Microsoft identifies Flax Typhoon as a China-based state actor targeting Taiwanese organizations for espionage. The group emphasizes long-term access with minimal malware, relying instead on built-in OS tools and legitimate software to persist quietly in networks. Microsoft publishes the observed techniques to raise awareness and help defenders across the security community. #FlaxTyphoon #ChinaChopper #SoftEther #Mimikatz #JuicyPotato #Taiwan
Key points
- Flax Typhoon is a China-based threat actor focused on espionage against Taiwanese organizations and some targets in Southeast Asia, North America, and Africa.
- Initial access is achieved by exploiting known vulnerabilities on public-facing servers and deploying web shells such as China Chopper.
- Privilege escalation frequently uses Juicy Potato, BadPotato, and other open-source tools to gain local administrator privileges.
- Persistence relies on RDP with NLA disabled, Sticky Keys abuse, registry changes, and a VPN bridge to actor-controlled infrastructure.
- Command and control is established via a SoftEther VPN bridge, often launched through LOLBins and renamed to blend with legitimate processes.
- Credential access centers on Mimikatz dumping LSASS and SAM stores, with discovery of restore points to understand the system and remove indicators.
- Microsoft provides mitigation guidance focused on patching public-facing services, MFA, LSASS hardening, EDR, and monitoring for LOLBin usage and registry changes.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers. “The services targeted vary, but include VPN, web, Java, and SQL applications.”
- [T1505.003] Web Shell – The payload in these exploits is a web shell, such as China Chopper, which allows for remote code execution on the compromised server. “The payload in these exploits is a web shell, such as China Chopper.”
- [T1068] Privilege Escalation – The actor uses Juicy Potato, BadPotato, and other open-source tools to exploit local vulnerabilities and gain local administrator privileges. “the actor uses Juicy Potato, BadPotato, and other open-source tools to exploit these vulnerabilities.”
- [T1112] Modify Registry – The actor changes a registry key that specifies the location of sethc.exe and disables NLA. “changes a registry key that specifies the location of sethc.exe.”
- [T1036] Masquerading – The actor renames the executable file from vpnbridge.exe to conhost.exe or dllhost.exe. “renames the executable file from vpnbridge.exe to conhost.exe or dllhost.exe.”
- [T1021.006] Windows Remote Management – Lateral movement using WinRM and WMIC to access other systems on the compromised network. “Some organizations may use WinRM and WMIC.”
- [T1003] Credential Dumping – Mimikatz dumps LSASS memory and SAM registry hive to obtain credentials. “Mimikatz, a publicly available malware that can automatically dump these stores…”
- [T1082] System Information Discovery – Enumerates restore points used by System Restore to understand the system and remove indicators of activity. “Enumerates restore points used by System Restore.”
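A small detection routine for the registry changes (T1112) and renamed-binary masquerading (T1036) described in the key points and technique list above; this is an added example, not Microsoft's code. The registry key paths and the System32 location are assumptions based on standard Windows layout (the page names the techniques but not the keys), and the telemetry records are constructed.

```python
import ntpath

# Registry locations these techniques touch: well-known Windows paths supplied
# here as assumptions, since the page names the technique but not the key.
IFEO_SETHC = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
              r"\Image File Execution Options\sethc.exe")
RDP_TCP = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
SYSTEM32 = r"c:\windows\system32"
MASQUERADE_NAMES = {"conhost.exe", "dllhost.exe"}  # names vpnbridge.exe is renamed to

def check_registry_event(ev):
    """Return a finding for a registry value-set event, or None if benign."""
    key, name = ev["key"].lower(), ev["value_name"].lower()
    if key == IFEO_SETHC.lower() and name == "debugger":
        return f"T1112: sethc.exe IFEO Debugger set to {ev['data']} (Sticky Keys abuse)"
    if key == RDP_TCP.lower() and name == "userauthentication" and str(ev["data"]) == "0":
        return "T1112: RDP Network Level Authentication disabled (UserAuthentication=0)"
    return None

def check_process_event(ev):
    """Flag conhost.exe or dllhost.exe started from anywhere but System32."""
    base, folder = ntpath.basename(ev["image"]), ntpath.dirname(ev["image"])
    if base.lower() in MASQUERADE_NAMES and folder.lower() != SYSTEM32:
        return f"T1036: {base} launched from {folder}"
    return None

def scan(events):
    """Run the matching check over each telemetry record and collect findings."""
    findings = []
    for ev in events:
        hit = check_registry_event(ev) if ev["type"] == "registry" else check_process_event(ev)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry (not real IoCs): two malicious registry writes, one
# benign write, a legitimate conhost.exe, and two renamed binaries.
SAMPLE_EVENTS = [
    {"type": "registry", "key": IFEO_SETHC, "value_name": "Debugger",
     "data": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry", "key": RDP_TCP, "value_name": "UserAuthentication", "data": 0},
    {"type": "registry", "key": RDP_TCP, "value_name": "PortNumber", "data": 3389},
    {"type": "process", "image": r"C:\Windows\System32\conhost.exe"},
    {"type": "process", "image": r"C:\ProgramData\conhost.exe"},
    {"type": "process", "image": r"C:\Users\Public\dllhost.exe"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

Real deployments would feed Sysmon or EDR registry and process-creation events into these checks; the path comparison deliberately ignores case because Windows paths are case-insensitive.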
Indicators of Compromise
- [IP Address] Flax Typhoon network infrastructure – 101.33.205.106, 39.98.208.61, and 11 more IPs
- [Domain] VPN/SoftEther-related domains – vpn437972693.sednc.cn, asljkdqhkhasdq.softether.net, and 2 more domains
- [TLS fingerprint] TLS certificates used by VPN servers – 7992c0a816246b287d991c4ecf68f2d32e4bca18, 5437d0195c31bf7cedc9d90b8cb0074272bc55df, and 2 more fingerprints
- [File] VPN-related binaries and names used for persistence – vpnbridge.exe, conhost.exe, and 2 more files (e.g., dllhost.exe)