FLORAHOX Activity · C0053 · state
🇨🇳 CN
aka FLORAHOX Activity
Last updated: 2026-07-03
About this actor
[FLORAHOX Activity](https://attack.mitre.org/campaigns/C0053) is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace. The FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like [ZIRCONIUM](https://attack.mitre.org/groups/G0128). These adversaries conduct espionage campaigns through [FLORAHOX Activity](https://attack.mitre.org/campaigns/C0053), relying on the ORB network's ability to funnel traffic through [Tor](https://attack.mitre.org/software/S0183) nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic. (Citation: ORB Mandiant)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | | | | | |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| AC-3 | 5 / 9 | 56% |
| CM-6 | 5 / 9 | 56% |
| SI-10 | 5 / 9 | 56% |
| CA-7 | 4 / 9 | 44% |
| CM-7 | 4 / 9 | 44% |
| SI-3 | 4 / 9 | 44% |
| SI-4 | 4 / 9 | 44% |
| AC-2 | 3 / 9 | 33% |
| AC-4 | 3 / 9 | 33% |
| AC-6 | 3 / 9 | 33% |
| CM-2 | 3 / 9 | 33% |
| SC-7 | 3 / 9 | 33% |
| SI-7 | 3 / 9 | 33% |
| AC-17 | 2 / 9 | 22% |
| AC-5 | 2 / 9 | 22% |
Co-occurring actors
None.
Similar actors
Similar TTPs
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00