Executive Summary
Flax Typhoon, a China-aligned cyber-espionage group, quietly expanded its operations in Taiwan in 2025. It now targets the healthcare sector as part of a wider campaign against civilian infrastructure. The group has compromised public-facing hospital servers and deployed webshells. It has also maintained long-term access using SoftEther VPN and proxy tools across multiple institutions.
Taiwanese cyber authorities are aware of some intrusions. However, only limited details are public. These attacks indicate a strategic effort to penetrate systems that hold personal medical and operational data. Healthcare networks store sensitive and commercially valuable information. This includes patient records, operational capacity details, and sometimes data linked to biotech activities.
So far, there is no public evidence of disruptive action. Still, the quiet and persistent presence suggests that Flax Typhoon is mapping Taiwan’s resilience. The group may be preparing for future coercive or strategic operations during a crisis.
Key Judgments
KJ-1. Taiwan likely started mitigation efforts after discovering Flax Typhoon’s penetration of healthcare networks. Yet, the effectiveness of those efforts is unknown and risks likely remain.
- The 2025 APT Activity Report from cybersecurity company ESET reported in April 2025 that Flax Typhoon “targeted the healthcare sector in Taiwan, exploiting public facing web servers and deploying webshells.” [source]
- The same ESET report confirmed continued use of SoftEther VPN infrastructure and deployment of an open-source proxy (BUUT), indicating the establishment of stable, covert back-channels for long-term access. [source, source]
- Microsoft Threat Intelligence confirms that since mid-2021, Flax Typhoon has relied on minimal bespoke malware, instead using “living-off-the-land” binaries, legitimate third-party software, web shells (e.g., China Chopper), and SoftEther VPN to maintain long-term access post-compromise. [source, source, source]
- U.S. and Canadian government threat assessments warn that such quiet access could allow rapid deployment of disruptive tools in a future conflict or invasion. [source, source, source, source, source, source]
KJ-2. The cyber actors also targeted other civilian sectors in Taiwan, affecting infrastructure more broadly and likely complicating efforts by Taipei to contain the threat.
- ESET and other cyber reports show that manufacturing, IT, and education sectors were also targeted in 2025. [source, source, source, source]
- Independent studies note that the same actor — also tracked as RedJuliett or UAT-5918 — has repeatedly attacked healthcare, telecoms, IT services, and universities in Taiwan. [source, source, source, source, source, source, source]
- ESET attribution data lists Flax Typhoon campaigns across healthcare, technology, and education. This suggests that the aim is to gain insight into Taiwan’s wider civil systems. [source, source, source, source]
- This cross-sector access allows correlation of data, as attackers can link medical details, academic affiliations, and infrastructure data, which increases the intelligence value. [source, source, source]
KJ-3. Stealthy tradecraft and long-term access suggest that Flax Typhoon is positioning itself for future options, including action during a major crisis.
- Microsoft’s analysis describes the group using minimal malware and legitimate software tools, which reduces detection risk and supports prolonged undetected access. [source, source]
- The use of webshells, SoftEther VPN, benign system utilities and proxy tools matches the profile of “quiet intrusion” campaigns aimed at persistence and credential harvesting rather than rapid disruption. [source, source]
- Cisco Talos reports that a related actor (UAT-5918) has a long pattern of targeting Taiwan’s critical infrastructure. This suggests a broader and long-term structural campaign. [source, source, source, source, source]
- Targeting that spans hospitals, universities, technology companies, and civilian agencies is consistent with a “whole-of-society” strategy, not simply data theft, a criminal ransomware operation, or a sabotage operation. [source, source, source]
- There is no public reporting of destructive outcomes linked to healthcare-sector breaches. This supports the view that the goal is access and intelligence preparation. [source, source, source]
- Persistent back-channels give the group the potential to deploy disruptive or destructive tools quickly in the future, such as during a cross-strait conflict or other major crisis. [source, source, source, source, source, source]
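The tradecraft described in KJ-3 (webshells on public-facing servers, SoftEther VPN for back-channels, legitimate tooling in place of malware) leaves few malware signatures, so defenders typically hunt for it in behaviour rather than in file hashes. The script below is an added illustration written for this brief, not code from ESET, Microsoft, Cisco Talos, or any source cited here. It applies two simple hunting heuristics to constructed sample data: a script endpoint that only ever receives POST requests with no referer and no User-Agent (operator-driven traffic rather than browser-driven forms), and SoftEther binaries running on hosts that are not approved VPN gateways. The log lines, hostnames, and IP addresses are constructed; the heuristics are assumptions for illustration, not vendor detection signatures; the SoftEther process names are the real names the product ships with.

```python
"""
Hunt for two persistence artefacts named in the brief: webshell-style traffic
on a public-facing web server, and SoftEther VPN binaries on hosts where no
VPN is expected. All log lines, hosts and addresses are constructed samples.
"""
import re
from collections import defaultdict

# Constructed Apache/IIS-style access log lines (combined log format).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2025:08:01:12 +0800] "GET /portal/login.aspx HTTP/1.1" 200 5120 "https://intranet.example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:01:15 +0800] "POST /portal/login.aspx HTTP/1.1" 302 0 "https://intranet.example.test/portal/login.aspx" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:03:14:02 +0800] "POST /uploads/img/tmp.aspx HTTP/1.1" 200 812 "-" "-"
198.51.100.23 - - [10/Mar/2025:03:14:09 +0800] "POST /uploads/img/tmp.aspx HTTP/1.1" 200 2044 "-" "-"
198.51.100.23 - - [10/Mar/2025:03:15:41 +0800] "POST /uploads/img/tmp.aspx HTTP/1.1" 200 96 "-" "-"
192.0.2.5 - - [10/Mar/2025:09:30:00 +0800] "GET /uploads/img/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Server-side script extensions a webshell would typically be dropped as.
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp", ".jspx", ".ashx")


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def flag_webshell_candidates(entries, min_posts=2):
    """
    Heuristic (an assumption of this example, not a vendor signature): a script
    endpoint that only ever receives POSTs, each with no referer and no
    User-Agent, looks operator-driven rather than browser-driven.
    Returns {path: {source ips}} for paths meeting the threshold.
    """
    post_sources = defaultdict(set)
    post_counts = defaultdict(int)
    paths_with_get = set()
    for e in entries:
        if not e["path"].lower().endswith(SCRIPT_EXT):
            continue
        if e["method"] == "GET":
            paths_with_get.add(e["path"])
        elif e["method"] == "POST" and e["referer"] == "-" and e["ua"] == "-":
            post_sources[e["path"]].add(e["ip"])
            post_counts[e["path"]] += 1
    return {p: ips for p, ips in post_sources.items()
            if p not in paths_with_get and post_counts[p] >= min_posts}


# Process names SoftEther VPN ships with (real binary names). Whether they are
# legitimate depends on the host, so the caller supplies an allowlist of hosts.
SOFTETHER_BINARIES = {"vpnserver", "vpnbridge", "vpnclient", "vpncmd"}

# Constructed process inventory: (hostname, process name).
SAMPLE_PROCESSES = [
    ("his-web-01", "w3wp.exe"),
    ("his-web-01", "vpnserver.exe"),
    ("vpn-gw-01", "vpnserver.exe"),
    ("pacs-db-02", "sqlservr.exe"),
]


def flag_unexpected_vpn_processes(processes, approved_vpn_hosts):
    """Return (host, process) pairs where a SoftEther binary runs on a host
    that is not an approved VPN gateway."""
    hits = []
    for host, proc in processes:
        base_name = proc.lower().rsplit(".", 1)[0]
        if base_name in SOFTETHER_BINARIES and host not in approved_vpn_hosts:
            hits.append((host, proc))
    return hits


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    print("webshell candidates:", flag_webshell_candidates(parsed))
    print("unexpected VPN processes:",
          flag_unexpected_vpn_processes(SAMPLE_PROCESSES, {"vpn-gw-01"}))
```

On the sample data the web heuristic flags only /uploads/img/tmp.aspx (a script under an upload directory that never receives a GET and is driven by referer-less, agent-less POSTs from one address), while the legitimate login form is ignored because browsers fetch it with GET and send a referer. The process check flags vpnserver.exe on the web server but not on the approved gateway. Both checks are starting points for triage, not verdicts: a flagged path still needs the file examined and its creation time correlated with the web server's change history, and a flagged process needs its parent, install path, and configured listeners reviewed.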
Statement on Analysis
We have moderate-to-high confidence in these key judgments. They are based on consistent reporting from respected cybersecurity organisations. The convergence of evidence, especially related to exploit chains and persistence methods, supports a reliable analytical picture. Attribution to Flax Typhoon is strong and has been repeated across independent sources.
However, important gaps remain. For example, we do not know the depth of access in each institution. We also lack information on the volume of data at risk and the speed of Taiwan’s remediation. Public sources do not show destructive actions or large-scale data theft. Therefore, there remains uncertainty regarding the true intent and potential future impact of this campaign.