Active threat profile
Type: nation-state
Threat level: critical
Status: active
Origin: China
Last updated: 2025-07-22

Linen Typhoon

Also known as: APT27, Emissary Panda, Iron Tiger, Lucky Mouse, Bronze Union, Budworm, TG-3390, UNC215

Linen Typhoon is one of China's longest-running and most prolific state-sponsored espionage groups, conducting sustained intelligence collection against government, defense, and technology targets across Asia, Europe, and North America since at least 2010. In July 2025, Microsoft confirmed the group as one of three China-nexus actors actively exploiting the critical ToolShell SharePoint vulnerability chain to steal cryptographic keys and establish persistent footholds in targeted organizations.

Attributed origin: China (PRC)
Suspected sponsor: Ministry of State Security (MSS) / Ministry of Public Security (MPS)
First observed: ~2010
Primary motivation: Strategic espionage / intelligence collection
Primary targets: Government, Defense, Technology, Telecoms, Critical Infrastructure
Known campaigns: 10+ documented
MITRE ATT&CK group: G0027
Target regions: Asia-Pacific, Europe, North America, Middle East
Threat level: CRITICAL

Overview

Linen Typhoon — tracked by the broader intelligence community as APT27, Emissary Panda, Iron Tiger, Lucky Mouse, and Bronze Union — is one of the longest-running and most extensively documented Chinese state-sponsored espionage groups in existence. Activity attributed to this cluster dates to at least 2010, making it a fixture of the China-nexus threat landscape across three distinct US administrations, multiple geopolitical cycles, and at least a decade of evolving defensive tooling.

The group operates in direct service of Chinese strategic intelligence priorities, with a targeting philosophy oriented around political intelligence, defense modernization data, and economic information of value to Chinese state interests. Unlike some Chinese APT clusters, Linen Typhoon is notable for operating with considerable operational patience — intrusions are sustained for months or years before data is exfiltrated — and for maintaining a consistently updated toolkit that allows operators to evade detection even as individual tools are publicly burned.

In March 2025, the US Department of Justice unsealed charges against 12 Chinese nationals with ties to APT27 and the i-Soon hacking contractor ecosystem, including Yin Kecheng and Zhou Shuai. The indictment documented intrusions spanning August 2013 through at least December 2024 — including involvement in the compromise of the US Department of the Treasury. Both individuals remain at large in China, with the State Department offering rewards of up to $2 million each for information leading to their arrest.

In July 2025, Microsoft confirmed Linen Typhoon as one of three China-nexus actors actively exploiting the ToolShell SharePoint vulnerability chain (CVE-2025-53770 / CVE-2025-53771) against internet-facing servers, with exploitation traced to as early as July 7, 2025 — prior to public disclosure. The group's activity focused on stealing MachineKey material, a cryptographic secret that can be used to forge authentication tokens and maintain persistent access to victim environments even after patching.

Target Profile

Linen Typhoon's targeting is strategic and geopolitically motivated, consistently aligned with China's foreign policy and military modernization priorities. The group has demonstrated sustained interest in the following sectors.

  • Government and Diplomatic Entities: Foreign ministries, embassies, and government agencies — particularly in countries with strategic relevance to China — are a persistent primary target. The group has been linked to intrusions across Asia, Europe, and the Middle East targeting political intelligence.
  • Defense and Aerospace: Defense contractors, aerospace firms, and military-affiliated research institutions are targeted for acquisition of technology that supports China's military modernization agenda.
  • Technology and Telecommunications: Technology companies and telecommunications operators are targeted both for intellectual property and for the network access they provide to downstream targets. A 2023 Budworm intrusion targeted a Middle Eastern telecom organization.
  • Critical Infrastructure: Energy, manufacturing, and industrial sectors are part of the group's recurring target set, consistent with China's broader pre-positioning doctrine for critical infrastructure access.
  • Human Rights and NGO Organizations: The group is documented targeting human rights organizations and NGOs, consistent with the Chinese government's broader interest in monitoring and disrupting civil society activities perceived as threatening.
  • Think Tanks and Academia: Policy research institutions and universities are targeted for political intelligence and for access to sensitive research.

Tactics, Techniques & Procedures

Linen Typhoon employs a balanced toolkit combining reliable custom malware families with commodity tools and living-off-the-land techniques. The group's TTPs are well-documented across more than a decade of incident response investigations.

  • T1190 Exploit Public-Facing Application: Exploitation of internet-facing services is a primary initial access vector. Documented targets include Microsoft SharePoint (CVE-2019-0604, CVE-2025-53770), Microsoft Exchange (ProxyLogon), Zoho ManageEngine (CVE-2021-40539), and Ivanti appliances.
  • T1566 Spearphishing: Targeted spearphishing emails using diplomatic, military, or politically themed lures to deliver malicious attachments or links. A documented method for initial access alongside vulnerability exploitation.
  • T1574.002 DLL Side-Loading: A signature technique — legitimate signed binaries (INISafeWebSSO, CyberArk Viewfinity, GDFInstall.exe) are abused to sideload malicious DLLs that decrypt and load HyperBro, SysUpdate, or other payloads in memory.
  • T1505.003 Web Shell: Deployment of web shells — including China Chopper, TwoFace, OwaAuth, and ASPXSpy — on compromised servers for persistent access and command execution. OwaAuth specifically targets Exchange OWA to harvest submitted credentials.
  • T1003 OS Credential Dumping: Credential harvesting from LSASS memory, Windows registry hives, and browser caches using Mimikatz, Windows Credential Editor (WCE), gsecdump, LaZagne, and SecretsDump. Also observed using custom PasswordDumper utilities.
  • T1021 Lateral Movement: Lateral movement via PsExec, WMI (via Impacket), and SMB. In some intrusions, the group scanned for EternalBlue-vulnerable hosts to extend access across segmented environments.
  • T1090 Proxy / Tunneling: Use of reverse proxy and tunneling tools including Chisel (renamed to blend with legitimate processes, e.g. veeamGues.exe), IOX, Fast Reverse Proxy, and SOCKS5 tunneling over SSH-encapsulated HTTP to route traffic out of target environments.
  • T1070 Indicator Removal: Disabling of Windows event logging to reduce forensic visibility. In ransomware-adjacent operations, shadow copy deletion and log clearing were observed prior to payload deployment.

Known Campaigns

Confirmed or highly attributed operations linked to Linen Typhoon across its operational history.

ToolShell SharePoint Exploitation 2025

Beginning as early as July 7, 2025 — prior to public disclosure — Linen Typhoon exploited the ToolShell vulnerability chain (CVE-2025-53770 / CVE-2025-53771) against internet-facing SharePoint servers. Activity focused on stealing MachineKey cryptographic material to maintain persistent access even after patching. Microsoft confirmed attribution on July 22, 2025. Government, technology, and defense organizations across North America, Europe, and APAC were among those targeted.

Treasury & i-Soon Intrusion Network 2013–2024

DOJ indictment unsealed in March 2025 documented APT27-linked operators Yin Kecheng and Zhou Shuai conducting intrusions across US government agencies, companies, and municipalities for over a decade. Activity included the December 2024 compromise of the US Department of the Treasury via a third-party software vendor. Stolen data was brokered through i-Soon, a contractor whose primary customers included the Ministry of State Security and Ministry of Public Security.

Budworm / Middle East & Asia Telecom Targeting 2023

In August 2023, the group targeted a Middle Eastern telecommunications organization and an Asian government entity. A previously undocumented variant of the SysUpdate backdoor (inicore_v2.3.30.dll) was deployed via DLL sideloading using the legitimate INISafeWebSSO application. Activity was consistent with early-stage credential harvesting prior to broader collection operations.

European Defense & Technology Intrusions 2022–2024

Germany's domestic intelligence service (BfV) issued a public warning in July 2024 that APT27 was actively targeting European entities using updated RSHELL malware variants. Prior intrusions documented by incident responders involved exploitation of ProxyLogon (Exchange), OGNL injection in Confluence, and Log4Shell as entry points, followed by months-long undetected dwell time and HyperBro-based persistence.

Taiwan Operations 2022

During US House Speaker Nancy Pelosi's visit to Taiwan in August 2022, APT27-associated actors conducted DDoS operations temporarily disrupting Taiwanese government websites, alongside defacements at convenience stores and train stations. The activity was unusual for the group — which prioritizes covert access over visible disruption — and may reflect tasking under direct state direction.

Tools & Malware

Linen Typhoon maintains a multi-layered toolkit combining custom implants developed in-house, tools shared across Chinese APT clusters, and commodity open-source utilities.

  • HyperBro: A custom in-memory remote access trojan (RAT) that has been a signature tool of the group since at least 2017. Delivered via DLL sideloading, HyperBro provides remote command execution, file operations, screenshot capture, clipboard theft, service manipulation, and registry editing. C2 communication uses HTTPS POST requests to /api/v2/ajax on port 443.
  • SysUpdate: A modular custom backdoor regularly updated across the group's operational lifetime. Recent variants (including inicore_v2.3.30.dll observed in 2023) are delivered via DLL sideloading. SysUpdate supports plugin-based extensibility for tailored post-exploitation capability.
  • PlugX (Korplug): A shared remote access tool used across many Chinese APT clusters. Linen Typhoon deploys it for persistent remote control, lateral movement, and intelligence gathering. Often deployed alongside HyperBro as a redundant access mechanism.
  • China Chopper / OwaAuth / TwoFace: Web shells deployed on compromised servers for persistent command execution. OwaAuth is specifically designed for Exchange OWA deployments and logs credentials submitted at the login page.
  • Chisel: An open-source Go-based reverse proxy tool used to tunnel TCP/UDP over SSH-encapsulated HTTP. Observed renamed to blend with legitimate processes (e.g. veeamGues.exe).
  • Mimikatz / WCE / gsecdump / LaZagne: Commodity credential harvesting tools used for dumping LSASS memory, registry hives, and browser-stored credentials during post-compromise operations.
  • AdFind / Fscan / masscan: Discovery and network scanning tools used for internal reconnaissance, Active Directory enumeration, and lateral movement target identification.
  • Cobalt Strike: Commercial post-exploitation framework observed in select Linen Typhoon intrusions as a commodity C2 capability alongside custom implants.
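As an added example (not code from the profile or from any vendor it cites), the following heuristic reviews image-load events for the sideloading pattern described under T1574.002 and in the HyperBro and SysUpdate entries above: a trusted signed binary loading an unsigned DLL from a non-standard, user-writable path. The events are constructed; the INISafeWebSSO executable name and the Sysmon-style signature fields are assumptions.

```python
"""Heuristic review of image-load events (Sysmon Event ID 7 style) for the
DLL sideloading pattern documented for HyperBro and SysUpdate (added example)."""
from dataclasses import dataclass
import ntpath

# Signed host binaries the profile documents as sideloading vehicles.
# The INISafeWebSSO executable name is an assumption; the page names only the product.
ABUSED_HOSTS = {"gdfinstall.exe", "inisafewebsso.exe"}
# Payload DLL name from the 2023 Budworm campaign.
KNOWN_PAYLOAD_DLLS = {"inicore_v2.3.30.dll"}
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ImageLoad:
    image: str           # process that performed the load
    image_loaded: str    # DLL that was mapped into it
    loader_signed: bool  # signature state of the process image (assumed field)
    dll_signed: bool     # signature state of the loaded DLL (assumed field)

def score(ev: ImageLoad):
    """Return (severity, reason); severity is 'none' when nothing matches."""
    loader = ntpath.basename(ev.image).lower()
    dll = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower() + "\\"
    if dll in KNOWN_PAYLOAD_DLLS:
        return "high", f"known SysUpdate payload {dll} loaded by {loader}"
    from_trusted = dll_dir.startswith(TRUSTED_ROOTS)
    from_writable = any(hint in dll_dir for hint in WRITABLE_HINTS)
    if loader in ABUSED_HOSTS and not from_trusted:
        # A documented sideload host running outside a normal install location.
        return "high", f"sideload host {loader} loaded {dll} from {dll_dir}"
    if ev.loader_signed and not ev.dll_signed and from_writable:
        return "medium", f"signed {loader} loaded unsigned {dll} from user-writable path"
    return "none", ""

def triage(events):
    """Keep only events that scored, as (severity, reason) pairs."""
    hits = []
    for ev in events:
        severity, reason = score(ev)
        if severity != "none":
            hits.append((severity, reason))
    return hits
SAMPLE = [  # constructed events, not real telemetry
    ImageLoad(r"C:\Users\Public\Music\inisafewebsso.exe", r"C:\Users\Public\Music\inicore_v2.3.30.dll", True, False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\kernel32.dll", True, True),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\cache\helper.dll", True, False),
]
```

The medium rule is deliberately broad; in a real deployment it belongs behind an allowlist of known installer and updater behaviour rather than an immediate alert.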

Indicators of Compromise

Select publicly disclosed IOCs from documented campaigns. Currency is not guaranteed — validate against live intel feeds before operational use.

Warning: IOCs may be stale or burned after public disclosure. Cross-reference with live threat intel feeds before blocking.

  • Domain: update.updatemicfosoft[.]com (ToolShell C2 — shared infrastructure, also linked to Storm-2603)
  • File: spinstall0.aspx (ToolShell web shell — deployed to SharePoint LAYOUTS directory)
  • File: inicore_v2.3.30.dll (SysUpdate backdoor variant — 2023 Budworm campaigns)
  • User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (HyperBro C2 beacon)
  • C2 URI: /api/v2/ajax (HyperBro C2 — POST on port 443)

Mitigation & Defense

Organizations in Linen Typhoon's target profile — government, defense, technology, and critical infrastructure — should treat this group as a persistent, adaptive adversary capable of maintaining long-term undetected access.

  • Patch Internet-Facing Systems Immediately: The group consistently exploits known vulnerabilities in exposed services — SharePoint, Exchange, VPN appliances, and enterprise software — often within days of disclosure. Prioritize rapid patching of all internet-facing assets and apply Microsoft's ToolShell remediation guidance including ASP.NET machine key rotation.
  • Rotate SharePoint Machine Keys: For any organization that ran unpatched SharePoint servers during the ToolShell exposure window (July 2025), machine keys must be rotated even after patching. Stolen MachineKey material can be used to forge authentication tokens and maintain access independently of the original vulnerability.
  • Monitor for DLL Sideloading: Deploy endpoint detection for DLL sideloading patterns — particularly abuse of trusted binaries loading unexpected DLLs from non-standard paths. Linen Typhoon consistently uses this technique to load HyperBro and SysUpdate.
  • Web Shell Detection: Monitor SharePoint LAYOUTS directories and Exchange OWA paths for unexpected ASPX files. Alert on unexpected POST activity to /api/v2/ajax or ToolPane endpoints from external IPs.
  • Credential Hygiene and MFA: Enforce multi-factor authentication across all remote access and privileged accounts. The group extensively harvests credentials for lateral movement — reducing the value of stolen credentials limits post-compromise reach.
  • Network Segmentation and Egress Control: Restrict outbound connectivity from servers to known-good destinations. The group uses tunneling tools (Chisel, IOX) to route data through unusual protocols — anomalous SSH-over-HTTP or DNS-based egress should trigger alerts.
  • Threat Intelligence Integration: Subscribe to live threat intel feeds tracking APT27 IOCs. Many of this group's tools (HyperBro C2 patterns, SysUpdate signatures) have well-documented detection signatures across major EDR and SIEM platforms.
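The following added example (not part of this profile) turns the web shell, ToolPane, and egress checks above into detection logic over constructed HTTP records: IIS-style server records catch spinstall0.aspx and ToolPane requests, while proxy-style egress records catch the HyperBro beacon and the published C2 domain. The record layout, the internal address ranges, and the sample records are assumptions.

```python
"""Detection checks for the ToolShell web shell, ToolPane requests and the
HyperBro C2 beacon, over constructed HTTP records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HYPERBRO_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
HYPERBRO_URI = "/api/v2/ajax"
# Published defanged; refang only inside the matcher, never in the stored feed.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("update.updatemicfosoft[.]com",)}
# Assumed internal ranges; adjust to the environment.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class HttpRecord:
    source: str      # "iis" = inbound server log, "proxy" = outbound egress log
    method: str
    host: str        # server name (iis) or destination host (proxy)
    path: str
    user_agent: str  # IIS writes spaces as '+'; normalised in classify()
    peer: str        # client IP (iis) or destination IP (proxy)

def _external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def classify(r: HttpRecord):
    """Return a finding label, or None when the record matches no rule."""
    path = r.path.split("?", 1)[0].lower()
    ua = r.user_agent.replace("+", " ")
    if r.source == "iis":
        if "/_layouts/" in path and path.endswith("/spinstall0.aspx"):
            return "toolshell-webshell: spinstall0.aspx under LAYOUTS"
        if r.method == "POST" and path.endswith("/toolpane.aspx") and _external(r.peer):
            return "toolshell-exploit: external POST to ToolPane"
    elif r.source == "proxy":
        if r.host.lower() in C2_DOMAINS:
            return "known-c2: " + r.host
        if r.method == "POST" and path == HYPERBRO_URI and ua == HYPERBRO_UA:
            return "hyperbro-beacon: POST /api/v2/ajax with HyperBro user-agent"
    return None

def scan(records):
    """Findings as (source, path, label) for every record that matched."""
    return [(r.source, r.path, hit) for r in records if (hit := classify(r))]
SAMPLE = [  # constructed records, not real telemetry
    HttpRecord("iis", "POST", "sp.corp.example", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit", "python-requests/2.32", "203.0.113.7"),
    HttpRecord("iis", "GET", "sp.corp.example", "/_layouts/15/spinstall0.aspx", "Mozilla/5.0", "203.0.113.7"),
    HttpRecord("iis", "GET", "sp.corp.example", "/sites/hr/default.aspx", "Mozilla/5.0", "10.0.4.12"),
    HttpRecord("proxy", "POST", "cdn.example.net", "/api/v2/ajax", "Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36", "198.51.100.9"),
    HttpRecord("proxy", "POST", "cdn.example.net", "/api/v2/ajax", "Mozilla/5.0+(X11;+Linux)", "198.51.100.9"),
]
```

The beacon rule requires both the URI and the user-agent because /api/v2/ajax on its own is a plausible path for legitimate applications.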

Analyst Note

Linen Typhoon demonstrates exceptional operational patience. Documented intrusion dwell times range from months to years before active exfiltration begins. Organizations that detect and remediate initial access should assume the possibility of redundant backdoors and conduct thorough forensic review — not just patch and move on. The DOJ indictment also confirmed that stolen data was brokered for sale beyond direct MSS/MPS customers, meaning Linen Typhoon intrusions may have secondary beneficiaries beyond the primary intelligence mission.

Sources & Further Reading

Attribution and references used to build this profile.
