
Integrity Technology Group
Beijing cybersecurity firm sanctioned by OFAC; named as operator of Raptor Train botnet for Flax Typhoon.
Last refreshed: 20 May 2026 · Appears in 1 active topic
How does a Beijing cybersecurity firm become the operational backbone of two Chinese state botnets?
Timeline for Integrity Technology Group
UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesOperated Raptor Train 200,000-device botnet and KV Botnet used by Volt Typhoon
Cybersecurity: Threats and Defences: Sixteen agencies put IOC extinction in printWhy was Integrity Technology Group sanctioned by the US?
What did Integrity Technology Group actually do for Chinese intelligence?
Is Integrity Technology Group a government company or private?
Background
Integrity Technology Group is a Beijing-based information security company formally identified by the FBI as the entity responsible for creating and operating the infrastructure used by Flax Typhoon to Conduct its global cyber espionage campaigns. The company was sanctioned by the US Office of Foreign Assets Control (OFAC) in December 2025 under executive authorities targeting China-linked cyber actors. The December sanctions were based on its role managing covert cyber infrastructure; they did not publicly name Raptor Train at that stage.
The 16-agency joint advisory of 23 April 2026 went further, publicly naming Integrity Technology Group as the controller of the Raptor Train botnet, which infected 200,000+ devices in 2024, and connecting it to the KV Botnet used by Volt Typhoon. This made Integrity Technology Group the first Chinese company to be publicly named by a 16-nation Coalition as both the corporate infrastructure provider and the operational manager of a state-directed botnet campaign. The advisory characterised the company as the organisational layer between PRC state direction and the technical botnet operation, effectively functioning as a contracted cyber-proxy.
Integrity Technology Group's infrastructure has since been connected to a second active campaign. The threat actor UAT-8616, confirmed exploiting Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) in May 2026, operates ORB infrastructure with documented overlap with Integrity Technology Group and Flax Typhoon networks. UAT-8616 attribution to Integrity Technology Group or the PRC state is not formal; the ORB overlap is assessed rather than confirmed. For the private-sector cybersecurity industry, Integrity Technology Group is the clearest documented example of how PRC-linked threat actors use nominally commercial companies to build and maintain covert infrastructure, creating plausible distance from direct state attribution. OFAC's sanctions mean Western firms and individuals are prohibited from transacting with the company, and financial institutions are required to block its assets.