惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
美团技术团队
NISL@THU
NISL@THU
C
Cisco Blogs
SecWiki News
SecWiki News
N
Netflix TechBlog - Medium
Forbes - Security
Forbes - Security
Cloudbric
Cloudbric
雷峰网
雷峰网
T
Tailwind CSS Blog
博客园 - 司徒正美
The Register - Security
The Register - Security
L
LangChain Blog
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
B
Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Threat Research - Cisco Blogs
I
InfoQ
S
Schneier on Security
L
Lohrmann on Cybersecurity
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Martin Fowler
Martin Fowler
Schneier on Security
Schneier on Security
F
Fortinet All Blogs
TaoSecurity Blog
TaoSecurity Blog
K
Kaspersky official blog
Google DeepMind News
Google DeepMind News
Cisco Talos Blog
Cisco Talos Blog
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
WordPress大学
WordPress大学
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
Project Zero
Project Zero
The GitHub Blog
The GitHub Blog
D
Docker
N
News | PayPal Newsroom
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Hacker News: Front Page
云风的 BLOG
云风的 BLOG
Microsoft Security Blog
Microsoft Security Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 聂微东
Webroot Blog
Webroot Blog
MongoDB | Blog
MongoDB | Blog

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2025-11-20 · via Vectra AI Blog

Across the globe, a quiet but deliberate wave of cyber intrusions has emerged. These operations aren’t noisy ransomware campaigns or chaotic data leaks. They are calculated efforts designed for longevity. The actors behind them move strategically through the systems that power everyday life – telecom carriers, routers, energy grids, and government infrastructure – leaving behind almost no trace.

These threat groups, collectively named Typhoons, include Volt Typhoon, Flax Typhoon, and Salt Typhoon, all linked to Chinese state-sponsored activity. Each group operates with distinct goals, yet their tradecraft shares the same DNA: stealth, patience, and deep operational understanding. Rather than deploying custom malware, they repurpose trusted tools and blend into legitimate system activity.

From pre-positioning for disruption to covert telecom espionage, the Typhoons represent a shift toward attacks that succeed precisely because they go unnoticed.

The Typhoon Roster

Each Typhoon group plays a role in a broader strategy targeting global critical infrastructure. While their missions differ, their methods consistently prioritize invisibility and persistence.

Group Primary Target Region Focus Sectors Primary Goal Tactics Distinctive Traits
Volt Typhoon United States (Pacific) Utilities, telecom, transportation Pre-positioning for future disruption Living-off-the-land, network device abuse, no malware Uses compromised routers as proxies, focuses on Guam and US critical systems
Flax Typhoon Taiwan (and Asia-Pacific) Government, education, critical IT Long-term espionage and access persistence Minimal malware, credential theft, SoftEther VPN for remote access Creates RDP backdoors, hijacks IoT devices for lateral movement
Salt Typhoon Global (US, Asia, Europe) Telecom, ISP backbones Communications surveillance, counterintel Router compromise, rootkits, lateral movement using network tooling Accessed lawful intercept systems, deployed kernel-level implants

Tactics Without Tools: Living Off the Land

What makes the Typhoon operations so challenging to detect is not only their skill but their restraint. They rarely deploy new code. Instead, they use what’s already available inside the environment.

This “living off the land” approach relies on abusing legitimate administrative tools like PowerShell, WMIC, netsh, and Remote Desktop to perform malicious activity under the guise of normal operations. Because these tools are common in enterprise environments, abnormal behavior can easily disappear in the noise.

Volt Typhoon and Flax Typhoon rely heavily on this tactic to quietly harvest intelligence or establish long-term footholds. Salt Typhoon combines native tools with advanced stealth techniques, such as kernel-level implants, to maintain deeper access. The unifying goal: complete the mission while appearing ordinary.

Persistence Over Payloads

For the Typhoon groups, infiltration is only step one. Their real objective is to remain inside their targets for as long as possible, avoiding detection while building durable access. This isn’t about delivering traditional payloads. It’s about shaping the environment to ensure they never have to leave.

Flax Typhoon maintains remote access by installing legitimate VPN clients like SoftEther, blending in with normal traffic patterns. In some cases, they hijack Windows accessibility functions—such as the Sticky Keys shortcut—to silently create login backdoors that survive reboots and avoid endpoint monitoring.

Attack Anatomy of a Flax Typhoon Attack

Volt Typhoon relies on stolen credentials and native Windows utilities to move through networks undetected. They often set up covert tunnels using tools like netsh portproxy, allowing them to redirect internal traffic without triggering alerts or relying on external command-and-control infrastructure.

Attack Anatomy of a Volt Typhoon Attack

Salt Typhoon combines stealth with deep technical control. Beyond abusing routers and network gear to maintain access, they deploy rootkits that operate at the kernel level. They’ve been observed enabling dormant services, altering access controls, and manipulating device configurations to ensure multiple persistent paths into the network.

Attack Anatomy of a Salt Typhoon Attack

These actors don’t just hide within the network, they reshape it around themselves. Their persistence model forces defenders to monitor behaviors over time instead of searching for malware signatures.

Persistence Is the Payload

Whether Volt Typhoon is staging for disruption, Flax Typhoon is mapping Taiwanese infrastructure, or Salt Typhoon is intercepting communications across global backbones, the common thread is clear: malware is no longer the marker of compromise – behavior is. Each of these groups builds layered access, manipulates trust, and operates well below the threshold of traditional detection. They depend on defenders focusing on files, not actions.

This is where the Vectra AI Platform makes a critical difference. By analyzing behavior across cloud, network, and identity, Vectra detects the subtle patterns of command use, privilege escalation, and lateral movement that Typhoon actors rely on. The platform doesn’t look for malware, it identifies malicious intent, even when adversaries appear legitimate.

If your detection strategy is tuned only to find the obvious, these actors will succeed. To uncover the threats that don’t want to be found, you need constant visibility and AI-driven intelligence that learns as attackers adapt.

See how the Vectra AI Platform reveals the quietest threats before they become the biggest problems.