HIGH · Malware
Verified
Global

Flax Typhoon IoT Botnet Resurfaces with 300,000 Compromised Devices

Thursday, March 12, 2026 at 02:00 PM UTC · Source: Lumen Black Lotus Labs / FBI

Updated: Friday, March 13, 2026 at 09:00 AM UTC

Executive Summary

Despite an FBI disruption in 2024, Flax Typhoon has rebuilt its IoT botnet to over 300,000 compromised routers, cameras, and NAS devices worldwide.

Analysis

Flax Typhoon rebuilt its botnet by exploiting vulnerabilities in SOHO routers, IP cameras, and NAS devices. The botnet serves as a proxy network for other Chinese intelligence operations, providing anonymization and relay capabilities. Lumen Black Lotus Labs identified the rebuilt infrastructure, which spans 72 countries. The FBI is coordinating with international partners on another disruption attempt.

Timeline

Discovered: Feb 15, 2026
Exploitation Detected: Feb 15, 2026
Published: Mar 12, 2026

Source Attribution

Originally published by Lumen Black Lotus Labs / FBI on Mar 12, 2026. Verified by: FBI, Lumen, CISA.
