Flax Typhoon / Ethereal Panda

Flax Typhoon is a PRC state-sponsored threat group that has primarily targeted Taiwanese organizations across government, education, critical manufacturing, and IT sectors. The group has expanded operations to include IoT botnet development using compromised SOHO routers and network devices.

Attribute	Detail
Names	Flax Typhoon / Ethereal Panda
Attribution	PRC State-Sponsored
Active Since	2021
Primary Focus	Taiwan-focused espionage expanding to broader targets. IoT botnet operations via compromised SOHO routers.

Overview

Attribution

Flax Typhoon / Ethereal Panda is attributed to PRC State-Sponsored, active since at least 2021. Taiwan-focused espionage expanding to broader targets. IoT botnet operations via compromised SOHO routers.

Notable Campaigns

Taiwan government and education sector espionage campaigns (2021-present)
IoT botnet operations via compromised routers and cameras
Exploitation of VPN appliances and public-facing applications
Living-off-the-land techniques for persistence on victim networks

MITRE ATT&CK Mapping

Technique ID	Technique	Confidence
`T1190`	Exploit Public-Facing Application	High
`T1078`	Valid Accounts	High
`T1021`	Remote Services	High
`T1059`	Command and Scripting Interpreter	High
`T1105`	Ingress Tool Transfer	High

Detection & Defense

Recommended Defenses

Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for Flax Typhoon activity patterns.

Mjolnir Security — Threat Intelligence & Response

Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting Flax Typhoon TTPs in your environment.

Threat Hunting Incident Response Threat Intelligence SOC-as-a-Service

mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875