Flax Typhoon Used Raptor Train IoT Botnet to Mask Critical Infrastructure Intrusions
U.S. authorities and private-sector researchers said the China-linked threat actor Flax Typhoon operated a sprawling IoT botnet known as Raptor Train to conceal intrusions into critical infrastructure networks. Black Lotus Labs said the botnet had been active since 2020, at one point exceeding 60,000 live nodes and compromising more than 200,000 routers, NAS devices, IP cameras, and other internet-exposed systems. The operation used a multi-tier architecture and a custom Mirai-derived implant called Nosedive, which enabled remote command execution, file transfer, and retained DDoS capability while using in-memory execution and anti-forensics techniques. Researchers linked the activity to targeting in the United States and Taiwan across government, military, telecommunications, higher education, defense industrial base, and IT sectors, alongside scanning and likely exploitation attempts against Atlassian Confluence and Ivanti Connect Secure appliances.
The FBI and Department of Justice said they disrupted the botnet in a court-authorized operation that removed malware from infected routers, and officials later said the action effectively dismantled infrastructure used by Chinese operators to hide follow-on hacking. Subsequent reporting said the botnet exploited dozens of vulnerabilities across edge and IoT products, with VulnCheck identifying 66 actively targeted CVEs tied to the campaign, far more than were listed in CISA’s Known Exploited Vulnerabilities catalog. Additional reporting also pointed to corporate links around Integrity Technology, described as connected to Flax Typhoon and tied through competitive, partner, and client relationships to i-SOON, adding to the picture of a broader Chinese intrusion ecosystem supporting espionage and potential disruptive operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Research highlights Integrity Technology ties to Flax Typhoon and i-SOON
On September 25, 2024, Natto Thoughts published research describing Integrity Technology as linked to Flax Typhoon and noting it was a competitor, business partner, and client of i-SOON. This added corporate relationship context to public understanding of the ecosystem around the threat activity.
VulnCheck reports Flax Typhoon botnet targeting 66 vulnerabilities
On September 24, 2024, Cybersecurity Dive reported VulnCheck findings that a Flax Typhoon-associated botnet was actively exploiting 66 vulnerabilities, while only 27 appeared in CISA’s Known Exploited Vulnerabilities catalog. The reporting said the Mirai-variant botnet had exploited more than 260,000 IoT devices globally and targeted critical infrastructure providers.
U.S. and Five Eyes publish Flax Typhoon TTP advisory
On 2024-09-18, the DOJ said the FBI and U.S. government partners published a joint cybersecurity advisory with Five Eyes partners detailing the tactics, techniques, and procedures used by the Flax Typhoon-linked botnet operated through Integrity Technology Group. The advisory accompanied the botnet disruption and provided new official technical guidance on the campaign.
FBI says Chinese operators lost their botnet infrastructure
On September 18, 2024, reporting on remarks by the FBI director said Chinese spies had effectively 'burned down' their botnet after disruption efforts. This reflected official U.S. commentary on the impact of actions taken against the Flax Typhoon-linked network.
Black Lotus Labs publicly links Raptor Train to Flax Typhoon
On September 18, 2024, Lumen’s Black Lotus Labs published research on the Raptor Train botnet, assessing it was likely operated by the Chinese state-linked threat actor Flax Typhoon. Lumen said it shared intelligence with the U.S. government and null-routed traffic to known botnet infrastructure.
Raptor Train campaigns continue through August 2024
Black Lotus Labs said it tracked four campaigns—Crossbill, Finch, Canary, and Oriole—showing the botnet’s growth, infrastructure changes, and broader device exploitation through August 2024. The activity included targeting U.S. and Taiwanese organizations and likely exploitation attempts against Confluence and Ivanti Connect Secure systems.
U.S. government announces disruption of PRC-linked botnet
On January 31, 2024, the U.S. Department of Justice announced a U.S. government operation to disrupt a botnet used by the People’s Republic of China to conceal hacking targeting critical infrastructure. Reporting also described the FBI wiping malware from infected routers as part of the disruption.
Raptor Train reaches peak of over 60,000 active devices
Black Lotus Labs reported that the botnet peaked at more than 60,000 active compromised devices in June 2023. Over its lifetime, the operation is said to have conscripted more than 200,000 devices globally.
Raptor Train botnet activity begins
Black Lotus Labs assessed that the China-linked Raptor Train IoT botnet began operating in May 2020. The botnet was later linked to Flax Typhoon and used compromised SOHO routers, IoT devices, NAS systems, and cameras as part of a multi-tier infrastructure.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON
nattothoughts.substack.com
Open sourceFlax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON
nattothoughts.com
Open sourceCISA catalog falls short on CVEs targeted by Flax Typhoon | Cybersecurity Dive
cybersecuritydive.com
Open sourceOffice of Public Affairs | Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers | United States Department of Justice
justice.gov
Open sourceDerailing the Raptor Train
lumen.com
Open sourceFBI director says Chinese spies 'burned down' their botnet
theregister.com
Open sourceChinese botnet infects 260,000 SOHO routers, IP cameras with malware
bleepingcomputer.com
Open sourceFBI disrupts Chinese botnet by wiping malware from infected routers
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Groups Built Covert Botnets From Compromised Routers and IoT Devices
A joint advisory from the UK **NCSC**, the United States, and other international partners warned that China-nexus threat actors are increasingly using large covert networks of compromised **SOHO routers, IoT devices, firewalls, and NAS systems** to route malicious traffic, hide attribution, and support espionage and disruptive operations. The warning said these botnet-style proxy networks are used across the full cyber kill chain, from reconnaissance and malware delivery to command-and-control and data theft, and identified activity tied to **Volt Typhoon**, **Flax Typhoon**, and the **Raptor Train** botnet. Officials said Volt Typhoon’s **KV Botnet** relied heavily on end-of-life Cisco and Netgear routers, while Raptor Train infected more than **200,000** devices worldwide and was reportedly controlled by **Integrity Technology Group**. Governments said the scale and churn of these compromised-device networks make traditional static IP blocklists increasingly ineffective, creating what some reporting described as rapid indicator loss or “IOC extinction.” Agencies urged organizations to map internet-facing and edge assets, baseline normal traffic from routers and IoT devices, enforce **MFA**, apply dynamic threat intelligence, use allow-listing and **zero trust** controls, and actively hunt for suspicious proxy-node behavior on residential, branch, and enterprise-connected infrastructure. The disclosures also linked the threat to broader Chinese pre-positioning activity against critical infrastructure and telecom environments, underscoring how weakly secured edge devices continue to provide durable operational cover for state-backed intrusions.
Apr 27, 2026
China-Linked Volt Typhoon and Flax Typhoon Use Stealthy Access in Critical Sectors
Microsoft and U.S. officials said China-linked threat groups **Volt Typhoon** and **Flax Typhoon** used living-off-the-land techniques and legitimate software to quietly compromise targets while minimizing detection. Volt Typhoon was tied to intrusions affecting U.S. critical infrastructure, with reporting describing the group as breaching networks through stealthy post-compromise activity rather than malware-heavy tradecraft. U.S. agencies later warned that the campaign appeared aimed at **pre-positioning** inside critical infrastructure for potential disruptive or destructive operations. Microsoft separately reported that **Flax Typhoon** targeted organizations in Taiwan for cyber-espionage, relying on valid credentials, remote access tools, and other trusted utilities to maintain persistence and blend into normal network activity. Subsequent reporting and later tracking indicated that Volt Typhoon remained active against U.S. infrastructure, reinforcing concerns that Chinese state-linked operators are sustaining long-term access across strategically important environments while using native tools and legitimate software to evade defenders.
May 26, 2026
US Disrupts Volt Typhoon KV Botnet Built on Compromised SOHO Routers
The U.S. Department of Justice said a court-authorized FBI operation disrupted the **KV Botnet**, a network of hundreds of compromised small office and home office routers that the PRC-linked group **Volt Typhoon** used to mask follow-on intrusions against U.S. and foreign targets, including critical infrastructure. Officials said the botnet relied heavily on end-of-life **Cisco** and **NetGear** devices, and that the FBI removed malware from affected U.S.-based routers and severed communications with botnet controllers without disrupting legitimate router functions or collecting content. The government tied the activity to broader Chinese pre-positioning against sectors including communications, energy, transportation, and water, while warning that unsupported devices remain vulnerable to reinfection unless replaced or fully remediated. Reporting on the takedown said the action mirrored earlier U.S. botnet disruptions such as the 2022 operation against **Cyclops Blink**, the **Sandworm/GRU** botnet that abused WatchGuard and ASUS devices as command-and-control infrastructure. Subsequent research from Censys found that KV Botnet control infrastructure evolved after the December 2023 disruption, with operators in the **JDY** cluster largely retaining the same infrastructure patterns while shifting hosting providers and continuing activity linked to vulnerable `Cisco RV320/RV325` routers. The researchers said the botnet’s comparatively exposed infrastructure did not fully match Volt Typhoon’s usual stealthy tradecraft, raising questions about whether the KV Botnet was operated directly by Volt Typhoon or by a separate but related actor.
May 25, 2026