The Harvester of Roots: Flax Typhoon

Threat Intelligence Tarot

Vol. II · 87

China (MSS - Integrity Technology Group)

★★★★★

risk 4/5

✦ The Harvester of Roots ✦

Flax Typhoon

Ethereal Panda · Storm-0919

TaiwanPhilippinesMalaysiaGovernmentCritical infrastructureSOHO devices

Active since ~2021 · Espionage, Pre-positioning, Persistent access

The Harvester does not harvest data but terrain itself, turning consumer routers and cameras into an invisible army. It plants itself in the soil of home networks until the soil is indistinguishable from the plant.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1190

Exploit Public-Facing Application

Initial Access

T1078

Valid Accounts

Defense Evasion

T1021.001

Remote Desktop Protocol

Lateral Movement

T1070.004

File Deletion

Defense Evasion

T1055

Process Injection

Defense Evasion

T1090

Proxy

Command and Control

T1133

External Remote Services

Persistence

Notable Operations

◆260,000-device SOHO botnet (FBI disruption 2024)
◆Taiwan government network intrusions
◆Living-off-the-land persistent access campaigns
◆Pre-positioning across Indo-Pacific critical infrastructure

Defenses

▸
SOHO device firmware updates and default credential replacement
CIS Control 4 ↗
▸
ISP botnet traffic blocking and null-routing known C2 infrastructure
NIST CSF: PR.PT ↗
▸
Network flow analysis to detect devices communicating with known Typhoon C2
NIST CSF: DE.CM ↗
▸
VPN and RDP access restricted to allowlisted IPs
CIS Control 6 ↗

Reversed: Their Weakness

The FBI's 2024 botnet disruption demonstrated that coordinated law enforcement action can dismantle even large-scale infrastructure operations. Consumer device replacement and ISP-level blocking cut off its reach.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Dusty Archivist Next →The Key Forger

Related Adversaries

The Patient Inheritor

Data sourced from MITRE ATT&CK. For educational purposes.