{
	"id": "9a47a76c-d311-4c82-b6f7-ed0d07a5908e",
	"created_at": "2026-04-06T00:15:17.307617Z",
	"updated_at": "2026-04-10T03:34:27.915971Z",
	"deleted_at": null,
	"sha1_hash": "afe5f7586724e910d78e496524789a9a9bd47398",
	"title": "Flax Typhoon - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56936,
	"plain_text": "Flax Typhoon - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:38:26 UTC\r\n APT group: Flax Typhoon\r\nNames\r\nFlax Typhoon (Microsoft)\r\nEthereal Panda (CrowdStrike)\r\nRedJuliett (Recorded Future)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2021\r\nDescription\r\n(Microsoft) Flax Typhoon has been active since mid-2021 and has targeted\r\ngovernment agencies and education, critical manufacturing, and information\r\ntechnology organizations in Taiwan. Some victims have also been observed\r\nelsewhere in Southeast Asia, as well as in North America and Africa. Flax Typhoon\r\nfocuses on persistence, lateral movement, and credential access. As with any\r\nobserved nation-state actor activity, Microsoft has directly notified targeted or\r\ncompromised customers, providing them with important information needed to\r\nsecure their environments.\r\nFlax Typhoon is known to use the China Chopper web shell, Metasploit, Juicy\r\nPotato privilege escalation tool, Mimikatz, and SoftEther virtual private network\r\n(VPN) client. However, Flax Typhoon primarily relies on living-off-the-land\r\ntechniques and hands-on-keyboard activity. Flax Typhoon achieves initial access by\r\nexploiting known vulnerabilities in public-facing servers and deploying web shells\r\nlike China Chopper. Following initial access, Flax Typhoon uses command-line tools\r\nto first establish persistent access over the remote desktop protocol, then deploy a\r\nVPN connection to actor-controlled network infrastructure, and finally collect\r\ncredentials from compromised systems. Flax Typhoon further uses this VPN access\r\nto scan for vulnerabilities on targeted systems and organizations from the\r\ncompromised systems.\r\nObserved\r\nSectors: Education, Government, IT, Manufacturing.\r\nCountries: Djibouti, Hong Kong, Kenya, Laos, Malaysia, Philippines, Rwanda,\r\nSouth Korea, Taiwan, USA.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=653faab6-7686-4258-82ce-691c8c539a8b\r\nPage 1 of 2\n\nTools used\nChina Chopper, BadPotato, JuicyPotato, Metasploit, Mimikatz, SoftEther VPN,\nLiving off the Land.\nOperations performed\nMid 2023\nDerailing the Raptor Train\nNov 2023\nChinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber\nEspionage via Network Perimeter Exploitation\nInformation\nLast change to this card: 22 February 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=653faab6-7686-4258-82ce-691c8c539a8b\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=653faab6-7686-4258-82ce-691c8c539a8b\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=653faab6-7686-4258-82ce-691c8c539a8b"
	],
	"report_names": [
		"showcard.cgi?u=653faab6-7686-4258-82ce-691c8c539a8b"
	],
	"threat_actors": [
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fc3a00d5-40df-4a7b-a2da-a24004fb0cac",
			"created_at": "2024-06-25T02:00:05.042784Z",
			"updated_at": "2026-04-10T02:00:03.660396Z",
			"deleted_at": null,
			"main_name": "RedJuliett",
			"aliases": [],
			"source_name": "MISPGALAXY:RedJuliett",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda",
				"Flax Typhoon"
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afe5f7586724e910d78e496524789a9a9bd47398.pdf",
		"text": "https://archive.orkl.eu/afe5f7586724e910d78e496524789a9a9bd47398.txt",
		"img": "https://archive.orkl.eu/afe5f7586724e910d78e496524789a9a9bd47398.jpg"
	}
}