1. Home
  2. Campaigns
  3. FLORAHOX Activity

FLORAHOX Activity

FLORAHOX Activity is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace.

The FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like ZIRCONIUM. These adversaries conduct espionage campaigns through FLORAHOX Activity, relying on the ORB network's ability to funnel traffic through Tor nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic.[1]

ID: C0053
First Seen:  January 2019 [1]
Last Seen:  May 2024 [1]
Version: 1.0
Created: 25 March 2025
Last Modified: 27 March 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

FLORAHOX Activity has used acquired Virtual Private Servers as control systems for the ORB network.[1]
Enterprise T1059 Command and Scripting Interpreter

FLORAHOX Activity has executed PHP and Shell scripts to identify and infect subsequent routers for the ORB network.[1]
.004 Unix Shell

FLORAHOX Activity has executed multiple Bash controller scripts to provide command line inputs for FLORAHOX traversal configurations.[1]
Enterprise T1584 .008 Compromise Infrastructure: Network Devices

FLORAHOX Activity has compromised network routers and IoT devices for the ORB network.[1]
Enterprise T1190 Exploit Public-Facing Application

FLORAHOX Activity has exploited and infected vulnerable routers to recruit additional network devices into the ORB.[1]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

FLORAHOX Activity has routed traffic through a customized Tor relay network layer.[1]

Software

ID Name Description
S0183 Tor

FLORAHOX Activity has routed traffic through a customized Tor relay network layer.[1]

References

  1. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.