
Security researchers from Microsoft discovered that a China-based APT group focused on espionage has targeted organizations in Taiwan.
The group, tracked as Flax Typhoon, has been active since mid-2021, and Microsoft expressed significant concern about the potential for further impact on its customers. The group conducts espionage and maintains access to organizations across a broad range of industries for as long as possible.
Its activity has been observed in North America, Southeast Asia, and Africa, but its current focus is organizations in Taiwan.
Microsoft’s decision to share its research on Flax Typhoon comes amid an increase in tensions between China and the West over Taiwan’s future, along with an apparent escalation of Chinese cyberespionage activities in the South China Sea.
Earlier this year, another new China-based APT group, Volt Typhoon, appeared to be targeting critical infrastructure organizations in Guam – the location of the closest U.S. military base to Taiwan – and elsewhere in the United States.
Flax Typhoon uses minimal malware, primarily relying on living-off-the-land techniques, such as using tools built into the target’s operating system, and hands-on-keyboard activity to gain and maintain long-term access to Taiwanese victim networks.
Initial access
Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers. The services targeted vary, but include VPN, web, Java, and SQL applications. The payload in these exploits is a web shell, such as China Chopper, which allows for remote code execution on the compromised server.
Privilege escalation
In cases where the process compromised via web shell does not have local administrator privileges, Flax Typhoon downloads and runs a piece of malware that exploits one or more known vulnerabilities to obtain local system privileges. Microsoft has observed the actor use Juicy Potato, BadPotato, and other open-source tools to exploit these vulnerabilities.
Persistence
Once Flax Typhoon can access Windows Management Instrumentation command-line (WMIC), PowerShell, or the Windows Terminal with local administrator privileges, the actor establishes a long-term method of accessing the compromised system using the remote desktop protocol (RDP). To accomplish this, the actor disables network-level authentication (NLA) for RDP, replaces the Sticky Keys binary, and establishes a VPN connection.
Command and control
To deploy the VPN connection, Flax Typhoon downloads an executable file for SoftEther VPN from its network infrastructure. The actor downloads the tool using one of several LOLBins, then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This allows the actor to monitor the availability of the compromised system and establish an RDP connection.
Microsoft has observed Flax Typhoon routing network traffic to other targeted systems through the SoftEther VPN bridge installed on compromised systems. This network traffic includes network scanning, vulnerability scanning, and exploitation attempts.
Flax Typhoon also enumerates restore points used by System Restore. Restore points contain data about the Windows operating system that the system owner can use to revert changes to the system if it becomes inoperable, rather than a backup of user data. Flax Typhoon could use this information to better understand the compromised system or as a template for removing indicators of malicious activity.
Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
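The following host audit, added here as an example and not taken from Microsoft's report, checks a Windows machine for the three persistence artifacts described above: NLA disabled on RDP, a tampered or hijacked Sticky Keys binary, and a service whose binary path points at SoftEther VPN. The IFEO registry path and the SoftEther file names (vpnbridge, vpnserver, vpnclient) are assumptions, not values from this page.

```powershell
# Added example: audit one host for the Flax Typhoon RDP persistence chain. Run elevated.
# Assumptions (not from the page): the IFEO key as the file-less way to hijack sethc.exe,
# and the SoftEther component names used in the service-path pattern.

function Test-RdpNlaEnabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $val = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # 1 = NLA required; 0 or missing means RDP accepts sessions before the user authenticates
    [pscustomobject]@{ Check = 'RDP NLA'; Ok = ($val -eq 1); Detail = "UserAuthentication=$val" }
}

function Test-StickyKeysIntegrity {
    $sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
    # A replaced binary loses its Microsoft signature (catalog-signed on a clean host)
    $sig   = Get-AuthenticodeSignature -FilePath $sethc
    $sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    # Assumption: the same effect is reached without touching the file via an IFEO Debugger entry
    $ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $dbg   = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    [pscustomobject]@{
        Check  = 'Sticky Keys binary'
        Ok     = $sigOk -and [string]::IsNullOrEmpty($dbg)
        Detail = "signature=$($sig.Status); IFEO Debugger=$dbg"
    }
}

function Test-SoftEtherService {
    # Services registered through SCM whose image path references SoftEther (names assumed)
    $pattern = 'softether|vpnbridge|vpnserver|vpnclient'
    $hits = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern })
    [pscustomobject]@{
        Check  = 'SoftEther VPN service'
        Ok     = ($hits.Count -eq 0)
        Detail = ($hits | ForEach-Object { "$($_.Name): $($_.PathName)" }) -join '; '
    }
}

$results = @(
    Test-RdpNlaEnabled
    Test-StickyKeysIntegrity
    Test-SoftEtherService
)
$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or EDR script flag the host for follow-up
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Each check returns an object with an Ok flag so the script can be run fleet-wide and the Detail column reviewed only on hosts that fail.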
Indicators of Compromise