
Windows SoftEther VPN Masquerading as Legitimate Binary

Splunk Security Content

Summary
Detects Windows endpoint activity where Flax Typhoon actors use SoftEther VPN to masquerade as legitimate binaries. The rule flags SoftEther VPN binaries running under common legitimate process names (for example conhost.exe or dllhost.exe) or with an OriginalFileName matching vpnbridge*.exe, which indicates an attempt to hide malicious activity. It correlates Sysmon EventID 1 process-creation data with binary metadata such as Company and OriginalFileName, filtering for a Company value containing SoftEther or an OriginalFileName matching vpnbridge*.exe. The search aggregates results by Computer, EventID, process, and user to compute first- and last-seen times, and surfaces an alert with context such as process and parent-process information, timestamps, and binary metadata. The detection relies on endpoint telemetry ingested via EDR agents and requires data mapped to the Endpoint.Processes data model and normalized with the Splunk CIM. It is intended to identify Masquerading (MITRE T1036) and related technique activity (e.g., VPN/Protocol Tunneling). False positives include legitimate SoftEther VPN usage; maintain an allowlist of approved VPN deployments to reduce noise. References include public reporting on Flax Typhoon abusing legitimate software to hide activity.
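The following is an added, stand-alone Python reconstruction of the detection logic described above, not the Splunk search itself and not code from Splunk Security Content. It runs the same filter (Company contains SoftEther, or OriginalFileName matches vpnbridge*.exe) over a handful of constructed Sysmon EventID 1 records, aggregates matches by Computer, EventID, process (taken here as the command line, an assumption) and user to compute first/last seen, and applies the allowlist of approved VPN deployments the summary recommends for tuning. Field names follow Sysmon EventData naming; the hostnames, paths and users in the sample events are invented.

```python
from datetime import datetime
from fnmatch import fnmatch
import ntpath

# Constructed Sysmon EventID 1 (process creation) records, not real telemetry.
# Company / OriginalFileName come from the PE version resource of the launched
# image, so a renamed SoftEther binary still carries its original metadata.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-04-13 09:00:01.000", "Computer": "ws01.corp.example", "EventID": 1,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\System32\conhost.exe 0x4", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Company": "Microsoft Corporation", "OriginalFileName": "CONHOST.EXE"},
    {"UtcTime": "2026-04-13 09:05:10.000", "Computer": "ws01.corp.example", "EventID": 1,
     "Image": r"C:\ProgramData\Tmp\conhost.exe",
     "CommandLine": r"C:\ProgramData\Tmp\conhost.exe /start", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Company": "SoftEther VPN Project", "OriginalFileName": "vpnbridge.exe"},
    {"UtcTime": "2026-04-13 09:35:42.000", "Computer": "ws01.corp.example", "EventID": 1,
     "Image": r"C:\ProgramData\Tmp\conhost.exe",
     "CommandLine": r"C:\ProgramData\Tmp\conhost.exe /start", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Company": "SoftEther VPN Project", "OriginalFileName": "vpnbridge.exe"},
    {"UtcTime": "2026-04-13 10:12:00.000", "Computer": "ws02.corp.example", "EventID": 1,
     "Image": r"C:\Users\bob\AppData\Local\dllhost.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\dllhost.exe", "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Company": "SoftEther Corporation", "OriginalFileName": "vpnclient.exe"},
    {"UtcTime": "2026-04-13 08:30:00.000", "Computer": "vpn-gw01.corp.example", "EventID": 1,
     "Image": r"C:\Program Files\SoftEther VPN Server\vpnserver.exe",
     "CommandLine": r"C:\Program Files\SoftEther VPN Server\vpnserver.exe /execsvc",
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Company": "SoftEther VPN Project", "OriginalFileName": "vpnserver.exe"},
    {"UtcTime": "2026-04-13 10:13:00.000", "Computer": "ws02.corp.example", "EventID": 1,
     "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{guid}", "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Company": "Microsoft Corporation", "OriginalFileName": "dllhost.exe"},
]

# Approved VPN deployments as (computer, image path), both lower-cased. Hypothetical
# values; in practice this comes from an asset inventory or a Splunk lookup.
APPROVED_VPN_DEPLOYMENTS = frozenset({
    ("vpn-gw01.corp.example", r"c:\program files\softether vpn server\vpnserver.exe"),
})


def is_softether_vpn_binary(event):
    """Mirror the search filter: Company contains SoftEther, or
    OriginalFileName matches vpnbridge*.exe (both case-insensitive)."""
    company = (event.get("Company") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return "softether" in company or fnmatch(original, "vpnbridge*.exe")


def detect(events, allowlist=frozenset()):
    """Return one alert per (Computer, EventID, process, user) group with
    first/last seen, hit count and the process/parent/binary context."""
    groups = {}
    for ev in events:
        if not is_softether_vpn_binary(ev):
            continue
        if (ev["Computer"].lower(), ev["Image"].lower()) in allowlist:
            continue  # approved deployment, suppress to reduce noise
        key = (ev["Computer"], ev["EventID"], ev["CommandLine"], ev["User"])
        seen = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        alert = groups.setdefault(key, {
            "Computer": ev["Computer"], "EventID": ev["EventID"],
            "process": ev["CommandLine"],
            "process_name": ntpath.basename(ev["Image"]),  # the masquerade name
            "user": ev["User"],
            "parent_process": ntpath.basename(ev["ParentImage"]),
            "Company": ev["Company"], "OriginalFileName": ev["OriginalFileName"],
            "first_seen": seen, "last_seen": seen, "count": 0,
        })
        alert["first_seen"] = min(alert["first_seen"], seen)
        alert["last_seen"] = max(alert["last_seen"], seen)
        alert["count"] += 1
    return sorted(groups.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, APPROVED_VPN_DEPLOYMENTS):
        print(f'{a["Computer"]} {a["user"]} {a["process_name"]} '
              f'(OriginalFileName={a["OriginalFileName"]}, Company={a["Company"]}) '
              f'parent={a["parent_process"]} x{a["count"]} '
              f'{a["first_seen"]} .. {a["last_seen"]}')
```

The Company check deliberately catches the dllhost.exe event whose OriginalFileName is vpnclient.exe rather than vpnbridge.exe, which is why the search keys on vendor metadata and not only on the process name; the allowlist is keyed on host plus image path so an approved gateway does not blanket-approve every SoftEther binary on the estate.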
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Script
  • Image
  • Command
  • Module
  • Kernel
  • Driver
  • File
  • Logon Session
  • Service
  • WMI
  • Application Log
  • Sensor Health
  • Network Traffic
  • Network Share
  • Domain Name
  • Instance
  • Pod
  • Container
  • Cloud Service
  • Cloud Storage
  • Firmware
  • Scheduled Job
  • Volume
  • Drive
  • Snapshot
  • Malware Repository
  • Active Directory
  • Group
  • User Account
  • Named Pipe
  • Certificate
  • Web Credential
  • Internet Scan
  • Persona
ATT&CK Techniques
  • T1036
  • T1572
Created: 2026-04-13