Flax Typhoon is the name Microsoft Threat Intelligence assigned in August 2023 to a cyber-espionage actor it assessed with high confidence to be based in the People's Republic of China and operating on behalf of the Chinese state. The group has been active since at least mid-2021 and has primarily targeted government agencies, education, critical manufacturing, and information technology organizations in Taiwan, though Microsoft also observed victims in Southeast Asia, North America, and Africa.
Flax Typhoon is notable for its tradecraft rather than novel malware. Microsoft's August 2023 report described the group's heavy reliance on living-off-the-land techniques: abusing built-in Windows tools such as Windows Management Instrumentation (WMI), PowerShell, and the Windows Remote Management (WinRM) service to maintain persistence, while using legitimate remote-access utilities like SoftEther VPN to tunnel traffic. Initial access typically came through exploitation of known vulnerabilities in public-facing servers (VPN, web, Java, and SQL applications). The group deployed the China Chopper web shell and used Mimikatz for credential theft, but largely avoided custom implants, making detection harder.
In September 2024, the U.S. Department of Justice, FBI, and Cybersecurity and Infrastructure Security Agency (CISA) announced a court-authorized operation that disrupted a botnet of more than 200,000 compromised consumer devices — routers, IP cameras, NVRs, and other IoT hardware — that they attributed to Flax Typhoon. U.S. officials linked the botnet's operation to Integrity Technology Group, a Beijing-based company, and the Treasury Department's OFAC later sanctioned that firm in January 2025. FBI Director Christopher Wray described the takedown at the Aspen Cyber Summit.
For MUN and policy researchers, Flax Typhoon is frequently cited alongside Volt Typhoon as evidence of PRC-linked pre-positioning in critical infrastructure and is referenced in debates over IoT security standards, cross-border cyber norms, and Taiwan Strait tensions.
Example
In September 2024, the U.S. Justice Department announced it had disrupted a botnet of roughly 260,000 IoT devices operated by Flax Typhoon and linked to the Beijing-based Integrity Technology Group.
Frequently asked questions
Microsoft Threat Intelligence publicly identified and named the group in an August 24, 2023 report, under its weather-themed naming convention for nation-state actors (Typhoon = China-affiliated).
Keep learning