惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
Y
Y Combinator Blog
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
S
SegmentFault 最新的问题
IT之家
IT之家
Recent Announcements
Recent Announcements
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
Martin Fowler
Martin Fowler
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
U
Unit 42
WordPress大学
WordPress大学
博客园 - Franky
L
LangChain Blog
人人都是产品经理
人人都是产品经理
小众软件
小众软件
博客园 - 叶小钗
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
雷峰网
雷峰网
腾讯CDC
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Help Net Security
Help Net Security
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Schneier on Security
Schneier on Security
博客园 - 聂微东
A
Arctic Wolf
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
C
Cyber Attacks, Cyber Crime and Cyber Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google DeepMind News
Google DeepMind News

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2025-11-20 · via Vectra AI Blog

Across the globe, a quiet but deliberate wave of cyber intrusions has emerged. These operations aren’t noisy ransomware campaigns or chaotic data leaks. They are calculated efforts designed for longevity. The actors behind them move strategically through the systems that power everyday life – telecom carriers, routers, energy grids, and government infrastructure – leaving behind almost no trace.

These threat groups, collectively named Typhoons, include Volt Typhoon, Flax Typhoon, and Salt Typhoon, all linked to Chinese state-sponsored activity. Each group operates with distinct goals, yet their tradecraft shares the same DNA: stealth, patience, and deep operational understanding. Rather than deploying custom malware, they repurpose trusted tools and blend into legitimate system activity.

From pre-positioning for disruption to covert telecom espionage, the Typhoons represent a shift toward attacks that succeed precisely because they go unnoticed.

The Typhoon Roster

Each Typhoon group plays a role in a broader strategy targeting global critical infrastructure. While their missions differ, their methods consistently prioritize invisibility and persistence.

Group Primary Target Region Focus Sectors Primary Goal Tactics Distinctive Traits
Volt Typhoon United States (Pacific) Utilities, telecom, transportation Pre-positioning for future disruption Living-off-the-land, network device abuse, no malware Uses compromised routers as proxies, focuses on Guam and US critical systems
Flax Typhoon Taiwan (and Asia-Pacific) Government, education, critical IT Long-term espionage and access persistence Minimal malware, credential theft, SoftEther VPN for remote access Creates RDP backdoors, hijacks IoT devices for lateral movement
Salt Typhoon Global (US, Asia, Europe) Telecom, ISP backbones Communications surveillance, counterintel Router compromise, rootkits, lateral movement using network tooling Accessed lawful intercept systems, deployed kernel-level implants

Tactics Without Tools: Living Off the Land

What makes the Typhoon operations so challenging to detect is not only their skill but their restraint. They rarely deploy new code. Instead, they use what’s already available inside the environment.

This “living off the land” approach relies on abusing legitimate administrative tools like PowerShell, WMIC, netsh, and Remote Desktop to perform malicious activity under the guise of normal operations. Because these tools are common in enterprise environments, abnormal behavior can easily disappear in the noise.

Volt Typhoon and Flax Typhoon rely heavily on this tactic to quietly harvest intelligence or establish long-term footholds. Salt Typhoon combines native tools with advanced stealth techniques, such as kernel-level implants, to maintain deeper access. The unifying goal: complete the mission while appearing ordinary.

Persistence Over Payloads

For the Typhoon groups, infiltration is only step one. Their real objective is to remain inside their targets for as long as possible, avoiding detection while building durable access. This isn’t about delivering traditional payloads. It’s about shaping the environment to ensure they never have to leave.

Flax Typhoon maintains remote access by installing legitimate VPN clients like SoftEther, blending in with normal traffic patterns. In some cases, they hijack Windows accessibility functions—such as the Sticky Keys shortcut—to silently create login backdoors that survive reboots and avoid endpoint monitoring.

Attack Anatomy of a Flax Typhoon Attack

Volt Typhoon relies on stolen credentials and native Windows utilities to move through networks undetected. They often set up covert tunnels using tools like netsh portproxy, allowing them to redirect internal traffic without triggering alerts or relying on external command-and-control infrastructure.

Attack Anatomy of a Volt Typhoon Attack

Salt Typhoon combines stealth with deep technical control. Beyond abusing routers and network gear to maintain access, they deploy rootkits that operate at the kernel level. They’ve been observed enabling dormant services, altering access controls, and manipulating device configurations to ensure multiple persistent paths into the network.

Attack Anatomy of a Salt Typhoon Attack

These actors don’t just hide within the network, they reshape it around themselves. Their persistence model forces defenders to monitor behaviors over time instead of searching for malware signatures.

Persistence Is the Payload

Whether Volt Typhoon is staging for disruption, Flax Typhoon is mapping Taiwanese infrastructure, or Salt Typhoon is intercepting communications across global backbones, the common thread is clear: malware is no longer the marker of compromise – behavior is. Each of these groups builds layered access, manipulates trust, and operates well below the threshold of traditional detection. They depend on defenders focusing on files, not actions.

This is where the Vectra AI Platform makes a critical difference. By analyzing behavior across cloud, network, and identity, Vectra detects the subtle patterns of command use, privilege escalation, and lateral movement that Typhoon actors rely on. The platform doesn’t look for malware, it identifies malicious intent, even when adversaries appear legitimate.

If your detection strategy is tuned only to find the obvious, these actors will succeed. To uncover the threats that don’t want to be found, you need constant visibility and AI-driven intelligence that learns as attackers adapt.

See how the Vectra AI Platform reveals the quietest threats before they become the biggest problems.