China Unleashes Flax Typhoon APT to Live Off the Land, Microsoft Warns

Published: 23/11/2024   Category: security




The cyber-espionage group has created a stealthy, hard-to-mitigate network of persistent access across a range of organizations, but the endgame is unclear.



A China-backed advanced persistent threat (APT) group dubbed Flax Typhoon has installed a web of persistent, long-term infections inside dozens of Taiwanese organizations, likely to carry out an extensive cyber espionage campaign — and it did it using only minimal amounts of malware.
According to Microsoft, the state-sponsored cyberattack group is living off the land for the most part, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent operation.
For now, most of the victims of Flax Typhoon are clustered in Taiwan, according to a warning on Flax Typhoon from Microsoft this week. The computing giant isn't divulging the scope of the attacks, but noted that enterprises beyond Taiwan should be on notice.
The campaign is using techniques that could be easily reused in other operations outside the region, it warned. And indeed, in the past, the nation-state threat has targeted a broad range of industries (including government agencies and education, critical manufacturing, and information technology) throughout Southeast Asia, as well as in North America and Africa.
The full scope of the infections' damage will be difficult to assess, given that detecting and mitigating this attack could be challenging, Microsoft warned. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated.
In contrast to many other APTs that excel at creating and evolving specific arsenals of custom cyberattack tools, Flax Typhoon prefers to take a less identifying route by using off-the-shelf malware and native Windows utilities (aka living off the land binaries, or LOLBins) that are harder to use for attribution.
Its infection routine in the latest spate of attacks observed by Microsoft is as follows:
Initial access: This is done by exploiting known vulnerabilities in public-facing VPN, Web, Java, and SQL applications to deploy the commodity China Chopper webshell, which allows for remote code execution on the compromised server.
Privilege escalation: If necessary, Flax Typhoon uses Juicy Potato, BadPotato, and other open source tools to exploit local privilege escalation vulnerabilities.
Establishing remote access: Flax Typhoon uses the Windows Management Instrumentation command-line (WMIC) (or PowerShell, or the Windows Terminal with local administrator privileges) to disable network-level authentication (NLA) for Remote Desktop Protocol (RDP). This allows Flax Typhoon to access the Windows sign-in screen without authenticating and, from there, use the Sticky Keys accessibility feature in Windows to launch Task Manager with local system privileges. The attackers then install a legitimate VPN bridge to automatically connect to actor-controlled network infrastructure.
Persistence: Flax Typhoon uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts, allowing the actor to monitor the availability of the compromised system and establish an RDP connection.
Lateral movement: To access other systems on the compromised network, the actor uses other LOLBins, including Windows Remote Management (WinRM) and WMIC, to perform network and vulnerability scanning.
Credential access: Flax Typhoon frequently deploys Mimikatz to automatically dump hashed passwords for users signed into the local system. The resulting password hashes can be cracked offline or used in pass-the-hash (PtH) attacks to access other resources on the compromised network.
Interestingly, the APT appears to be biding its time when it comes to executing an endgame, though data exfiltration is the likely goal (rather than the potential kinetic outcomes Microsoft recently flagged for China-sponsored Volt Typhoon activity).
This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence, according to Microsoft's analysis. Flax Typhoon's discovery and credential-access activities do not appear to enable further data-collection and exfiltration objectives. While the actor's observed behavior suggests Flax Typhoon intends to perform espionage and maintain its network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.
In its post, Microsoft offered a series of steps to take if organizations are compromised and need to assess the scale of Flax Typhoon activity within their networks and remediate an infection. To avoid the situation entirely, organizations should make sure that all public-facing servers are patched and up to date, and have additional monitoring and security such as user input validation, file integrity monitoring, behavioral monitoring, and Web application firewalls.
Admins can also monitor the Windows registry for unauthorized changes; monitor for any RDP traffic that could be considered unauthorized; and harden account security with multifactor authentication and other precautions.
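As an added defensive check (not from the article or from Microsoft's post), the read-only PowerShell audit below looks for the host-level changes described in the remote-access and persistence steps above and in the registry-monitoring advice: NLA disabled on the RDP listener, an accessibility-feature hijack, and an auto-start service running from outside the usual system directories. It assumes the Sticky Keys abuse is implemented with an Image File Execution Options "Debugger" value (the article does not state the mechanism), and the service check is a heuristic that needs manual review.

```powershell
# Added defensive audit (not from the article or Microsoft's post). Read-only:
# it reports host-level changes matching the Flax Typhoon steps described above.
# Run from an elevated PowerShell session on the host being checked.
$findings = @()

# 1. NLA on the RDP listener. Disabling NLA through WMIC or PowerShell ends up as
#    UserAuthentication = 0 on the RDP-Tcp WinStation key.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue
if ($rdp -and $rdp.UserAuthentication -eq 0) {
    $findings += 'RDP listener has Network Level Authentication disabled'
}

# 2. Accessibility-feature hijack. Assumption (not stated in the article): the
#    Sticky Keys abuse is implemented with an Image File Execution Options
#    "Debugger" value, so any Debugger set for these binaries is suspicious.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBins = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
foreach ($bin in $accessibilityBins) {
    $entry = Get-ItemProperty -Path (Join-Path $ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue
    if ($entry -and $entry.Debugger) {
        $findings += "IFEO Debugger set for $bin -> $($entry.Debugger)"
    }
}

# 3. Auto-start services whose executable lives outside the Windows and Program
#    Files trees: a heuristic for an attacker-installed VPN bridge service created
#    through SCM. Review hits manually; legitimate software can trip this too.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$autoServices = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }
foreach ($svc in $autoServices) {
    $raw = $svc.PathName
    # The executable is either a quoted path ("C:\x y\z.exe" -arg) or the first token.
    if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($raw -split '\s+')[0] }
    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    if (-not $trusted) { $findings += "Auto-start service '$($svc.Name)' runs $exe" }
}

# Report
if ($findings.Count -eq 0) { 'No Flax Typhoon-style host changes found' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any hit from checks 1 or 2 on a host that should not have changed is worth treating as an incident, since neither setting moves on its own; hits from check 3 are leads to confirm against the software inventory.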
