Flax Typhoon

Also known as: Ethereal Panda, RedJuliett

Overview

Chinese state-sponsored group operating a massive IoT botnet of compromised routers and cameras for espionage proxy networks. Targets Taiwan, Southeast Asia, and US entities.

MITRE ATT&CK Coverage

Recon

Res Dev

Init Access

Execution

Persistence

Priv Esc

Def Evasion

Cred Access

Discovery

Lat Move

Collection

Exfil

Impact

3 of 14 tactics observed

Raw TTPs

IoT Botnet OperationsVPN ExploitationWeb Shell DeploymentProxy NetworksSOHO Device Exploitation

Related Intelligence (1)

HIGHMalwareExploited

Flax Typhoon IoT Botnet Resurfaces with 300,000 Compromised Devices

Despite FBI disruption in 2024, Flax Typhoon has rebuilt its IoT botnet to over 300,000 compromised routers, cameras, and NAS devices worldwide.

SOHO Routers

Mar 12, 2026Lumen Black Lotus Labs / FBI