Skip to content
You can now search across every topic, entity and event.What's new
Integrity Technology Group
OrganisationCN

Integrity Technology Group

Beijing cybersecurity firm sanctioned by OFAC; named as operator of Raptor Train botnet for Flax Typhoon.

Last refreshed: 20 May 2026 · Appears in 1 active topic

Key Question

How does a Beijing cybersecurity firm become the operational backbone of two Chinese state botnets?

Timeline for Integrity Technology Group

#414 May

UAT-8616 keeps Cisco SD-WAN under fire

Cybersecurity: Threats and Defences
#223 Apr

Operated Raptor Train 200,000-device botnet and KV Botnet used by Volt Typhoon

Cybersecurity: Threats and Defences: Sixteen agencies put IOC extinction in print
View full timeline →
Common Questions
Why was Integrity Technology Group sanctioned by the US?
OFAC sanctioned Integrity Technology Group in December 2025 because the FBI assessed it as responsible for creating and operating the cyber infrastructure used by Flax Typhoon, a China-state espionage actor. The company managed the Raptor Train botnet, which compromised over 200,000 devices globally. The April 2026 16-agency advisory added that it also controlled the KV Botnet used by Volt Typhoon.Source: OFAC / NCSC 16-agency advisory
What did Integrity Technology Group actually do for Chinese intelligence?
It built and managed two large botnets used by PRC-linked threat actors: Raptor Train (200,000+ compromised SOHO routers, cameras, and NAS devices, used by Flax Typhoon) and KV Botnet (Cisco and Netgear routers, used by Volt Typhoon). These botnets served as covert relay networks that masked the origin of Chinese state intrusion operations targeting Western critical infrastructure.Source: FBI / 16-agency advisory
Is Integrity Technology Group a government company or private?
Integrity Technology Group is nominally a private Beijing-based cybersecurity company. However, the FBI assessed it as directly responsible for Flax Typhoon's intrusion activities, and the 16-agency advisory characterises it as the operational layer between PRC state direction and the botnet infrastructure. OFAC's sanctions treat it as effectively acting on behalf of the Chinese state.Source: FBI / NCSC

Background

Integrity Technology Group is a Beijing-based information security company formally identified by the FBI as the entity responsible for creating and operating the infrastructure used by Flax Typhoon to Conduct its global cyber espionage campaigns. The company was sanctioned by the US Office of Foreign Assets Control (OFAC) in December 2025 under executive authorities targeting China-linked cyber actors. The December sanctions were based on its role managing covert cyber infrastructure; they did not publicly name Raptor Train at that stage.

The 16-agency joint advisory of 23 April 2026 went further, publicly naming Integrity Technology Group as the controller of the Raptor Train botnet, which infected 200,000+ devices in 2024, and connecting it to the KV Botnet used by Volt Typhoon. This made Integrity Technology Group the first Chinese company to be publicly named by a 16-nation Coalition as both the corporate infrastructure provider and the operational manager of a state-directed botnet campaign. The advisory characterised the company as the organisational layer between PRC state direction and the technical botnet operation, effectively functioning as a contracted cyber-proxy.

Integrity Technology Group's infrastructure has since been connected to a second active campaign. The threat actor UAT-8616, confirmed exploiting Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) in May 2026, operates ORB infrastructure with documented overlap with Integrity Technology Group and Flax Typhoon networks. UAT-8616 attribution to Integrity Technology Group or the PRC state is not formal; the ORB overlap is assessed rather than confirmed. For the private-sector cybersecurity industry, Integrity Technology Group is the clearest documented example of how PRC-linked threat actors use nominally commercial companies to build and maintain covert infrastructure, creating plausible distance from direct state attribution. OFAC's sanctions mean Western firms and individuals are prohibited from transacting with the company, and financial institutions are required to block its assets.

More questions
Is UAT-8616 linked to Integrity Technology Group?
UAT-8616's ORB infrastructure (a compromised-router relay network used to launder attacker traffic) has documented overlap with Integrity Technology Group and Flax Typhoon networks identified in the April 2026 16-agency advisory. The connection is assessed rather than formally attributed; a direct command relationship between UAT-8616 and Integrity Technology Group has not been publicly confirmed.Source: CISA ED 26-03
Source Material