Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

Researchers believe that this time instead of cyber espionage, Chinese threat actors may have opted for more complex information ops.


  • Microsoft has identified a Chinese government-backed APT group called Flax Typhoon.
  • The group has been targeting Taiwanese organizations since mid-2021.
  • Flax Typhoon does not rely heavily on malware to maintain persistence on the targeted networks.
  • Instead, the group uses tools built into the operating system and some benign software.
  • The group’s goal is to conduct cyber espionage and maintain access to organizations across a broad range of industries.

Microsoft has not observed Flax Typhoon act on final objectives in this campaign, but the group’s activities could pose a threat to businesses outside Taiwan.

Microsoft Threat Intelligence Team has shared exclusive details of a newly detected Chinese government-backed Advanced Persistent Threat (APT) group Flax Typhoon’s activities. The group (aka Ethereal Panda) has been installing a network of long-term, persistent infections across Taiwanese organizations. 

It is worth noting that the group doesn’t rely too much on malware to retain persistence on the targeted networks but uses tools built into the operating system with some benign software for this purpose.

Moreover, researchers observed that the group uses the access to carry out many different activities apart from espionage, which means it is an information-gathering campaign active since mid-2021.

“Flax Typhoon’s discovery and credential access activities do not appear to enable further data-collection and exfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intents to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”


So far, dozens of organizations across a wide range of sectors/industries have been targeted in this campaign, indicating that this could be an extensive cyber espionage activity.

However, Microsoft believes its scope may not be limited to Taiwanese businesses in the near future. The group uses legit tools and utilities built into the Windows OS (e.g. LOLbins) for its stealthy operations, which it can reuse to target organizations outside Taiwan.  

Researchers revealed that companies may easily fall into the trap of Flax Typhoon because it uses commonplace techniques that may be overlooked by organizations. 

In its report, the tech giant noted that This APT group focuses on persistence, credential access, and lateral movement. Detecting and mitigating this threat is challenging because compromised accounts might be modified or closed, and infected systems will be isolated.

Companies/entities in the government, education, IT, and manufacturing sectors across Southeast Asia, Africa, and North America have been the targets of Flax Typhoon’s previous campaigns. 

The group prefers using the China Chopper web shell, Bad Potato and Juicy Potato privilege escalation tools, Metasploit, Mimikatz, SoftEther virtual private network (VPN) client and specializes in exploiting known vulnerabilities in publicly accessible servers and targets a range of services, including VPN, web, Java, and SQL applications.

After gaining initial access, the group uses command-line tools for establishing persistence and then deploys a VPN connection to the attacker’s C2 infrastructure. Lastly, it steals credentials and scans for further vulnerabilities using VPN access.

Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage
Flax Typhoon attack chain (Microsoft)

This isn’t the first time China has targeted Taiwan, which it considers a renegade province. The country has launched espionage and DDoS attacks against the country in the past. This time, China might want access to sensitive data as well as maintain access to organizations across the broadest range of industries.

Microsoft has notified targeted/impacted customers and is helping them secure their systems.

  1. Microsoft warns of Nobelium hackers using FoggyWeb backdoor
  2. New Phishing Attack Spoofs Microsoft 365 Authentication System
  3. Reply URL Flaw Allowed Unauthorized MS Power Platform API Access
Related Posts