{
	"id": "bdd43baa-070f-4608-af62-f51375156a92",
	"created_at": "2026-04-06T00:10:14.487545Z",
	"updated_at": "2026-04-10T13:11:51.803544Z",
	"deleted_at": null,
	"sha1_hash": "e9ff5391cb38a671dfff535da32fd10a37257170",
	"title": "Treasury Sanctions Technology Company for Support to Malicious Cyber Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41671,
	"plain_text": "Treasury Sanctions Technology Company for Support to Malicious\r\nCyber Group\r\nPublished: 2026-02-13 · Archived: 2026-04-05 17:58:08 UTC\r\nWASHINGTON – Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned\r\nIntegrity Technology Group, Incorporated (Integrity Tech), a Beijing-based cybersecurity company, for its role\r\nin multiple computer intrusion incidents against U.S. victims. These incidents have been publicly attributed to\r\nFlax Typhoon, a Chinese malicious state-sponsored cyber group that has been active since at least 2021, often\r\ntargeting organizations within U.S. critical infrastructure sectors. \r\nChinese malicious cyber actors continue to be one of the most active and most persistent threats to U.S. national\r\nsecurity, as highlighted in the most recent Office of the Director of National Intelligence Annual Threat\r\nAssessment. These actors continue to target U.S. government systems as part of their efforts, including the recent\r\ntargeting of Treasury’s own IT infrastructure.\r\n“The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their\r\nactions,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. 
Smith.\r\n“The United States will use all available tools to disrupt these threats as we continue working collaboratively to\r\nharden public and private sector cyber defenses.”\r\nOn September 18, 2024, the Federal Bureau of Investigation, in coordination with the Cyber National Mission\r\nForce, National Security Agency, and Five Eye partners, published a joint cybersecurity advisory, that highlights\r\nthe tactics, techniques, and procedures of Flax Typhoon, as well as Integrity Tech’s role in supporting its malicious\r\ncyber activities.\r\nFLAX TYPHOON: A STATE-SPONSORED MALICIOUS CYBER GROUP\r\nFlax Typhoon is a state-sponsored Chinese malicious cyber group that has been active since at least 2021,\r\ntargeting organizations within U.S. critical infrastructure sectors. Flax Typhoon has compromised computer\r\nnetworks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan. Flax Typhoon\r\nexploits publicly known vulnerabilities to gain initial access to victims’ computers and then leverages legitimate\r\nremote access software to maintain persistent control over their network. Flax Typhoon has targeted victims\r\nwithin a wide range of industries. \r\nBetween summer 2022 and fall 2023, Flax Typhoon actors accessed several hosts associated with U.S. and\r\nEuropean entities. The actors maliciously used virtual private network software and remote desktop protocols to\r\nfacilitate this access. In summer 2023, Flax Typhoon compromised multiple servers and workstations at a\r\nCalifornia-based entity. \r\nINTEGRITY TECH SUPPORT TO FLAX TYPHOON\r\nBetween summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their\r\ncomputer network exploitation activities against multiple victims. 
During that time, Flax Typhoon routinely sent\r\nand received information from Integrity Tech infrastructure.\r\nOFAC is designating Integrity Tech pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for\r\nbeing responsible for or complicit in, or having engaged in, directly or indirectly cyber-enabled activities\r\noriginating from, or directed by persons located, in whole or in substantial part, outside the United States that are\r\nreasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign\r\npolicy, or economic health or financial stability of the United States and that have the purpose or effect of\r\nharming, or otherwise significantly compromising the provision of services by, a computer or network of\r\ncomputers that support one or more entities in a critical infrastructure sector. \r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated entity described above that are\r\nin the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In\r\naddition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by\r\none or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC,\r\nor exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the\r\nUnited States that involve any property or interests in property of designated or otherwise blocked persons. 
\r\nIn addition, financial institutions and other persons that engage in certain transactions or activities with the\r\nsanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.\r\nThe prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the\r\nbenefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from\r\nany such person. \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The\r\nultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information\r\nconcerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s\r\nFrequently Asked Question 897 here. For detailed information on the process to submit a request for removal from\r\nan OFAC sanctions list, please click here.\r\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2769",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2769"
	],
	"report_names": [
		"jy2769"
	],
	"threat_actors": [
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9ff5391cb38a671dfff535da32fd10a37257170.pdf",
		"text": "https://archive.orkl.eu/e9ff5391cb38a671dfff535da32fd10a37257170.txt",
		"img": "https://archive.orkl.eu/e9ff5391cb38a671dfff535da32fd10a37257170.jpg"
	}
}