China-Linked Volt Typhoon and Flax Typhoon Use Stealthy Access in Critical Sectors
Microsoft and U.S. officials said China-linked threat groups Volt Typhoon and Flax Typhoon used living-off-the-land techniques and legitimate software to quietly compromise targets while minimizing detection. Volt Typhoon was tied to intrusions affecting U.S. critical infrastructure, with reporting describing the group as breaching networks through stealthy post-compromise activity rather than malware-heavy tradecraft. U.S. agencies later warned that the campaign appeared aimed at pre-positioning inside critical infrastructure for potential disruptive or destructive operations.
Microsoft separately reported that Flax Typhoon targeted organizations in Taiwan for cyber-espionage, relying on valid credentials, remote access tools, and other trusted utilities to maintain persistence and blend into normal network activity. Subsequent reporting and later tracking indicated that Volt Typhoon remained active against U.S. infrastructure, reinforcing concerns that Chinese state-linked operators are sustaining long-term access across strategically important environments while using native tools and legitimate software to evade defenders.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CybelAngel reports Volt Typhoon remains active in US critical infrastructure
A 2026 analysis said Volt Typhoon was still active in U.S. critical infrastructure, indicating the campaign had persisted beyond the initial 2023 disclosures. The report framed the threat as ongoing rather than historical, underscoring continued concern about long-term access and resilience risks.
CISA and FBI warn Volt Typhoon is pre-positioning for disruptive attacks
U.S. authorities warned that China-linked hackers associated with Volt Typhoon were pre-positioning in critical infrastructure networks to enable potential disruptive or destructive attacks during a future crisis. The warning marked an escalation from earlier public reporting focused primarily on stealthy access and espionage.
Additional reporting details Flax Typhoon tradecraft
Follow-on reporting summarized Microsoft's disclosure that Flax Typhoon used legitimate tools for cyber-espionage against Taiwanese organizations. The reports emphasized the actor's reliance on living-off-the-land techniques and legitimate remote access software to reduce visibility.
Microsoft reveals Flax Typhoon targeting Taiwanese organizations
Microsoft disclosed a separate China-linked espionage group, Flax Typhoon, describing its use of legitimate software and quiet access methods against organizations in Taiwan. The company said the actor focused on espionage and persistence while blending into normal administrative activity.
Public reporting amplifies Volt Typhoon breach details
Media reporting on the same day highlighted Microsoft's findings that Chinese hackers had breached U.S. critical infrastructure networks in stealthy attacks. The coverage reinforced that the campaign relied on built-in tools and compromised small office/home office network equipment to evade detection.
Microsoft discloses Volt Typhoon intrusions into US critical infrastructure
Microsoft reported that the China-linked threat actor Volt Typhoon had targeted U.S. critical infrastructure organizations and used living-off-the-land techniques to maintain stealthy access. The activity was described as focused on espionage and persistence across sectors including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Volt Typhoon 2026: Still Active in US Critical Infrastructure
cybelangel.com
Open sourceCISA, FBI warn of China-linked hackers pre-positioning for ‘destructive cyberattacks against US critical infrastructure’ | The Record from Recorded Future News
therecord.media
Open sourceMicrosoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage
hackread.com
Open sourceFlax Typhoon using legitimate software to quietly access Taiwanese organizations | Microsoft Security Blog
microsoft.com
Open sourceChinese hackers breach US critical infrastructure in stealthy attacks
bleepingcomputer.com
Open sourceVolt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog
microsoft.com
Open sourceUS govt, FireEye breached after SolarWinds supply-chain attack
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Flax Typhoon Used Raptor Train IoT Botnet to Mask Critical Infrastructure Intrusions
U.S. authorities and private-sector researchers said the China-linked threat actor **Flax Typhoon** operated a sprawling IoT botnet known as **Raptor Train** to conceal intrusions into critical infrastructure networks. Black Lotus Labs said the botnet had been active since 2020, at one point exceeding 60,000 live nodes and compromising more than 200,000 routers, NAS devices, IP cameras, and other internet-exposed systems. The operation used a multi-tier architecture and a custom Mirai-derived implant called `Nosedive`, which enabled remote command execution, file transfer, and retained **DDoS** capability while using in-memory execution and anti-forensics techniques. Researchers linked the activity to targeting in the United States and Taiwan across government, military, telecommunications, higher education, defense industrial base, and IT sectors, alongside scanning and likely exploitation attempts against **Atlassian Confluence** and **Ivanti Connect Secure** appliances. The **FBI** and Department of Justice said they disrupted the botnet in a court-authorized operation that removed malware from infected routers, and officials later said the action effectively dismantled infrastructure used by Chinese operators to hide follow-on hacking. Subsequent reporting said the botnet exploited dozens of vulnerabilities across edge and IoT products, with VulnCheck identifying **66 actively targeted CVEs** tied to the campaign, far more than were listed in CISA’s Known Exploited Vulnerabilities catalog. Additional reporting also pointed to corporate links around **Integrity Technology**, described as connected to Flax Typhoon and tied through competitive, partner, and client relationships to **i-SOON**, adding to the picture of a broader Chinese intrusion ecosystem supporting espionage and potential disruptive operations.
May 26, 2026
China-Linked Groups Built Covert Botnets From Compromised Routers and IoT Devices
A joint advisory from the UK **NCSC**, the United States, and other international partners warned that China-nexus threat actors are increasingly using large covert networks of compromised **SOHO routers, IoT devices, firewalls, and NAS systems** to route malicious traffic, hide attribution, and support espionage and disruptive operations. The warning said these botnet-style proxy networks are used across the full cyber kill chain, from reconnaissance and malware delivery to command-and-control and data theft, and identified activity tied to **Volt Typhoon**, **Flax Typhoon**, and the **Raptor Train** botnet. Officials said Volt Typhoon’s **KV Botnet** relied heavily on end-of-life Cisco and Netgear routers, while Raptor Train infected more than **200,000** devices worldwide and was reportedly controlled by **Integrity Technology Group**. Governments said the scale and churn of these compromised-device networks make traditional static IP blocklists increasingly ineffective, creating what some reporting described as rapid indicator loss or “IOC extinction.” Agencies urged organizations to map internet-facing and edge assets, baseline normal traffic from routers and IoT devices, enforce **MFA**, apply dynamic threat intelligence, use allow-listing and **zero trust** controls, and actively hunt for suspicious proxy-node behavior on residential, branch, and enterprise-connected infrastructure. The disclosures also linked the threat to broader Chinese pre-positioning activity against critical infrastructure and telecom environments, underscoring how weakly secured edge devices continue to provide durable operational cover for state-backed intrusions.
Apr 27, 2026
Dragos Reports Volt Typhoon Remains Embedded in US Critical Infrastructure
Dragos’ annual OT threat report warns that the China-linked **Volt Typhoon** operation (tracked by Dragos as **Voltzite**) continued compromising US critical infrastructure through 2025, including **electric, oil, and gas** organizations, by abusing edge devices such as **cellular gateways and routers** to gain and maintain long-term access. Dragos CEO Robert M. Lee said the activity is oriented toward *pre-positioning* for future disruption rather than intellectual property theft, with intrusions aimed at achieving persistence and, in some cases, getting “inside the control loop” of industrial processes. US authorities and Dragos assess the strategic objective as establishing footholds in operational technology environments to enable **destructive or disruptive attacks** that could impede US response and military mobilization during a crisis. Lee also cautioned that some compromised sites in the US and allied countries may **never be identified**, particularly among smaller or less mature utilities (notably in the **water sector**), even as forthcoming US regulations over the next several years may improve detection and remediation capabilities across parts of the energy sector.
Mar 21, 2026