U.S. officials dismantle a Mirai-like botnet linked to distributed denial-of-service (DDoS) attacks and other threats.
The Flax Typhoon botnet, also known as "Raptor Train," has been identified as a significant cyber threat to critical infrastructure worldwide. The botnet, which has been tied to advanced persistent threat (APT) groups believed to be sponsored by the Chinese state, has been the subject of multiple warnings from cybersecurity researchers and U.S. authorities.
### History
First detected in May 2023, Flax Typhoon has infected devices across many countries. Country-level infection statistics, which place nearly half of the compromised devices in the U.S., have been made publicly available through the Shadowserver Foundation as of early July 2025, underscoring the botnet's global reach.
The Flax Typhoon campaign is associated with hacking groups with long histories in offensive cyber operations, including ties to hack-for-hire groups previously known for high-impact worms. The campaign is also linked to other state-linked espionage and sabotage operations, such as those attributed to Salt Typhoon, which has targeted major telecommunications providers and infrastructure assets worldwide.
### Connection to State-Linked Threat Groups
Evidence links Flax Typhoon to APT groups believed to be state-sponsored, notably Chinese cyber espionage efforts. Leaked data associates Flax Typhoon with Chinese government entities and research organizations such as the Institute of Information Engineering of the Chinese Academy of Sciences. Leaked data tied to the related Salt Typhoon group revealed affiliations with PLA Unit 61419 ("Tick") and involvement in complex breach campaigns against U.S. and global telecommunications providers, suggesting that Flax Typhoon is one part of a wider Chinese state-linked threat ecosystem targeting critical infrastructure.
### Current Status and Malware Variants
As of mid-2025, Flax Typhoon-related infections continue to be monitored globally. The malware variants in use are sophisticated: they perform credential theft and lateral movement, and they abuse trusted infrastructure such as Active Directory services. The threat remains critical for infrastructure security professionals because of the botnet's capacity for espionage, sabotage, and disruption of essential services.
### Mitigation Measures
To mitigate the risks posed by Flax Typhoon and similar threats, users and operators are urged to:
- disable unused ports and services;
- replace equipment that has reached end-of-life status;
- apply patches and security upgrades promptly;
- use stronger, more complex passwords;
- stay vigilant for exploitation attempts against Ivanti Connect Secure appliances and Atlassian Confluence servers.
The FBI has said it will continue to work with its partners to identify and expose malicious activity.
This ongoing threat underscores the importance of robust cybersecurity measures for critical infrastructure providers and the need for continued collaboration between governments, private sector entities, and cybersecurity experts. FBI Director Christopher Wray stated that the operation against Flax Typhoon was just one round in a much longer fight against cyber threats from the Chinese government.
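The first item above, disabling unused ports and services, is only actionable once you know what is actually listening on a device. The following script is an added example and is not code from the article, the FBI, or any vendor. It parses the output format of Linux `ss -tlnp`, compares every listening socket against an explicit allowlist (port and the process expected to own it), and reports anything that is not on the list or is owned by an unexpected process. The `ss` output and the allowlist below are constructed for the example; the port numbers and process names are hypothetical and not indicators tied to Flax Typhoon.

```python
"""Audit listening TCP services against an allowlist (added example).

Run `ss -tlnp` on the device (or collect it with your configuration
management tool) and feed the text to `parse_listeners`. Anything reported
by `audit` is a candidate to disable, firewall, or justify in writing.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `ss -tlnp` prints; NOT real host data.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:80        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=433,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      5      0.0.0.0:7547        0.0.0.0:*         users:(("cwmpd",pid=655,fd=9))
"""

# Hypothetical policy: port -> process name expected to own that port.
ALLOWLIST: Dict[int, str] = {22: "sshd", 80: "nginx"}

# Matches one LISTEN row; the trailing users:(...) field is optional because
# `ss` omits it when run without the privileges needed to resolve the owner.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

LOOPBACK = ("127.0.0.1", "[::1]")


def parse_listeners(ss_output: str) -> List[Dict]:
    """Turn `ss -tlnp` text into a list of listener records."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN row
        addr = m.group("addr")
        listeners.append({
            "addr": addr,
            "port": int(m.group("port")),
            "proc": m.group("proc") or "?",          # "?" when ss hid the owner
            "exposed": addr not in LOOPBACK,          # reachable from the network
        })
    return listeners


def audit(listeners: List[Dict], allowlist: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Return (port, process, reason) for every listener that violates policy."""
    findings = []
    for l in listeners:
        expected = allowlist.get(l["port"])
        if expected is None:
            scope = "network-exposed" if l["exposed"] else "loopback-only"
            findings.append((l["port"], l["proc"],
                             f"not on allowlist ({scope}); disable or justify"))
        elif expected != l["proc"]:
            # Right port, wrong binary: worth a closer look on any device.
            findings.append((l["port"], l["proc"],
                             f"unexpected owner (expected {expected})"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in audit(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(f"port {port:<5} {proc:<10} {reason}")
```

On the constructed sample this flags the telnet daemon on port 23 and the CWMP/TR-069 agent on port 7547, both of which the hypothetical policy does not allow, while leaving sshd and nginx alone. The allowlist should be per device role; a router, a build server and a domain controller legitimately listen on very different sets of ports.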
- Threat intelligence reports link the Flax Typhoon botnet, also known as "Raptor Train," to Chinese state-linked threat groups, making it a significant threat to critical infrastructure.
- The malware variants used by Flax Typhoon perform credential theft and lateral movement and abuse trusted infrastructure such as Active Directory services.
- Defending against threats like Flax Typhoon requires stronger security controls and continued collaboration between governments, the private sector, and cybersecurity experts; FBI Director Christopher Wray described the operation against Flax Typhoon as one round in a much longer fight.