Overview
Flax Typhoon is a state-sponsored threat group, assessed by Microsoft Threat Intelligence to be based in China, that has primarily targeted organizations in Taiwan, with some activity observed in other regions. The group relies on living-off-the-land (LotL) techniques and native Windows utilities rather than custom malware, which keeps its footprint small and makes its activity hard to separate from legitimate administration.
Tactics, Techniques, and Procedures (TTPs)
- T1059 - Command and Scripting Interpreter
- T1071.001 - Application Layer Protocol: Web Protocols
- T1021.002 - Remote Services: SMB/Windows Admin Shares
- T1027 - Obfuscated Files or Information
- T1087.002 - Account Discovery: Domain Account
This mapping can be viewed in the official MITRE ATT&CK Navigator.
Indicators of Compromise (IOCs)
No atomic indicators (file hashes, domains, IP addresses) are listed here; the entries below are behavioral indicators to hunt for in host and network telemetry.
- PsExec used for remote command execution (PsExec installs a service named PSEXESVC on the target, whose binary then runs as a child of services.exe)
- Valid, compromised accounts used for lateral movement instead of malware implants
- Connections to remote web services over HTTP/HTTPS for data exfiltration
- Persistence via registry Run keys and WMI permanent event subscriptions (filter, consumer and binding objects in the root\subscription namespace)
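The behaviors above are detectable from standard host telemetry. The following is an added example, not code from the original page or from Microsoft's reporting: a small hunt that classifies parsed Sysmon events (IDs 1, 13, 20, 21) and Windows System log service-install records (ID 7045) for PsExec use, Run-key persistence and WMI subscription persistence. The sample events are constructed, the field names follow Sysmon's and the System log's schemas, and the trusted-path allow-list is a placeholder assumption to be tuned per environment.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real events). Field names follow Sysmon
# (Event IDs 1, 13, 20, 21) and the System log's 7045 service-install record.
SAMPLE_EVENTS = [
    {"source": "System", "event_id": 7045, "host": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"source": "Sysmon", "event_id": 1, "host": "FS01",
     "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"source": "Sysmon", "event_id": 13, "host": "WS22",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\u.vbs"},
    {"source": "Sysmon", "event_id": 13, "host": "WS22",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"source": "Sysmon", "event_id": 20, "host": "DC01",
     "Name": "Updater", "Type": "CommandLine",
     "Destination": "powershell.exe -nop -w hidden -enc aQBlAHgA"},
    {"source": "Sysmon", "event_id": 21, "host": "DC01",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"source": "Sysmon", "event_id": 1, "host": "WS22",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"(powershell|cmd\.exe|wscript|cscript|mshta|rundll32)",
                            re.IGNORECASE)
# Hypothetical allow-list (assumption): Run values pointing into these
# directories are treated as ordinary software registrations.
TRUSTED_RUN_PATHS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")


def classify(event):
    """Return (tag, reason) when an event matches one of the behaviors, else None."""
    src, eid = event["source"], event["event_id"]
    if src == "System" and eid == 7045:
        # PsExec installs its PSEXESVC service on the target before running anything.
        if PSEXEC_RE.search(event.get("ServiceName", "") + event.get("ImagePath", "")):
            return "psexec", f"service {event['ServiceName']} installed ({event['ImagePath']})"
    elif src == "Sysmon" and eid == 1:
        if PSEXEC_RE.search(event.get("Image", "")):
            return "psexec", f"PsExec service binary ran: {event['Image']}"
    elif src == "Sysmon" and eid == 13:
        # Registry value set under a Run/RunOnce key, excluding allow-listed targets.
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_RE.search(target) and not details.startswith(TRUSTED_RUN_PATHS):
            return "run_key", f"{target} set to {details} by {event.get('Image')}"
    elif src == "Sysmon" and eid == 20:
        # A consumer that launches a script host is the classic WMI persistence
        # shape; report only those rather than every consumer creation.
        if SCRIPT_HOST_RE.search(event.get("Destination", "")):
            return "wmi_subscription", f"consumer {event.get('Name')} runs {event['Destination']}"
    elif src == "Sysmon" and eid == 21:
        # The filter-to-consumer binding is what makes a subscription live.
        return "wmi_subscription", f"binding {event.get('Filter')} -> {event.get('Consumer')}"
    return None


def hunt(events):
    """Run classify() over parsed events and return one alert dict per hit."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            tag, reason = hit
            alerts.append({"host": ev["host"], "tag": tag, "reason": reason})
    return alerts


def summarize(alerts):
    """Count alerts per behavior tag, returned as a plain dict."""
    return dict(Counter(a["tag"] for a in alerts))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['tag']:>16}] {a['host']}: {a['reason']}")
    print(summarize(found))
```

On the sample set this raises five alerts: the PSEXESVC install and execution on FS01, the Run value pointing at a script in C:\Users\Public on WS22, and the WMI consumer plus binding on DC01; the vendor Run value and the notepad launch are ignored. Since the group favors legitimate tooling, the allow-list and the script-host pattern are where false positives and misses will concentrate, so both should be reviewed against the environment's own administrative baseline.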
Attribution and Context
Flax Typhoon was publicly disclosed by Microsoft Threat Intelligence in August 2023, which associates its activity with long-term espionage campaigns. The group maintains access through built-in tools and legitimate accounts and prioritizes stealth and durable persistence over speed of exfiltration, so dwell times can be long and detection depends on spotting anomalous use of normal administrative tooling.
MITRE ATT&CK Navigator Layer
The technique mapping listed above is available as a Navigator layer: https://www.flaxtyphoon.com/flaxtyphoon_attack_layer.json