How Typhoon APTs Infiltrate Infrastructure Without Leaving a Trace

November 20, 2025
Lucie Cardiet
Cyber Threat Research Manager

Across the globe, a quiet but deliberate wave of cyber intrusions has emerged. These operations aren’t noisy ransomware campaigns or chaotic data leaks. They are calculated efforts designed for longevity. The actors behind them move strategically through the systems that power everyday life – telecom carriers, routers, energy grids, and government infrastructure – leaving behind almost no trace.

These threat groups, collectively named Typhoons, include Volt Typhoon, Flax Typhoon, and Salt Typhoon, all linked to Chinese state-sponsored activity. Each group operates with distinct goals, yet their tradecraft shares the same DNA: stealth, patience, and deep operational understanding. Rather than deploying custom malware, they repurpose trusted tools and blend into legitimate system activity.

From pre-positioning for disruption to covert telecom espionage, the Typhoons represent a shift toward attacks that succeed precisely because they go unnoticed.

The Typhoon Roster

Each Typhoon group plays a role in a broader strategy targeting global critical infrastructure. While their missions differ, their methods consistently prioritize invisibility and persistence.

Volt Typhoon
  Primary target region: United States (Pacific)
  Focus sectors: Utilities, telecom, transportation
  Primary goal: Pre-positioning for future disruption
  Tactics: Living-off-the-land, network device abuse, no malware
  Distinctive traits: Uses compromised routers as proxies, focuses on Guam and US critical systems

Flax Typhoon
  Primary target region: Taiwan (and Asia-Pacific)
  Focus sectors: Government, education, critical IT
  Primary goal: Long-term espionage and access persistence
  Tactics: Minimal malware, credential theft, SoftEther VPN for remote access
  Distinctive traits: Creates RDP backdoors, hijacks IoT devices for lateral movement

Salt Typhoon
  Primary target region: Global (US, Asia, Europe)
  Focus sectors: Telecom, ISP backbones
  Primary goal: Communications surveillance, counterintelligence
  Tactics: Router compromise, rootkits, lateral movement using network tooling
  Distinctive traits: Accessed lawful intercept systems, deployed kernel-level implants

Tactics Without Tools: Living Off the Land

What makes the Typhoon operations so challenging to detect is not only their skill but their restraint. They rarely deploy new code. Instead, they use what’s already available inside the environment.

This “living off the land” approach relies on abusing legitimate administrative tools like PowerShell, WMIC, netsh, and Remote Desktop to perform malicious activity under the guise of normal operations. Because these tools are common in enterprise environments, abnormal behavior can easily disappear in the noise.

Volt Typhoon and Flax Typhoon rely heavily on this tactic to quietly harvest intelligence or establish long-term footholds. Salt Typhoon combines native tools with advanced stealth techniques, such as kernel-level implants, to maintain deeper access. The unifying goal: complete the mission while appearing ordinary.
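Because the tools themselves are legitimate, a useful detection keys on how they are driven (the arguments and the parent process) rather than on the binary name. The following is an added example, not Vectra code and not from any Typhoon advisory: it scores constructed process-creation records (fields loosely modelled on Security event 4688 / Sysmon event 1; the field names and the sample events are this example's own) against a small, illustrative rule set covering the tools the article names.

```python
"""Score Windows process-creation events for living-off-the-land command use.

Added example for this article; not Vectra code. ProcessEvent fields and
SAMPLE_EVENTS are constructed to resemble Security event 4688 / Sysmon event 1
records, and LOTL_RULES is an illustrative subset, not a complete signature pack.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str      # parent process image name
    image: str       # created process image name
    cmdline: str     # full command line as logged


# (rule name, case-insensitive regex over the command line, base severity 1-3).
# Each pattern targets a way the tool is driven, not the tool itself, so routine
# administrative use of the same binary does not fire.
LOTL_RULES = [
    ("netsh_portproxy",     r"\bnetsh\b.*\bportproxy\b.*\badd\b", 3),
    ("wmic_remote_exec",    r"\bwmic\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", 3),
    ("powershell_encoded",  r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", 2),
    ("rdp_enabled_via_reg", r"\breg(\.exe)?\b.*\badd\b.*\bfdenytsconnections\b.*/d\s+0\b", 2),
]

# Parents that should not normally spawn administrative shells or network tools;
# a rule hit under one of these earns an extra point.
UNUSUAL_PARENTS = {"w3wp.exe", "wmiprvse.exe", "services.exe", "winlogon.exe"}


def classify(event: ProcessEvent) -> Optional[dict]:
    """Return a finding for the event, or None when no rule matches."""
    cmdline = event.cmdline.lower()
    hits = [(name, sev) for name, pattern, sev in LOTL_RULES
            if re.search(pattern, cmdline)]
    if not hits:
        return None
    score = max(sev for _, sev in hits)
    if event.parent.lower() in UNUSUAL_PARENTS:
        score += 1
    return {"host": event.host, "user": event.user, "parent": event.parent,
            "rules": [name for name, _ in hits], "score": score}


def analyze(events: List[ProcessEvent]) -> List[dict]:
    """Run every event through the rules; return findings, highest score first."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample: one benign scripted task and four suspicious invocations.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", "explorer.exe", "powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ProcessEvent("SRV02", "svc_backup", "cmd.exe", "netsh.exe",
                 "netsh interface portproxy add v4tov4 listenport=8443 "
                 "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.20.30.40"),
    ProcessEvent("WEB01", r"IIS APPPOOL\DefaultAppPool", "w3wp.exe", "wmic.exe",
                 'wmic /node:10.20.30.41 process call create "cmd.exe /c whoami"'),
    ProcessEvent("SRV03", "SYSTEM", "wmiprvse.exe", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"),   # placeholder blob
    ProcessEvent("SRV04", "svc_backup", "cmd.exe", "reg.exe",
                 r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                 r'/v fDenyTSConnections /t REG_DWORD /d 0 /f'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['score']}] {finding['host']} {finding['user']} "
              f"via {finding['parent']}: {', '.join(finding['rules'])}")
```

The benign scripted task on WS01 produces no finding, while the WMIC call spawned by an IIS worker process scores highest because the parent is one that should never be launching remote-execution tooling. In practice the parent-process set and the rule list would be tuned per environment; the point is that the signal lives in the arguments and the lineage, not in the presence of netsh or wmic.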

Persistence Over Payloads

For the Typhoon groups, infiltration is only step one. Their real objective is to remain inside their targets for as long as possible, avoiding detection while building durable access. This isn’t about delivering traditional payloads. It’s about shaping the environment to ensure they never have to leave.

Flax Typhoon maintains remote access by installing legitimate VPN clients like SoftEther, blending in with normal traffic patterns. In some cases, they hijack Windows accessibility functions—such as the Sticky Keys shortcut—to silently create login backdoors that survive reboots and avoid endpoint monitoring.

[Figure: Attack anatomy of a Flax Typhoon attack]

Volt Typhoon relies on stolen credentials and native Windows utilities to move through networks undetected. They often set up covert tunnels using tools like netsh portproxy, allowing them to redirect internal traffic without triggering alerts or relying on external command-and-control infrastructure.

[Figure: Attack anatomy of a Volt Typhoon attack]
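Both persistence mechanisms described above, the netsh portproxy tunnels used by Volt Typhoon and the accessibility-function hijack used by Flax Typhoon, leave a footprint in the registry that a periodic audit can catch even when no process is running. The following added example (not Vectra code, and the snapshot format is this example's own assumption of what a collector script might export) audits a constructed registry snapshot for port-proxy entries under the PortProxy service key and for Debugger values set on accessibility binaries under Image File Execution Options. The sample data values are placeholders, not indicators from any real incident.

```python
"""Audit a registry snapshot for two Typhoon-style persistence mechanisms:
netsh port-proxy tunnels and accessibility-binary hijacks via IFEO.

Added example for this article; not Vectra code. SAMPLE_SNAPSHOT is a
constructed dict of key path -> {value name: data}; the paths of the two
audited keys are real Windows locations, the data are placeholders.
"""
from typing import Dict, List

RegistrySnapshot = Dict[str, Dict[str, str]]

PORTPROXY_PREFIX = r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy"
IFEO_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Accessibility helpers reachable from the logon screen; a Debugger value on any
# of them replaces the helper with whatever program the value names.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# Destination ports that make a forwarded tunnel especially interesting.
SENSITIVE_PORTS = {22, 445, 3389, 5985, 5986}


def _under(key: str, prefix: str) -> bool:
    """Case-insensitive 'key is a subkey of prefix' test."""
    return key.lower().startswith(prefix.lower() + "\\")


def audit_portproxy(snapshot: RegistrySnapshot) -> List[dict]:
    """Report every port-proxy entry; few environments have a legitimate one.

    Entries are stored as value name 'listenaddr/listenport' with data
    'connectaddr/connectport'.
    """
    findings = []
    for key, values in snapshot.items():
        if not _under(key, PORTPROXY_PREFIX):
            continue
        for listener, target in values.items():
            listen_addr, listen_port = listener.split("/")
            target_addr, target_port = target.split("/")
            severity = "medium"
            if int(target_port) in SENSITIVE_PORTS or listen_addr in ("0.0.0.0", "*"):
                severity = "high"
            findings.append({"check": "portproxy", "severity": severity,
                             "detail": f"{listen_addr}:{listen_port} -> {target_addr}:{target_port}"})
    return findings


def audit_ifeo(snapshot: RegistrySnapshot) -> List[dict]:
    """Report Debugger values set on accessibility binaries under IFEO."""
    findings = []
    for key, values in snapshot.items():
        if not _under(key, IFEO_PREFIX):
            continue
        exe = key.rsplit("\\", 1)[-1].lower()
        debugger = {name.lower(): data for name, data in values.items()}.get("debugger")
        if debugger and exe in ACCESSIBILITY_BINARIES:
            findings.append({"check": "ifeo_accessibility", "severity": "high",
                             "detail": f"{exe} -> {debugger}"})
    return findings


def audit(snapshot: RegistrySnapshot) -> List[dict]:
    """Run both checks and return the combined findings."""
    return audit_portproxy(snapshot) + audit_ifeo(snapshot)


# Constructed snapshot: one tunnel, one hijacked accessibility binary, one
# vendor debugger registration that should NOT be flagged, and unrelated noise.
SAMPLE_SNAPSHOT: RegistrySnapshot = {
    PORTPROXY_PREFIX + r"\v4tov4\tcp": {"0.0.0.0/8443": "10.20.30.40/3389"},
    IFEO_PREFIX + r"\sethc.exe": {"Debugger": r"C:\Windows\Temp\constructed_debugger.exe"},
    IFEO_PREFIX + r"\example_app.exe": {"Debugger": r"C:\Program Files\Vendor\jitdebugger.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server": {"fDenyTSConnections": "1"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print(f"{finding['severity'].upper():6} {finding['check']}: {finding['detail']}")
```

The example_app.exe entry shows why the IFEO check is scoped to accessibility binaries: developer tooling legitimately registers Debugger values for its own executables, and flagging every IFEO key would bury the one that matters. Port-proxy entries, by contrast, are reported unconditionally, with the severity raised when the listener is bound to all interfaces or the destination is an administrative port.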

Salt Typhoon combines stealth with deep technical control. Beyond abusing routers and network gear to maintain access, they deploy rootkits that operate at the kernel level. They’ve been observed enabling dormant services, altering access controls, and manipulating device configurations to ensure multiple persistent paths into the network.

[Figure: Attack anatomy of a Salt Typhoon attack]
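Enabled services, widened access controls and altered device configurations are all visible as drift from a known-good configuration, which is why a regular diff against a stored baseline is one of the few controls that works when the implant itself is below the operating system. The following added example (not Vectra code) compares two constructed snippets written in Cisco IOS-like syntax and classifies the differences; the hostnames, addresses and the classification table are this example's own assumptions, and the table is illustrative rather than exhaustive.

```python
"""Classify risky drift between a known-good network device configuration
and the configuration currently on the device.

Added example for this article; not Vectra code. BASELINE and CURRENT are
constructed snippets in Cisco IOS-like syntax with placeholder names and
addresses; ADDED_RULES / REMOVED_RULES are an illustrative starting point.
"""
import re
from typing import Dict, List, Tuple

# Lines whose appearance in the current config deserves a question.
ADDED_RULES = [
    ("local_account_added",   r"^username \S+"),
    ("mgmt_service_enabled",  r"^ip http (secure-)?server$"),
    ("snmp_community_added",  r"^snmp-server community "),
    ("acl_permit_added",      r"^(access-list \d+ permit|permit) "),
    ("remote_access_widened", r"^transport input .*\b(all|telnet)\b"),
]
# Lines whose disappearance from the baseline deserves a question.
REMOVED_RULES = [
    ("logging_destination_removed", r"^logging host "),
    ("aaa_disabled",                r"^aaa (new-model|authentication)"),
    ("acl_deny_removed",            r"^(access-list \d+ deny|deny) "),
    ("acl_removed_from_vty",        r"^access-class "),
]


def normalise(config: str) -> List[str]:
    """Drop comments, blank lines and indentation so lines compare on content."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def config_drift(baseline: str, current: str) -> Dict[str, List]:
    """Return added/removed lines plus (category, line) findings for risky ones."""
    base, cur = set(normalise(baseline)), set(normalise(current))
    added, removed = sorted(cur - base), sorted(base - cur)
    findings: List[Tuple[str, str]] = []
    for line in added:
        findings += [(cat, line) for cat, pat in ADDED_RULES if re.search(pat, line)]
    for line in removed:
        findings += [(cat, line) for cat, pat in REMOVED_RULES if re.search(pat, line)]
    return {"added": added, "removed": removed, "findings": findings}


# Constructed baseline: one admin account, management ACL on the vty lines, syslog.
BASELINE = """\
! Last configuration change at 09:00:00 UTC Mon Nov 3 2025
hostname edge-rtr-01
aaa new-model
username netops privilege 15 secret 9 <redacted>
ip access-list standard MGMT
 permit 10.0.10.0 0.0.0.255
 deny any
logging host 10.0.20.5
snmp-server community <redacted> RO
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Constructed current config: extra account, HTTP server on, wider ACL,
# telnet allowed, vty ACL and syslog destination gone.
CURRENT = """\
! Last configuration change at 02:17:43 UTC Sat Nov 15 2025
hostname edge-rtr-01
aaa new-model
username netops privilege 15 secret 9 <redacted>
username svc_mgmt privilege 15 secret 9 <redacted>
ip http server
ip access-list standard MGMT
 permit 10.0.10.0 0.0.0.255
 permit 203.0.113.0 0.0.0.255
 deny any
snmp-server community <redacted> RO
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    for category, line in config_drift(BASELINE, CURRENT)["findings"]:
        print(f"{category:30} {line}")
```

Comparing line sets ignores ordering and the "Last configuration change" comment, so a reboot or a cosmetic re-save does not raise noise. The trade-off is that an indented ACL entry is compared without its parent ACL name, so two ACLs containing the same permit line look identical to this check; a production version would key entries by their enclosing block before diffing.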

These actors don’t just hide within the network; they reshape it around themselves. Their persistence model forces defenders to monitor behaviors over time instead of searching for malware signatures.

Persistence Is the Payload

Whether Volt Typhoon is staging for disruption, Flax Typhoon is mapping Taiwanese infrastructure, or Salt Typhoon is intercepting communications across global backbones, the common thread is clear: malware is no longer the marker of compromise – behavior is. Each of these groups builds layered access, manipulates trust, and operates well below the threshold of traditional detection. They depend on defenders focusing on files, not actions.

This is where the Vectra AI Platform makes a critical difference. By analyzing behavior across cloud, network, and identity, Vectra detects the subtle patterns of command use, privilege escalation, and lateral movement that Typhoon actors rely on. The platform doesn’t look for malware; it identifies malicious intent, even when adversaries appear legitimate.

If your detection strategy is tuned only to find the obvious, these actors will succeed. To uncover the threats that don’t want to be found, you need constant visibility and AI-driven intelligence that learns as attackers adapt.

See how the Vectra AI Platform reveals the quietest threats before they become the biggest problems.
