

Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group’s activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-08-25
  • Author: Michael Haag, Splunk
  • ID: 78fadce9-a07f-4508-8d14-9b20052a62cc


Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, the Juicy Potato privilege escalation tool, Mimikatz, and the SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the Remote Desktop Protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.


| Name | Technique | Type |
|------|-----------|------|
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Overwriting Accessibility Binaries | Event Triggered Execution, Accessibility Features | TTP |
| PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows SQL Spawning CertUtil | Ingress Tool Transfer | TTP |
| Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP |


Version: 1