Cyber Resilience

Campaign · all campaigns

FLORAHOX ActivityC0053 state

🇨🇳 CN

aka FLORAHOX Activity

Last updated: 2026-07-03

0attributed CVEs
9ATT&CK techniques
0.0IDF score (tooling uniqueness)
0exclusive CVEs
years active

About this actor

[FLORAHOX Activity](https://attack.mitre.org/campaigns/C0053) is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace. The FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like [ZIRCONIUM](https://attack.mitre.org/groups/G0128). These adversaries conduct espionage campaigns through [FLORAHOX Activity](https://attack.mitre.org/campaigns/C0053), relying on the ORB network's ability to funnel traffic through [Tor](https://attack.mitre.org/software/S0183) nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic.(Citation: ORB Mandiant)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVERiskCVSSEPSSPublishedProducts
No attributed CVEs.

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
AC-35 / 956%
CM-65 / 956%
SI-105 / 956%
CA-74 / 944%
CM-74 / 944%
SI-34 / 944%
SI-44 / 944%
AC-23 / 933%
AC-43 / 933%
AC-63 / 933%
CM-23 / 933%
SC-73 / 933%
SI-73 / 933%
AC-172 / 922%
AC-52 / 922%

Co-occurring actors

None.

Similar actors

Same nation-state