Windows accessibility executables in %SystemRoot%\System32\ — any modification to sethc.exe, utilman.exe, osk.exe, or magnify.exe should generate an immediate critical alert. These files should never change in a normal operating environment.
  • Secure and Monitor LSASS Process Access: Flax Typhoon uses Mimikatz and ProcDump for LSASS credential dumping. Enable Windows Credential Guard where supported to protect credential material in isolated memory. Configure EDR rules to detect processes attempting to read LSASS memory from non-system process parents. Enable Protected Process Light (PPL) for LSASS on Windows 8.1+ systems to reduce the attack surface available to credential dumping tools.
  • SOHO and IoT Device Security Against Botnet Enrollment: Raptor Train primarily conscripts consumer SOHO routers, NVR/DVR devices, NAS servers, and IP cameras via known exploits. Change all default device credentials, update firmware regularly, disable remote management interfaces when not required, place IoT devices on isolated network segments separated from corporate systems, and replace devices that are end-of-life and no longer receiving security updates. Consider deploying network monitoring capable of detecting unusual traffic patterns from IoT device segments.
  • Web Shell Detection on Public-Facing Servers: China Chopper, Godzilla, AntSword, and devilzShell are all deployed as persistence mechanisms after initial access. Implement file integrity monitoring on all web-accessible directories. Deploy web application firewall (WAF) rules blocking common web shell execution patterns. Regularly audit web server directories for unexpected PHP, ASP, or JSP files, particularly those containing encoded or obfuscated content.
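The host-side rules from the list above (renamed SoftEther binary, SCM service for it, conhost/dllhost holding external HTTPS, accessibility binary replacement, LSASS memory reads) as an added example run over constructed event records; this is not a vendor rule set. Field names follow Sysmon and the Windows Security log, but the events, the RFC 1918 internal-network list and the paths are assumptions made for the example.

```python
"""Host-side behavioural rules for the Flax Typhoon tradecraft described above,
run over constructed Windows event-log style records. Added example, not a vendor
rule set; field names mirror Sysmon/Security-log fields but every event is made up."""
import ipaddress
import ntpath

SYSTEM32 = r"c:\windows\system32"
IMPERSONATED = {"conhost.exe", "dllhost.exe"}   # names SoftEther gets renamed to
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe"}
PROCESS_VM_READ = 0x0010                         # access right needed to read LSASS
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).lower() == SYSTEM32

def _external(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def check_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire on one event."""
    kind, img, hits = ev["EventType"], ev.get("Image", ""), []
    if kind == "ProcessCreate":
        # Real conhost/dllhost live in System32; a copy elsewhere, or one whose
        # PE OriginalFileName is SoftEther's, is the renamed VPN bridge.
        if _base(img) in IMPERSONATED and (
                not _in_system32(img)
                or ev.get("OriginalFileName", "").lower() == "vpnbridge.exe"):
            hits.append("renamed_softether_binary")
    elif kind == "ServiceInstall":             # Security 4697 / System 7045
        path = ev.get("ImagePath", "")
        if (_base(path) in IMPERSONATED and not _in_system32(path)) \
                or "vpn" in path.lower():
            hits.append("scm_service_for_renamed_vpn")
    elif kind == "NetworkConnect":             # Sysmon event 3
        # Genuine conhost/dllhost never hold TCP/443 sessions to the internet.
        if (_base(img) in IMPERSONATED and ev.get("DestinationPort") == 443
                and _external(ev["DestinationIp"])):
            hits.append("conhost_dllhost_external_https")
    elif kind == "FileCreate":                 # Sysmon event 11
        target = ev.get("TargetFilename", "")
        if _base(target) in ACCESSIBILITY and _in_system32(target):
            hits.append("accessibility_binary_modified")
    elif kind == "ProcessAccess":              # Sysmon event 10
        # Coarse: a real deployment allowlists known security agents by signer.
        if (_base(ev.get("TargetImage", "")) == "lsass.exe"
                and int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ
                and not _in_system32(ev.get("SourceImage", ""))):
            hits.append("lsass_memory_read")
    return hits

# Constructed events; the one involving the genuine System32 conhost stays quiet.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\conhost.exe",
     "OriginalFileName": "vpnbridge.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\conhost.exe",
     "OriginalFileName": "CONHOST.EXE"},
    {"EventType": "ServiceInstall", "ImagePath": r"C:\ProgramData\conhost.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\ProgramData\conhost.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventType": "ProcessAccess", "SourceImage": r"C:\Users\Public\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

def run(events=SAMPLE_EVENTS) -> list[str]:
    """Flattened list of rule names fired across all events, in event order."""
    return [rule for ev in events for rule in check_event(ev)]
```

Each rule keys on a property the legitimate binary cannot have (path outside System32, a PE original name of vpnbridge.exe, an external 443 session), which is what makes the renamed-binary signal usable despite the LotL approach noted above.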
analyst note

Flax Typhoon represents a technically mature Chinese espionage capability with two operational dimensions that compound each other's effectiveness. The direct intrusion campaigns are stealthy by design — heavy LotL reliance, renamed binaries, HTTPS-tunneled VPN persistence, and no apparent data exfiltration until intelligence collection goals are met — making detection dependent on behavioral analytics rather than signature matching. The Raptor Train botnet adds a third-party infrastructure layer that further distances actual attack traffic from identifiable Chinese IP space, providing global relay capacity that obscures the true origin of reconnaissance and exploitation activity. The Integrity Technology Group identification and subsequent US Treasury sanctions are significant: they establish a pattern of Chinese government use of nominally commercial cybersecurity contractors as operational fronts — a model documented separately with Volt Typhoon and other Typhoon-cluster actors. The chairman's public acknowledgment that his company collected intelligence for China's government, combined with the FBI Director's public attribution at the 2024 Aspen Cyber Summit, makes Flax Typhoon/Integrity Technology Group one of the most directly attributed Chinese contractor-to-government intrusion relationships in the public record. The disruption of Raptor Train in September 2024 is unlikely to permanently degrade the capability — the botnet was rebuilt and expanded multiple times over its four-year history and the underlying infrastructure components will almost certainly be reconstituted under new infrastructure.

Sources & Further Reading

— end of profile