Flax Typhoon Group Abusing Built-in Operating System Tools to Deploy Malware

With the rapid evolution of technology, the threat actors, along with their attacks, are also getting more sophisticated and evolving at an increasing pace, posing a growing threat to vital infrastructure and sensitive data.

The organizations that are based in Taiwan have been actively targeted with a set of techniques under a new campaign in which unusual attack patterns were detected recently by Microsoft, that could be applied globally across several sectors.

In a report shared with Cyber Security News, the cybersecurity analysts at Microsoft have linked this campaign to ‘Flax Typhoon,’ a Chinese nation-state actor that has links with ‘ETHEREAL PANDA.’

Besides this, it’s been asserted by the researchers that the objective of the threat actors behind this campaign is to achieve long-term espionage and access across various industries.

Since mid-2021, this Chinese nation-state actor, Flax Typhoon, has been active and targeted the following sectors in Taiwan:-

  • Government agencies
  • Education organizations
  • Critical manufacturing organizations
  • Information technology organizations

However, apart from Taiwan, this group has also targeted the victims from the following regions:-

  • Southeast Asia
  • North America
  • Africa

Tools Used

Here below, we have mentioned all the tools that are found to be used by the Flax Typhoon:-

Attack Chain

With the deployment of the China Chopper web shell and the exploitation of the known vulnerabilities present in the public-facing servers, the Flax Typhoon operators gain initial access.

Once the initial access is achieved, the operators seek to establish long-lasting RDP control by deploying the following things to gather compromised system credentials:-

Attack chain (Source – Microsoft)

Besides the above-mentioned tools, it’s been observed that Flax Typhoon primarily relies on living-off-the-land techniques and hands-on-keyboard activity.

After breaching with admin privileges via WMIC, PowerShell, or Windows Terminal, Flax Typhoon evades NLA, swaps Sticky Keys, and VPN links to the compromised system, ensuring long-term access.

Command disabling NLA (Source – Microsoft)

Flax Typhoon exploits Sticky Keys by tweaking registry keys, making Task Manager launch with system privileges when they use the shortcut on the sign-in screen.

Next, it fetches the SoftEther VPN via sneaky tools like Invoke-WebRequest, renames it to mimic legit Windows components (conhost.exe), and disguises it within VPN-over-HTTPS. This makes RDP connections hard to spot, which is aided by WinRM and WMIC for lateral movement.

Moreover, it’s been identified that after the infiltration, Flax Typhoon used typical methods to steal the credentials, mainly hitting up LSASS and SAM, where user hashes are stored.

With Mimikatz, they often extract these hashes, which are useful for offline cracking or pass-the-hash attacks on the network.


Here below we have mentioned all the recommendations:-

  • Make sure to keep the public-facing servers updated.
  • For unauthorized changes, always keep monitoring the Windows registry.
  • To detect unusual traffic and to keep your network safe, make sure to use network monitoring and intrusion detection systems.
  • Always keep Windows systems patched with the latest available security patches.
  • Reduce account risks with strong MFA policies.
  • Use LAPS to randomize Admin passwords to prevent lateral movement.
  • Enable cloud protection in Microsoft Defender for evolving threats like Flax Typhoon.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.