🇨🇳 Flax Typhoon
🇨🇳 Flax Typhoon is a tracked threat actor in the Clankerusecase corpus. Attributed to CN. Primary motivation: State. We map 11 detection use cases to this actor across 18 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2025-11-06 to 2025-11-06.
Critical articles: 1
Use cases: 11
Articles: 1
Techniques: 18
IOCs: 0
Known aliases
Flax Typhoon, Ethereal Panda
Top techniques
All other tracked techniques
T1021.002 · SMB/Windows Admin Shares
T1036.005 · Match Legitimate Resource Name or Location
T1059.001 · PowerShell
T1059.005 · Visual Basic
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1547.001 · Registry Run Keys / Startup Folder
T1555.003 · Credentials from Web Browsers
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1569.002 · Service Execution
T1574.002 · DLL Side-Loading
Detection use cases (11)
Flax Typhoon Sticky Keys / Accessibility Feature debugger hijack via IFEO registry
Flax Typhoon SoftEther VPN bridge persistence (vpnbridge / vpnserver / vpnclient)
Archive utility writing LNK/DLL/EXE to Windows Startup folder (RomCom CVE-2025-8088)
Python interpreter executed from %TEMP% / Public — RomCom DLL side-load chain (CVE-2025-8088)
Asset exposure — vulnerability matches article CVE(s)
Phishing-link click correlated to endpoint execution
Email attachment opened from external sender
Office app spawning script/LOLBin child process
Remote service execution — PsExec / SMB lateral movement
Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha)
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
Threat-intel articles (1)
crit · ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06
Tracked indicators
CVEs (2)
CVE-2024-42009
CVE-2025-8088