{
	"id": "2561077f-c760-43ac-8320-91f0b1df44c7",
	"created_at": "2026-04-06T00:21:23.357969Z",
	"updated_at": "2026-04-10T13:11:21.554094Z",
	"deleted_at": null,
	"sha1_hash": "f4bbeb07fbee225d3e8281e9cf41f592cf708def",
	"title": "Flax Typhoon using legitimate software to quietly access Taiwanese organizations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579120,
	"plain_text": "Flax Typhoon using legitimate software to quietly access Taiwanese\r\norganizations | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-08-24 · Archived: 2026-04-05 16:35:28 UTC\r\nSummary\r\nMicrosoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting\r\ndozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and\r\nmaintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools\r\nbuilt into the operating system, along with some normally benign software to quietly remain in these networks.\r\nMicrosoft has not observed Flax Typhoon using this access to conduct additional actions. This blog aims to raise\r\nawareness of the techniques used by this threat actor and inform better defenses to protect against future attacks.\r\nMicrosoft has observed a distinctive pattern of malicious activity almost exclusively affecting organizations in\r\nTaiwan using techniques that could be easily reused in other operations outside the region and would benefit from\r\nbroader industry visibility. Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL\r\nPANDA), a nation-state actor based out of China. Flax Typhoon’s observed behavior suggests that the threat actor\r\nintends to perform espionage and maintain access to organizations across a broad range of industries for as long as\r\npossible. However, Microsoft has not observed Flax Typhoon act on final objectives in this campaign. Microsoft is\r\nchoosing to highlight this Flax Typhoon activity at this time because of our significant concern around the\r\npotential for further impact to our customers. 
Although our visibility into these threats has given us the ability to\r\ndeploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to\r\ndrive broader community awareness to further investigations and protections across the security ecosystem.\r\nIn this blog post, we share information on Flax Typhoon, the current campaign targeting Taiwan, and the actor’s\r\ntactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid\r\naccounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging.\r\nCompromised accounts must be closed or changed. Compromised systems must be isolated and investigated. At\r\nthe end of this blog post, we share more mitigation steps and best practices, as well as provide details on how\r\nMicrosoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy\r\nattacks.\r\nWho is Flax Typhoon?\r\nFlax Typhoon has been active since mid-2021 and has targeted government agencies and education, critical\r\nmanufacturing, and information technology organizations in Taiwan. Some victims have also been observed\r\nelsewhere in Southeast Asia, as well as in North America and Africa. Flax Typhoon focuses on persistence, lateral\r\nmovement, and credential access. As with any observed nation-state actor activity, Microsoft has directly notified\r\nhttps://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/\r\nPage 1 of 11\n\ntargeted or compromised customers, providing them with important information needed to secure their\r\nenvironments.\r\nFlax Typhoon is known to use the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool,\r\nMimikatz, and SoftEther virtual private network (VPN) client. 
However, Flax Typhoon primarily relies on living-off-the-land techniques and hands-on-keyboard activity. Flax Typhoon achieves initial access by exploiting known\r\nvulnerabilities in public-facing servers and deploying web shells like China Chopper. Following initial access,\r\nFlax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then\r\ndeploy a VPN connection to actor-controlled network infrastructure, and finally collect credentials from\r\ncompromised systems. Flax Typhoon further uses this VPN access to scan for vulnerabilities on targeted systems\r\nand organizations from the compromised systems.\r\nFigure 1. Flax Typhoon attack chain\r\nAnalysis of current campaign\r\nInitial access\r\nFlax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers. The services\r\ntargeted vary, but include VPN, web, Java, and SQL applications. The payload in these exploits is a web shell,\r\nsuch as China Chopper, which allows for remote code execution on the compromised server.\r\nPrivilege escalation\r\nIn cases where the process compromised via web shell does not have local administrator privileges, Flax Typhoon\r\ndownloads and runs a piece of malware that exploits one or more known vulnerabilities to obtain local system\r\nprivileges. Microsoft has observed the actor use Juicy Potato, BadPotato, and other open-source tools to exploit\r\nthese vulnerabilities.\r\nPersistence\r\nOnce Flax Typhoon can access Windows Management Instrumentation command-line (WMIC), PowerShell, or\r\nthe Windows Terminal with local administrator privileges, the actor establishes a long-term method of accessing\r\nthe compromised system using the remote desktop protocol (RDP). 
To accomplish this, the actor disables\r\nnetwork-level authentication (NLA) for RDP, replaces the Sticky Keys binary, and establishes a VPN connection.\r\nWhen using RDP, NLA requires the connecting user to authenticate to the remote system before a full remote\r\nsession is established and the Windows sign-in screen is displayed. When NLA is disabled, any user attempting to\r\naccess the remote system can interact with the Windows sign-in screen before authenticating, which can expose\r\nthe remote system to malicious actions by the connecting user. Flax Typhoon changes a registry key to disable\r\nNLA, allowing them to access the Windows sign-in screen without authenticating, whereupon the actor will use\r\nthe Sticky Keys shortcut.\r\nFigure 2. Flax Typhoon command disabling NLA\r\nSticky Keys is an accessibility feature in Windows that allows users to press modifier keys (such as Shift, Ctrl,\r\nAlt) one at a time instead of simultaneously. It includes a shortcut where the user can press the Shift key five times\r\nin succession to launch sethc.exe, the program that manages Sticky Keys. The user can invoke this shortcut at any\r\ntime, including at the sign-in screen. To take advantage of this feature, Flax Typhoon changes a registry key that\r\nspecifies the location of sethc.exe. The actor adds arguments that cause the Windows Task Manager to be launched\r\nas a debugger for sethc.exe. As a result, when the actor uses the Sticky Keys shortcut on the Windows sign-in\r\nscreen, Task Manager launches with local system privileges.\r\nFigure 3. Flax Typhoon command altering Sticky Keys behavior\r\nAt this stage, Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges. 
From there, the actor can launch the Terminal,\r\ncreate memory dumps, and take nearly any other action on the compromised system. The only issue the actor\r\nfaces with this persistence method is that RDP is most likely running on an internal-facing network interface. Flax\r\nTyphoon’s solution is to install a legitimate VPN bridge to automatically connect to actor-controlled network\r\ninfrastructure.\r\nCommand and control\r\nTo deploy the VPN connection, Flax Typhoon downloads an executable file for SoftEther VPN from their network\r\ninfrastructure. The actor downloads the tool using one of several LOLBins, such as the PowerShell Invoke-WebRequest utility, certutil, or bitsadmin. Flax Typhoon then uses the Service Control Manager (SCM) to create a\r\nWindows service that launches the VPN connection automatically when the system starts. This could allow the\r\nactor to monitor the availability of the compromised system and establish an RDP connection.\r\nFigure 4. Flax Typhoon command downloading a SoftEther VPN executable\r\nFigure 5. Flax Typhoon command creating a service to launch the VPN connection\r\nFlax Typhoon takes several precautions with their VPN connection to make it harder to identify. First, the actor\r\nuses a legitimate VPN application that could be found in enterprise environments. As a result, the file itself is\r\nalmost certain to go undetected by antivirus products. Second, the actor almost always renames the executable file\r\nfrom vpnbridge.exe to conhost.exe or dllhost.exe. These names imitate the legitimate Windows components\r\nConsole Window Host Process and Component Object Model Surrogate respectively. 
Third, the actor uses\r\nSoftEther’s VPN-over-HTTPS operation mode, which uses protocol tunneling to encapsulate Ethernet packets into\r\ncompliant HTTPS packets and transmit them to TCP port 443. This makes the VPN connection very difficult to\r\ndifferentiate from legitimate HTTPS traffic, which most network security appliances would not block.\r\nIn cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, the\r\nactor uses LOLBins, including Windows Remote Management (WinRM) and WMIC.\r\nMicrosoft has observed Flax Typhoon routing network traffic to other targeted systems through the SoftEther VPN\r\nbridge installed on compromised systems. This network traffic includes network scanning, vulnerability scanning,\r\nand exploitation attempts.\r\nCredential access\r\nOnce Flax Typhoon becomes established on the target system, Microsoft observes the actor conducting credential\r\naccess activities using common tools and techniques. Most commonly, Flax Typhoon targets the Local Security\r\nAuthority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive.\r\nBoth stores contain hashed passwords for users signed into the local system. Flax Typhoon frequently deploys\r\nMimikatz, a publicly available malware that can automatically dump these stores when improperly secured. The\r\nresulting password hashes can be cracked offline or used in pass-the-hash (PtH) attacks to access other resources\r\non the compromised network.\r\nFlax Typhoon also enumerates restore points used by System Restore. Restore points contain data about the\r\nWindows operating system that the system owner can use to revert changes to the system if it becomes inoperable,\r\nrather than a backup of user data. 
Flax Typhoon could use this information to better understand the compromised\r\nsystem or as a template for removing indicators of malicious activity.\r\nThis pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence. Flax\r\nTyphoon’s discovery and credential access activities do not appear to enable further data-collection and\r\nexfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intends to perform espionage\r\nand maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this\r\ncampaign.\r\nMitigation and protection guidance\r\nDefending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly\r\non systems and services exposed to the public internet. The credential access techniques used can also be\r\nmitigated with proper system hardening.\r\nWhat to do now if you’re affected\r\nAffected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools\r\nand C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious\r\npurposes.\r\nInvestigating suspected compromised accounts or affected systems\r\nFind LSASS and SAM dumping to identify affected accounts.\r\nExamine the activity of compromised accounts for any malicious actions or exposed data.\r\nClose or change credentials for all compromised accounts. 
Depending on the level of activity, many\r\naccounts may be affected.\r\nAffected systems should be isolated and forensically examined for artifacts of malicious activity.\r\nBecause Flax Typhoon alters the configuration of the operating system to produce malicious behavior,\r\naffected systems may need to be decommissioned or restored to a known-good configuration.\r\nDefending against Flax Typhoon attacks\r\nKeep public-facing servers up to date to defend against malicious activity. As prime targets for threat\r\nactors, public-facing servers need additional monitoring and security. User input validation, file integrity\r\nmonitoring, behavioral monitoring, and web application firewalls can all help to better secure these servers.\r\nMonitor the Windows registry for unauthorized changes. The Audit Registry feature allows administrators\r\nto generate events when specific registry keys are modified. Such policies can detect registry changes that\r\nundermine the security of a system, like those made by Flax Typhoon.\r\nUse network monitoring and intrusion detection systems to identify unusual or unauthorized network\r\ntraffic. If an organization does not use RDP for a specific business purpose, any RDP traffic should be\r\nconsidered unauthorized and generate alerts.\r\nEnsure that Windows systems are kept updated with the latest security patches, including MS16-075.\r\nMitigate the risk of compromised valid accounts by enforcing strong multifactor authentication (MFA)\r\npolicies using hardware security keys or Microsoft Authenticator. 
Passwordless sign-in methods (for\r\nexample, Windows Hello, FIDO2 security keys, or Microsoft Authenticator), password expiration rules,\r\nand deactivating unused accounts can also help mitigate risk from this access method.\r\nRandomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS)\r\nto prevent lateral movement using local accounts with shared passwords.\r\nReduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to\r\nblock or audit some observed activity associated with this threat:\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe).\r\nBlock process creations originating from PsExec and WMI commands. Some organizations may\r\nexperience compatibility issues with this rule on certain server systems but should deploy it to other\r\nsystems to prevent lateral movement originating from PsExec and WMI.\r\nHarden the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11\r\ndevices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. 
In\r\naddition, enable Windows Defender Credential Guard, which is also turned on by default for organizations\r\nusing the Enterprise edition of Windows 11, as well as Memory integrity (also referred to as hypervisor-protected code integrity or HVCI) for stronger protections on Windows.\r\nSet the WDigest UseLogonCredential registry value via Group Policy Object to reduce the risk of\r\nsuccessful LSASS process memory dumping.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker\r\ntools, techniques, and behaviors such as those exhibited by Flax Typhoon.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nblock malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when\r\nMicrosoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to\r\nremediate malicious artifacts that are detected post-compromise.\r\nDetection details and hunting queries\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nHackTool:Win32/Mimikatz\r\nTrojan:Win32/Swrort\r\nHackTool:Win32/Badcastle\r\nBehavior:Win32/CobaltStrike\r\nBackdoor:ASP/Chopper\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might indicate threat activity related to this threat. 
Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nMalicious credential theft tool execution detected\r\nSuspicious access to LSASS service\r\nUse of LOLBin to run malicious code\r\nSystem file masquerade\r\nHunting queries\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\r\nNetwork activity with Flax Typhoon network infrastructure\r\nlet ipAddressTimes = datatable(ip: string, startDate: datetime, endDate: datetime)\r\n[\r\n\"101.33.205.106\", datetime(\"2022-11-07\"), datetime(\"2022-11-08\"),\r\n\"39.98.208.61\", datetime(\"2023-07-28\"), datetime(\"2023-08-12\"),\r\n\"45.195.149.224\", datetime(\"2023-01-04\"), datetime(\"2023-03-29\"),\r\n\"122.10.89.230\", datetime(\"2023-01-12\"), datetime(\"2023-01-13\"),\r\n\"45.204.1.248\", datetime(\"2023-02-23\"), datetime(\"2023-05-09\"),\r\n\"45.204.1.247\", datetime(\"2023-07-24\"), datetime(\"2023-08-10\"),\r\n\"45.88.192.118\", datetime(\"2022-11-07\"), datetime(\"2022-11-08\"),\r\n\"154.19.187.92\", datetime(\"2022-12-01\"), datetime(\"2022-12-02\"),\r\n\"134.122.188.20\", datetime(\"2023-06-13\"), datetime(\"2023-06-20\"),\r\n\"104.238.149.146\", datetime(\"2023-07-13\"), datetime(\"2023-07-14\"),\r\n\"139.180.158.51\", datetime(\"2022-08-30\"), datetime(\"2023-07-27\"),\r\n\"137.220.36.87\", datetime(\"2023-02-23\"), datetime(\"2023-08-04\"),\r\n\"192.253.235.107\", datetime(\"2023-06-06\"), datetime(\"2023-06-07\")\r\n];\r\nlet RemoteIPFiltered = DeviceNetworkEvents\r\n| join kind=inner (ipAddressTimes) on $left.RemoteIP == $right.ip\r\n| where Timestamp between (startDate .. 
endDate);\r\nlet LocalIPFiltered = DeviceNetworkEvents\r\n| join kind=inner (ipAddressTimes) on $left.LocalIP == $right.ip\r\n| where Timestamp between (startDate .. endDate);\r\nunion RemoteIPFiltered, LocalIPFiltered\r\nSoftEther VPN bridge launched by SQL Server process\r\nDeviceProcessEvents\r\n| where ProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or ProcessVersionInfoFileDescription ==\r\n\"SoftEther VPN\"\r\n| where InitiatingProcessParentFileName == \"sqlservr.exe\"\r\nSoftEther VPN bridge renamed to “conhost.exe” or “dllhost.exe”\r\nDeviceProcessEvents\r\n| where ProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or ProcessVersionInfoFileDescription ==\r\n\"SoftEther VPN\"\r\n| where ProcessCommandLine has_any (\"conhost.exe\", \"dllhost.exe\") or FolderPath has_any (\"mssql\",\r\n\"conhost.exe\", \"dllhost.exe\")\r\nCertutil launched by SQL Server process\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"certutil\", \"-urlcache\")\r\n| where InitiatingProcessFileName has_any (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\",\r\n\"launchpad.exe\", \"sqldumper.exe\")\r\nFile downloaded by MSSQLSERVER account using certutil\r\nDeviceFileEvents\r\n| where InitiatingProcessAccountName == \"MSSQLSERVER\"\r\n| where InitiatingProcessFileName == \"certutil.exe\"\r\nFile renamed to “conhost.exe” or “dllhost.exe”, downloaded using certutil\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName == \"certutil.exe\"\r\n| where FileName in (\"conhost.exe\", \"dllhost.exe\")\r\nNetwork connection made by SoftEther VPN bridge renamed to “conhost.exe” or “dllhost.exe”\r\nDeviceNetworkEvents\r\n| where InitiatingProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or\r\nInitiatingProcessVersionInfoProductName == \"SoftEther VPN\"\r\n| where InitiatingProcessFileName == 
\"conhost.exe\"\r\nNetwork connection made by MSSQLSERVER account, using SoftEther VPN bridge\r\nDeviceNetworkEvents\r\n| where InitiatingProcessVersionInfoOriginalFileName == \"vpnbridge.exe\" or\r\nInitiatingProcessVersionInfoProductName == \"SoftEther VPN\"\r\n| where InitiatingProcessAccountName == \"MSSQLSERVER\"\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on\r\nthe Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the\r\npost-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\r\nPossible web shell drop\r\nWeb shell activity\r\nPotential local privilege escalation\r\nAnomalous RDP activity\r\nAccessibility features modification\r\nCertutil-LOLBins\r\nBitsadmin activity\r\nSuspected LSASS dump\r\nCredential dumping service installation\r\nIndicators of compromise\r\nIn addition to compromised SOHO devices and compromised devices used for traffic proxying, Flax Typhoon\r\nmaintains actor-controlled network infrastructure, including virtual private servers (VPS). 
Over the course of the\r\ncampaign, the IP addresses listed in the table below were used during the corresponding timeframes.\r\nIP address First seen Last seen Description\r\n101.33.205[.]106 2022-11-07 2022-11-07 Flax Typhoon network infrastructure\r\n39.98.208[.]61 2023-07-28 2023-08-11 Flax Typhoon network infrastructure\r\n45.195.149[.]224 2023-01-04 2023-03-28 Flax Typhoon network infrastructure\r\n122.10.89[.]230 2023-01-12 2023-01-12 Flax Typhoon network infrastructure\r\n45.204.1[.]248 2023-02-23 2023-05-09 Flax Typhoon network infrastructure\r\n45.204.1[.]247 2023-07-24 2023-08-09 Flax Typhoon network infrastructure\r\n45.88.192[.]118 2022-11-07 2022-11-07 Flax Typhoon network infrastructure\r\n154.19.187[.]92 2022-12-01 2022-12-01 Flax Typhoon network infrastructure\r\n134.122.188[.]20 2023-06-13 2023-06-19 Flax Typhoon network infrastructure\r\n104.238.149[.]146 2023-07-13 2023-07-13 Flax Typhoon network infrastructure\r\n139.180.158[.]51 2022-08-30 2023-07-26 Flax Typhoon network infrastructure\r\n192.253.235[.]107 2023-06-06 2023-06-06 Flax Typhoon network infrastructure\r\nFlax Typhoon hosts its SoftEther VPN servers on its own network infrastructure. Because the servers use the\r\nHTTPS protocol to disguise network traffic, they must present TLS certificates. 
Flax Typhoon used the certificates\r\nlisted in the table below on these VPN servers.\r\nSHA-1 TLS fingerprint Common name (CN)\r\n7992c0a816246b287d991c4ecf68f2d32e4bca18 vpn437972693.sednc[.]cn\r\n5437d0195c31bf7cedc9d90b8cb0074272bc55df asljkdqhkhasdq.softether[.]net\r\ncc1f0cdc131dfafd43f60ff0e6a6089cd03e92f1 vpn472462384.softether[.]net\r\n2c95b971aa47dc4d94a3c52db74a3de11d9ba658 softether\r\nReferences\r\nhttps://attack.mitre.org/techniques/T1190\r\nhttps://attack.mitre.org/techniques/T1505/003/\r\nhttps://attack.mitre.org/software/S0020/\r\nhttps://github.com/ohpe/juicy-potato\r\nhttps://github.com/BeichenDream/BadPotato\r\nhttps://attack.mitre.org/techniques/T1059\r\nhttps://attack.mitre.org/techniques/T1546/008/\r\nhttps://attack.mitre.org/techniques/T1105/\r\nhttps://github.com/SoftEtherVPN/SoftEtherVPN_Stable\r\nhttps://attack.mitre.org/techniques/T1543/003\r\nhttps://attack.mitre.org/techniques/T1036/005/\r\nhttps://github.com/SoftEtherVPN/SoftEtherVPN_Stable/blob/master/WARNING.TXT\r\nhttps://attack.mitre.org/techniques/T1572/\r\nhttps://attack.mitre.org/techniques/T1003/001/\r\nhttps://attack.mitre.org/techniques/T1003/002/\r\nhttps://attack.mitre.org/techniques/T1550/002/\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us\r\nat https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"
	],
	"report_names": [
		"flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations"
	],
	"threat_actors": [
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4bbeb07fbee225d3e8281e9cf41f592cf708def.pdf",
		"text": "https://archive.orkl.eu/f4bbeb07fbee225d3e8281e9cf41f592cf708def.txt",
		"img": "https://archive.orkl.eu/f4bbeb07fbee225d3e8281e9cf41f592cf708def.jpg"
	}
}