HIGHMalware
Verified
Global

Flax Typhoon IoT Botnet Resurfaces with 300,000 Compromised Devices

·Source: Lumen Black Lotus Labs / FBI

Updated:

Executive Summary

Despite FBI disruption in 2024, Flax Typhoon has rebuilt its IoT botnet to over 300,000 compromised routers, cameras, and NAS devices worldwide.

Analysis

Flax Typhoon rebuilt its botnet using vulnerabilities in SOHO routers, IP cameras, and NAS devices. The botnet serves as a proxy network for other Chinese intelligence operations, providing anonymization and relay capabilities. Lumen Black Lotus Labs identified the rebuilt infrastructure spanning 72 countries. FBI is coordinating with international partners for another disruption attempt.

Timeline

Discovered
Feb 15, 2026
Exploitation Detected
Feb 15, 2026
Published
Mar 12, 2026
Source Attribution

Originally published by Lumen Black Lotus Labs / FBI on Mar 12, 2026. Verified by: FBI, Lumen, CISA.

Related Threats

MEDIUMMalware

Legacy Microsoft Utility Fuels New Wave of Malware

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/legacy-microsoft-utility-fuels-new-wave-malware-image_small-8-a-31716.jpg" align=right hspace=4><b>Researchers Link MSHTA Windows Utility to Lumma Stealer, ClickFix Campaigns</b><br>Cybercriminals continue abusing Microsoft’s legacy MSHTA utility to deliver malware, with researchers saying that the default-enabled Windows componen

Bank Info Security
MEDIUMMalware

Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks

Attackers are increasingly abusing Microsoft’s decades-old MSHTA utility to stealthily deliver stealers, loaders, and persistent malware through phishing, fake software downloads, and LOLBIN-based attack chains. The post Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks appeared first on SecurityWeek .

SecurityWeek
MEDIUMMalware

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware, likely sold or shared among multiple Chinese-speaking cyber crime groups operating under a malware-as-a-service (MaaS) model for continuous monetization.

Cisco Talos