Threat hunters at Microsoft have caught a Chinese government-backed APT actor hacking into organizations in Taiwan with minimal use of malware and maintaining stealthy persistence by abusing legitimate software tools.
The cyberespionage operation, tagged with the moniker Flax Typhoon, hacks into organizations by exploiting known vulnerabilities in public-facing servers and then using legitimate tools built into the Windows operating system and otherwise benign software to quietly remain in these networks.
“Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated,” Microsoft warned in a research note documenting the Flax Typhoon activities.
The Redmond, Wash. software giant said the hacking techniques could easily be reused in targeted attacks and urged defenders to hunt for signs of compromise and thoroughly remove malicious tools and C2 infrastructure. In addition, businesses in the crosshairs of APT actors should check logs for signs of compromised accounts that may have been used for malicious purposes.
“[The] observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible,” Microsoft warned, noting that the hacking group has been active since at least mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan.
The company said it saw victims elsewhere in Southeast Asia, as well as in North America and Africa.
Microsoft’s threat intelligence team published details on Flax Typhoon’s use of command-line tools to first establish persistent access over the remote desktop protocol, deployment of a VPN connection to actor-controlled network infrastructure, and siphoning of credentials from compromised systems.
In cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, Microsoft said it caught the APT group using LOLBins, including Windows Remote Management (WinRM) and WMIC.
Once persistence is established, Microsoft said the hackers start harvesting credentials using common tools and techniques, including the targeting of the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive.
Related: Iranian APTs Caught Exploiting PaperCut Vulnerability
Related: Microsoft Hack Exposed More Than Exchange, Outlook Emails
Related: Microsoft Bows to Pressure to Free Up Security Logs
Related: Microsoft Naming Threat Actors After Weather Events

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
- CrowdStrike to Acquire Application Intelligence Startup Bionic
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
