Flax Typhoon (Ethereal Panda / RedJuliett / Storm-0919 / UNC5007 / Taifa Typhoon) is a Chinese state-sponsored cyber-espionage actor active since at least mid-2021, formally attributed to Integrity Technology Group (Integrity Tech), a Beijing-based PRC commercial cybersecurity company sanctioned by US Treasury OFAC on January 3, 2025 for its role in Flax Typhoon intrusions. The September 18, 2024 FBI/NSA/CNMF/Five Eyes joint cybersecurity advisory AA24-262A established the Integrity Tech attribution, and an unsealed FBI affidavit documented that Integrity Tech is 'responsible, at least in part, for the computer intrusion activities collectively attributed to Flax Typhoon.' This makes Flax Typhoon one of the most clearly attributed PRC-state-aligned clusters in the public corpus: a named commercial contractor operating under PRC state tasking, paralleling the MSS commercial-contractor model revealed by the i-SOON leak.

Flax Typhoon's distinguishing operational characteristic is the Raptor Train botnet, one of the largest and most persistent state-aligned botnets ever publicly documented. Active since mid-2021, Raptor Train grew from approximately 60,000 compromised devices in 2023 to over 260,000 by mid-2024. It was built primarily from compromised SOHO routers, IP cameras, DVRs, network-attached storage, other IoT devices, and firewalls, enrolled by exploiting 66 known CVEs in public-facing devices and applications, including Log4Shell, Apache ActiveMQ, Citrix NetScaler, Ivanti Sentry and Endpoint Manager, and ServiceNow. Raptor Train serves as Flax Typhoon's operational relay box (ORB) network: low-cost, low-risk, deniable infrastructure that routes intrusion traffic through compromised devices around the world, so a victim sees connections from a residential router or camera rather than from actor-controlled hosting. The FBI court-authorized takedown announced on September 18, 2024 disabled the botnet's primary C2 infrastructure, remotely removed the malware from compromised devices, and seized the w8510.com C2 domain; the advisory documents the 1.2-million-record MySQL botnet-management database behind that domain and the Sparrow botnet-management application developed by Integrity Tech. After the January 2024 disruption of Volt Typhoon's KV botnet, this was the second court-authorized takedown of a PRC-state-aligned ORB network, and by far the largest.

Primary intrusion targeting consistently emphasizes Taiwan (government agencies, education, critical manufacturing, information technology, telecommunications, academia, and diplomatic entities), aligned with PRC cross-strait intelligence priorities.
Hong Kong, Southeast Asia (Philippines, Vietnam, Thailand, Malaysia, Indonesia, Singapore), North America, and Africa form secondary targeting regions. The Raptor Train botnet's compromised devices themselves have a global footprint, with victim devices observed in North America, South America, Europe, Africa, Southeast Asia, and Australia; the location of a botnet node says nothing about who the actor is ultimately targeting through it.

Tradecraft hallmarks distinguish Flax Typhoon from other PRC clusters:
(a) extreme reliance on living-off-the-land binaries (LOLBins) and legitimate software, with minimal custom malware. Microsoft characterized this as 'using legitimate software to quietly access' victim organizations.
(b) signature use of SoftEther VPN as the C2 channel. The actor renames vpnbridge.exe to conhost.exe or dllhost.exe to masquerade as a legitimate Windows component, then uses SoftEther's VPN-over-HTTPS mode to encapsulate Ethernet frames in standards-compliant HTTPS on TCP port 443, which is extremely difficult to distinguish from legitimate HTTPS on the wire. Practical detection therefore rests on the host rather than on network signatures: a conhost.exe or dllhost.exe running from outside System32, or whose PE version resource does not match the Microsoft original.
(c) initial access primarily through exploitation of public-facing servers and appliances rather than spear-phishing, drawing on the same pool of 66 known CVEs documented in Zafran tracking.
(d) heavy credential dumping from LSASS memory and the SAM hive via Mimikatz, followed by Pass-the-Hash lateral movement.
(e) China Chopper web shells for persistence.
(f) Windows Remote Management (WinRM) and WMIC for living-off-the-land lateral movement.
(g) MS16-075, a 2016 Windows local privilege-escalation flaw, leveraged for privilege escalation on hosts that remain exposed to it.
(h) the ORB / botnet operational relay infrastructure as the defining distinguishing capability.

Note on PRC cluster boundaries: Flax Typhoon's targeting profile (Taiwan-focused intelligence collection) operationally complements but is distinct from Volt Typhoon (US critical-infrastructure pre-positioning), Salt Typhoon (US telecom and CALEA lawful-intercept compromise), and Gallium (global telecom CDR collection). Together these clusters form the modern Chinese state-actor ORB-network and telecom-and-pre-positioning operational ecosystem documented by Microsoft's Typhoon taxonomy and the multiple FBI/NSA/CNMF joint advisories of 2023-2025.
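Turning hallmarks (b) and (f) above into a host-side check, as an added example that is not part of the original write-up or of any vendor's detection content: the Python below scans Sysmon Event ID 1 (process creation) records for a conhost.exe or dllhost.exe that is not the Microsoft original, for WMIC remote process creation, and for shells spawned under a WinRM provider host. The sample events are constructed; the version-resource strings (Company, Product, OriginalFileName) on the renamed SoftEther binary are assumed values for illustration, and the rules do not depend on their exact text.

```python
"""Detection sketch for two Flax Typhoon hallmarks over Sysmon Event ID 1
(process creation) records: a SoftEther VPN binary masquerading as a Windows
component, and WinRM/WMIC-driven lateral movement.
Added example; sample events below are constructed, not real telemetry."""
import json
from pathlib import PureWindowsPath

# Windows binaries the actor is reported to impersonate, and the only
# directories in which the genuine ones live on a default install.
MASQUERADE_NAMES = {"conhost.exe", "dllhost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Parent processes that indicate a remote WinRM session executed the child.
WINRM_HOSTS = {"wsmprovhost.exe", "winrs.exe"}


def masquerade_findings(ev):
    """Flag a conhost.exe/dllhost.exe that is not the Microsoft original.

    Sysmon's OriginalFileName comes from the PE version resource, which an
    on-disk rename does not change, so a renamed vpnbridge.exe still reports
    its real name. The path check catches copies dropped outside System32.
    """
    path = PureWindowsPath(ev["Image"])
    name = path.name.lower()
    if name not in MASQUERADE_NAMES:
        return []
    findings = []
    if str(path.parent).lower() not in SYSTEM_DIRS:
        findings.append("masquerade:non-system-path")
    orig = ev.get("OriginalFileName", "").lower()
    if orig and orig != name:
        findings.append("masquerade:originalfilename-mismatch")
    # Assumed: SoftEther's version resource names the project (illustrative).
    if "softether" in (ev.get("Company", "") + ev.get("Product", "")).lower():
        findings.append("masquerade:softether-metadata")
    return findings


def lateral_findings(ev):
    """Flag WMIC remote execution and children of a WinRM provider host."""
    findings = []
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    cmd = ev.get("CommandLine", "").lower()
    if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        findings.append("lateral:wmic-remote-process-create")
    if parent in WINRM_HOSTS and image in {"cmd.exe", "powershell.exe"}:
        findings.append("lateral:winrm-spawned-shell")
    return findings


def scan(events):
    """Return (Image, finding) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for f in masquerade_findings(ev) + lateral_findings(ev):
            hits.append((ev["Image"], f))
    return hits


# Constructed sample telemetry using Sysmon Event ID 1 field names (JSON lines).
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"Image":"C:\\Windows\\System32\\conhost.exe","OriginalFileName":"CONHOST.EXE","Company":"Microsoft Corporation","Product":"Microsoft Windows Operating System","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0x4"}
{"Image":"C:\\ProgramData\\conhost.exe","OriginalFileName":"vpnbridge.exe","Company":"SoftEther VPN Project","Product":"SoftEther VPN","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"C:\\ProgramData\\conhost.exe /start"}
{"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","OriginalFileName":"wmic.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wmic /node:10.0.0.7 process call create \"cmd.exe /c whoami\""}
{"Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","CommandLine":"cmd.exe /c net user"}
'''.strip().splitlines()]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:40} {image}")
```

The genuine conhost.exe in the first record trips nothing; the renamed SoftEther bridge in the second trips all three masquerade rules. The WinRM rule keys on the parent process because wsmprovhost.exe only ever runs to host a remote session, which makes a cmd.exe or powershell.exe child a far tighter signal than any command-line pattern.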