MITRE ATT&CK® Campaign

C0053: FLORAHOX Activity

FLORAHOX Activity is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace.

The FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like ZIRCONIUM. These adversaries conduct espionage campaigns through FLORAHOX Activity, relying on the ORB network's ability to funnel traffic through Tor nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic.[1]

Enterprise | C0053 | Campaign | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

FLORAHOX Activity matters because it describes adversary use of a hybrid relay infrastructure made from compromised routers/IoT devices, leased VPS infrastructure, and Tor to hide where malicious traffic is really coming from. For leaders, the decision point is not just “block bad IPs”; this behavior makes IP-based attribution and static deny lists less reliable, increasing the need for resilient logging, internet-facing asset governance, and incident response processes that can work with uncertain source infrastructure.

Executive priority

Treat this as a resilience and investigation-readiness issue. The ATT&CK context links FLORAHOX Activity to espionage use by multiple threat actors, including China-nexus actors such as ZIRCONIUM, but the supplied object does not establish current targeting of any specific organization. Security leaders should ask whether public-facing applications, network devices, and cloud/VPS-origin traffic are monitored well enough to distinguish normal business access from proxy-obfuscated activity, and whether incident teams can preserve evidence beyond source IP reputation.

Technical view

SOC and IR teams should validate coverage around the related behaviors: exploitation of public-facing applications, command and scripting interpreter activity including Unix shell use, multi-hop proxy command-and-control, adversary-leased VPS infrastructure, compromised network devices, and Tor. Because the campaign object has no ATT&CK detection text and no campaign-level platforms, detections should be built from local exposure and relationship context rather than assuming one platform scope. Prioritize correlation between internet-facing service events, shell/process execution on exposed systems where available, unusual inbound or outbound connections through anonymization/proxy infrastructure, and network-device management or traffic anomalies.

Likely telemetry

  • Firewall, secure web gateway, proxy, DNS, and NetFlow records showing inbound and outbound connections to Tor, VPS, or relay-like infrastructure
  • Web server, application, WAF, and load balancer logs for public-facing applications
  • EDR, process, command-line, and shell history telemetry on Linux, macOS, ESXi, or other systems where Unix shell activity is relevant
  • Network device logs, management-plane access records, configuration change logs, and firmware/version inventory for routers and IoT devices
  • Cloud and IaaS flow logs or access logs where externally hosted services or VPS-origin traffic interact with enterprise assets

Detection direction

  • Do not rely solely on source IP reputation; multi-hop proxy and ORB infrastructure can make the visible last hop misleading.
  • Correlate public-facing exploitation signals with follow-on command or shell execution and unusual outbound network paths.
  • Tune Tor and VPS detections carefully because both can have legitimate business, research, privacy, or third-party service use cases.
  • Validate whether network devices and IoT assets produce usable logs; these are common blind spots when compromised infrastructure is used as relay infrastructure.
  • Use time-based and behavior-based clustering around sessions, user agents, request patterns, authentication attempts, and command execution rather than treating each IP as an isolated indicator.
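The correlation described in the Technical view and the clustering advice in the list above can be shown concretely. The following Python script is an added illustration written for this page; it is not Glexia or MITRE code. It parses a handful of constructed combined-format web-server log lines, groups requests by a behavioural fingerprint (method, path, user agent) instead of by source IP, flags fingerprints that arrive from several unrelated IPs inside a short window (the pattern a relay network leaves when only the last hop is visible), and then checks whether the web server made an outbound connection to relay-like infrastructure shortly after the first successful request. The relay list, the approved-exception list (the tuning step for legitimate Tor/VPS use), the server address 10.0.0.5 and all IPs and timestamps are constructed sample data, not indicators from the campaign.

```python
"""Behaviour-based clustering of web requests across source IPs, correlated
with outbound flows. Added example for this page; all data below is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Apache/Nginx combined-format access log. One behaviour (POST to the
# login API with an identical user agent) arrives from four unrelated IPs in a
# few minutes; the last two lines are ordinary browsing from a single client.
ACCESS_LOG = """\
203.0.113.10 - - [22/May/2024:10:01:02 +0000] "POST /api/v1/login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 Gecko/20100101 Firefox/115.0"
198.51.100.7 - - [22/May/2024:10:01:45 +0000] "POST /api/v1/login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 Gecko/20100101 Firefox/115.0"
192.0.2.55 - - [22/May/2024:10:02:30 +0000] "POST /api/v1/login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 Gecko/20100101 Firefox/115.0"
203.0.113.77 - - [22/May/2024:10:03:10 +0000] "POST /api/v1/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 Gecko/20100101 Firefox/115.0"
198.51.100.20 - - [22/May/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
198.51.100.20 - - [22/May/2024:10:05:02 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""

# Constructed NetFlow-style records of outbound connections from the web server
# (assumed address 10.0.0.5): (timestamp, destination, destination port).
FLOWS = [
    ("22/May/2024:10:03:40 +0000", "192.0.2.200", 443),
    ("22/May/2024:10:04:05 +0000", "198.51.100.99", 9001),
    ("22/May/2024:11:30:00 +0000", "203.0.113.5", 443),
]
# Constructed lists: addresses the team treats as relay/anonymization
# infrastructure, and addresses covered by an approved business exception.
RELAY_LIKE = {"198.51.100.99", "203.0.113.5"}
APPROVED_EXCEPTIONS = {"203.0.113.5"}

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def fingerprint(ev):
    """Behavioural key that ignores the source IP entirely."""
    return (ev["method"], ev["path"], ev["ua"])


def cluster_by_behaviour(events, window=timedelta(minutes=10), min_ips=3):
    """Return {fingerprint: sorted source IPs} for fingerprints seen from at least
    min_ips distinct IPs inside any sliding time window of the given length."""
    by_fp = defaultdict(list)
    for ev in events:
        by_fp[fingerprint(ev)].append(ev)
    clusters = {}
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e["ts"])
        in_window, left = Counter(), 0
        for right, ev in enumerate(evs):
            in_window[ev["ip"]] += 1
            # Slide the left edge forward until the window fits.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                in_window[evs[left]["ip"]] -= 1
                if in_window[evs[left]["ip"]] == 0:
                    del in_window[evs[left]["ip"]]
                left += 1
            if len(in_window) >= min_ips:
                clusters[fp] = sorted({e["ip"] for e in evs})
                break
    return clusters


def correlate_outbound(clusters, events, flows, relay_like, approved,
                       lookahead=timedelta(minutes=15)):
    """For each clustered fingerprint, take its first successful (2xx) request and
    report outbound flows to relay-like, non-approved destinations soon afterwards."""
    findings = []
    for fp, ips in clusters.items():
        successes = [e["ts"] for e in events
                     if fingerprint(e) == fp and 200 <= e["status"] < 300]
        if not successes:
            continue
        t0 = min(successes)
        for ts, dst, dport in flows:
            t = datetime.strptime(ts, TS_FMT)
            if dst in relay_like and dst not in approved and t0 <= t <= t0 + lookahead:
                findings.append({"fingerprint": fp, "source_ips": ips,
                                 "first_success": t0, "outbound": (dst, dport),
                                 "flow_time": t})
    return findings


if __name__ == "__main__":
    evs = parse_access_log(ACCESS_LOG)
    clusters = cluster_by_behaviour(evs)
    for fp, ips in clusters.items():
        print("fingerprint", fp, "seen from", len(ips), "IPs:", ips)
    for f in correlate_outbound(clusters, evs, FLOWS, RELAY_LIKE, APPROVED_EXCEPTIONS):
        print("follow-on outbound", f["outbound"], "at", f["flow_time"].isoformat())
```

The window length, the minimum number of distinct IPs and the look-ahead are the knobs a SOC would tune per application; raising the IP threshold reduces noise from shared NAT egress, while the approved-exception set is where documented business, research or third-party Tor/VPS use is recorded so it does not surface as a finding.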

Mitigation priorities

  • Maintain a current inventory of internet-facing applications, routers, IoT devices, and network management interfaces.
  • Prioritize remediation or replacement of end-of-life routers and IoT devices, especially where externally reachable or poorly monitored.
  • Harden and patch public-facing applications and restrict exposed management protocols to approved administrative paths.
  • Define policy and monitoring expectations for Tor and anonymization services, balancing business exceptions with investigation needs.
  • Ensure incident response playbooks preserve application, network, DNS, proxy, and endpoint evidence so investigations are not blocked when source infrastructure is proxied or rapidly changing.

Analyst notes and limits

The most important defensive lesson is that FLORAHOX Activity raises the cost of tracing and blocking malicious traffic. For Glexia-style readiness assessments, this object is useful for testing whether a security program can investigate behavior when source IPs are unreliable, whether network devices are governed as security-relevant assets, and whether public-facing application telemetry connects cleanly to endpoint and network evidence.

The official ATT&CK object does not provide detection guidance, campaign-level tactics, or campaign-level platforms. The technical direction above is derived only from the supplied description, external reference summary, and listed relationships to Tor, public-facing application exploitation, command and scripting interpreters, Unix shell, multi-hop proxy, VPS use, and compromised network devices. Local environment data is required to determine actual exposure, priority, and detection coverage.

Official MITRE ATT&CK definition

FLORAHOX Activity

FLORAHOX Activity is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace.

The FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like ZIRCONIUM. These adversaries conduct espionage campaigns through FLORAHOX Activity, relying on the ORB network's ability to funnel traffic through Tor nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                                              Relationship / procedure
Enterprise  T1584.008  Network Devices (sub-technique)
    FLORAHOX Activity has compromised network routers and IoT devices for the ORB network. [1]
Enterprise  T1583.003  Virtual Private Server (sub-technique)
    FLORAHOX Activity has used acquired Virtual Private Servers as control systems for the ORB network. [1]
Enterprise  T1059.004  Unix Shell (sub-technique)
    FLORAHOX Activity has executed multiple Bash controller scripts to provide command line inputs for FLORAHOX traversal configurations. [1]
Enterprise  T1090.003  Multi-hop Proxy (sub-technique)
    FLORAHOX Activity has routed traffic through a customized Tor relay network layer. [1]
Enterprise  T1059     Command and Scripting Interpreter
    FLORAHOX Activity has executed PHP and Shell scripts to identify and infect subsequent routers for the ORB network. [1]
Enterprise  T1190     Exploit Public-Facing Application
    FLORAHOX Activity has exploited and infected vulnerable routers to recruit additional network devices into the ORB. [1]

Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0183: Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

Platforms: Linux, Windows, macOS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5bf5c95be43aee2e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  5bf5c95be43a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ORB Mandiant: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  2. [2] mitre-attack C0053

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.