Flax Typhoon

Description

Flax Typhoon is one of the most active APT groups, carrying out information theft and espionage activities in line with the interests of the Chinese government. While the group focuses on various industries, including government and academic sectors in Taiwan, its activities have been observed on a global scale. Ethereal Panda, Storm-0919, UNC5007 and Red Juliet are known aliases for Flax Typhoon.

Aliases

  • Red Juliet
  • Ethereal Panda
  • UNC5007
  • Storm-0919

Targeted Industries

  • Critical Manufacturing
  • Education
  • Government
  • Information Technology
  • Technology
  • Think Tank

Known Tools Used

  • BadPotato
  • bitsadmin
  • certutil
  • China Chopper
  • Juicy Potato
  • Mimikatz
  • PowerShell
  • RDP
  • SCM
  • SoftEther VPN
  • Windows Terminal
  • WinRM
  • WMIC
  • netsh
  • ntdsutil
  • Raptor Train botnet

References

Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers (USDOJ)
https://www.justice.gov/opa/pr/court-authorized-operation-disrupts-worldwide-botnet-used-peoples-republic-china-state

Flax Typhoon using legitimate software to quietly access Taiwanese organizations (Microsoft)
https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/

Treasury Sanctions Technology Company for Support to Malicious Cyber Group (U.S. Department of the Treasury)
https://home.treasury.gov/news/press-releases/jy2769

Active CVEs