Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese-Backed APT ‘Flax Typhoon’ Hacks Taiwan With Minimal Malware Footprint

Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software.

China Hacks

Threat hunters at Microsoft have caught a Chinese government-backed APT actor hacking into organizations in Taiwan with minimal use of malware and maintaining stealthy persistence by abusing legitimate software tools.

The cyberespionage operation, tagged with the moniker Flax Typhoon, hacks into organizations by exploiting known vulnerabilities in public-facing servers and then using legitimate tools built into the Windows operating system and otherwise benign software to quietly remain in these networks. 

“Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated,” Microsoft warned in a research note documenting the Flax Typhoon activities.

The Redmond, Wash. software giant said the hacking techniques could easily be reused in targeted attacks and urged defenders to hunt for signs of compromise and thoroughly remove malicious tools and C2 infrastructure.  In addition, businesses in the crosshairs of APT actors should check logs for signs of compromised accounts that may have been used for malicious purposes.

“[The] observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible,” Microsoft warned,  noting that the hacking group has been active since at least mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan. 

The company said it saw victims elsewhere in Southeast Asia, as well as in North America and Africa. 

Microsoft’s threat intelligence team published details on Flax Typhoon’s use of command-line tools to first establish persistent access over the remote desktop protocol, deployment of a VPN connection to actor-controlled network infrastructure, and siphoning of credentials from compromised systems.  

In cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, Microsoft said it caught the APT group using LOLBins, including Windows Remote Management (WinRM) and WMIC.

Advertisement. Scroll to continue reading.

Once persistence is established, Microsoft said the hackers start harvesting credentials using common tools and techniques, including the targeting of the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive.

Related: Iranian APTs Caught Exploiting PaperCut Vulnerability

Related: Microsoft Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Bows to Pressure to Free Up Security Logs

Related: Microsoft Naming Threat Actors After Weather Events

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.