
Flax Typhoon
China-state cyber actor operating Raptor Train botnet to compromise global critical infrastructure.
Last refreshed: 20 May 2026 · Appears in 1 active topic
If Flax Typhoon's IOC-extinction model is now shared with UAT-8616, how do defenders track an actor that leaves no persistent indicators?
Timeline for Flax Typhoon
UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesMentioned in: Norway joins the Salt Typhoon victim list
Cybersecurity: Threats and DefencesSixteen agencies put IOC extinction in print
Cybersecurity: Threats and DefencesWhat is Flax Typhoon and who does it target?
How does Flax Typhoon avoid detection?
What is the connection between Flax Typhoon and Integrity Technology Group?
Background
Flax Typhoon is a China-nexus state-aligned cyber espionage actor that has been tracked by Western intelligence services since at least 2021. The group targets government agencies, defence contractors, telecoms providers, and universities primarily in Taiwan, Southeast Asia, and the United States. Flax Typhoon's tradecraft blends legitimate remote-access tooling (VPNs, legitimate Windows utilities) with low-footprint persistence techniques designed to survive endpoint detection. Its operational pattern prioritises long-term access and intelligence collection over destructive payloads, consistent with PRC strategic intelligence priorities rather than sabotage.
Flax Typhoon is assessed by the FBI to have used Integrity Technology Group, a Beijing-based company sanctioned by OFAC in December 2025, as its primary infrastructure provider and operator. Through Integrity Technology Group, Flax Typhoon managed the Raptor Train botnet, a network of 200,000+ compromised SOHO routers, NAS devices, cameras, and firewalls first mapped publicly in 2024. Raptor Train served as the covert relay network that masked Flax Typhoon's operational traffic behind a distributed layer of infected edge devices, making attribution and blocking significantly harder for defenders.
A 16-agency joint advisory signed on 23 April 2026 formally named Flax Typhoon as the actor behind China-nexus covert networks targeting critical national infrastructure including energy, healthcare, transport, digital infrastructure, and government sectors. The advisory is the most comprehensive public attribution of Flax Typhoon to date, connecting the actor directly to Integrity Technology Group and Raptor Train with the institutional weight of agencies including NCSC, CISA, NSA, FBI, the Australian Signals Directorate, and their German, Dutch, Japanese, New Zealand, Spanish, and Swedish counterparts.
The advisory explicitly flagged IOC extinction as the defining defensive challenge posed by Flax Typhoon's infrastructure model: indicators of compromise disappear as fast as defenders publish them because the botnet cycles through infected end-of-life devices that cannot be patched and are quickly replaced. For UK and allied network defenders, this makes blocklist-based defences structurally insufficient against this actor, and the advisory recommendations pivot towards edge-device traffic baselining and dynamic threat-feed filtering instead.
Flax Typhoon's ORB infrastructure model has since been observed in adjacent actor activity. UAT-8616, confirmed exploiting Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) in May 2026, operates ORB relay infrastructure with assessed (but not formally attributed) overlap with the Flax Typhoon and Integrity Technology Group networks named in the April advisory. Whether UAT-8616 is a distinct actor, a sub-cluster, or an infrastructure sharer remains publicly unresolved. The structural overlap reinforces that the IOC-extinction model is not unique to Flax Typhoon's own operations but may be available to any actor with access to the same compromised-device pool.