Volt Typhoon

Also known as: VANGUARD PANDA, Bronze Silhouette, DEV-0391, Insidious Taurus, UNC3236, Redfly, Storm-0391, VOLTZITE

Status: Active | Type: Nation-State | Origin: China | MITRE: G1017
Campaigns: 0 | Techniques: 73 | IOCs: 4 | Tools: 21 | Matches: 0 | Infrastructure: 3
Overview

Volt Typhoon is a Chinese state-sponsored threat actor focused on pre-positioning for potential disruptive or destructive operations against U.S. critical infrastructure. First publicly disclosed by Microsoft in May 2023, the group has been active since at least mid-2021 and represents a significant shift in Chinese cyber operations from traditional espionage to operational preparation of the environment (OPE). The group is characterized by its exclusive use of living-off-the-land (LOTL) techniques, avoiding custom malware in favor of built-in Windows tools, legitimate network administration utilities, and compromised SOHO routers as operational relay boxes (ORBs). This approach makes detection exceptionally difficult as the activity blends with normal administrative operations. Volt Typhoon has compromised organizations across communications, energy, transportation, and water/wastewater sectors. U.S. intelligence agencies assess that the group's operations are designed to maintain persistent access to critical infrastructure networks that could be leveraged for disruptive attacks during a potential Taiwan Strait crisis.

Motivations

Pre-positioning, Critical Infrastructure Access, Strategic Deterrence

Target Sectors

Critical Infrastructure, Communications, Energy, Water/Wastewater, Transportation, Government, Defense Industrial Base, Maritime, Oil and Gas, Manufacturing, Construction, Education, Information Technology, Telecommunications, Aviation, Water and Wastewater Systems, Transportation Systems, Singapore, Australia

Activity Timeline

First Seen: Jan 2021
Last Seen: Jan 2024

Quick Facts

Origin: China
Sophistication: nation-state
Status: Active
MITRE Group: G1017

MITRE ATT&CK Techniques (73)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1059

Command and Scripting Interpreter

Abuse command-line interpreters and scripting languages to execute commands.

Other (technique IDs only)

T1218.011, T1003.003, T1016, T1049, T1057, T1090.002, T1584.008, T1112, T1090.001, T1584.004, T1027.002, T1021.004, T1069.002, T1087.002, T1560.001, T1136.001, T1136.002, T1505.003, T1550.002, T1550.003, T1021.006, T1036.004, T1053.005, T1072, T1592.002, T1588.002, T1003.002, T1070.004, T1033, T1135, T1201, T1482, T1095, T1020, T1053.002, T1071.001, T1071.004, T1098, T1114.002, T1199, T1210, T1498, T1518, T1543.003, T1562.001, T1563.002, T1036.005, T1078.001, T1119, T1187, T1505, T1556.001

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Discovery

T1046

Network Service Discovery

Scan for services running on remote hosts across the network.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1071

Application Layer Protocol

Communicate using application layer protocols like HTTP, DNS, or SMTP.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Impact

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Resource Development

T1583

Acquire Infrastructure

Purchase or rent infrastructure such as servers, domains, or cloud services for operations.

Tools & Malware (21)

PowerShell (os utility, legitimate)
Primary tool for reconnaissance and command execution. Used with encoded commands to query AD, enumerate network shares, and gather system information without deploying malware.

ntdsutil (os utility, legitimate)
Windows utility abused to create snapshots of the Active Directory database (NTDS.dit) for offline credential extraction and domain-wide access.

netsh (os utility, legitimate)
Used to configure port proxying and firewall rules on compromised systems, enabling traffic forwarding through operational relay networks.

wmic (os utility, legitimate)
Windows Management Instrumentation CLI used for remote process execution, system enumeration, and lateral movement without deploying additional tools.

certutil (os utility, legitimate)
Abused for file transfers (downloading tools from C2), Base64 encoding/decoding, and certificate manipulation on compromised systems.

ldifde (os utility, legitimate)
Active Directory utility used to export directory data for offline analysis, mapping organizational structure and identifying high-value targets.

FRP (Fast Reverse Proxy) (legitimate tool, legitimate)
Open-source reverse proxy tool used to create encrypted tunnels from compromised networks to external C2 infrastructure, often with modified binaries.

Impacket (framework, legitimate)
Python toolkit used for wmiexec remote execution, secretsdump credential extraction, and SMB relay attacks during lateral movement phases.

Mimikatz (framework, legitimate)
Deployed sparingly for credential extraction. Volt Typhoon prefers NTDS.dit offline extraction to avoid triggering LSASS memory access alerts.

Earthworm (legitimate tool, legitimate)
SOCKS5 proxy tool used to create multi-hop tunnels through compromised systems, enabling access to isolated network segments.

cmd.exe (os utility, legitimate)
Command interpreter used to chain living-off-the-land binaries, execute batch scripts for reconnaissance, and manage compromised SOHO router access.

SOHO Router Exploitation (exploit kit, malicious)
Compromises Fortinet FortiGuard, ASUS, Cisco, D-Link, Netgear, and Zyxel routers to create operational relay box (ORB) networks that proxy C2 traffic.

Nmap (legitimate tool, legitimate)
Network scanning tool used for initial reconnaissance of target infrastructure, port scanning, and service enumeration of critical infrastructure networks.

Advanced IP Scanner (legitimate tool, legitimate)
GUI-based network scanner used to map internal network topology, identify live hosts, and discover shared resources on compromised networks.

PsExec (legitimate tool, legitimate)
Sysinternals utility used for remote command execution on Windows systems. Enables lateral movement using harvested credentials.

reg.exe (os utility, legitimate)
Registry command-line tool used to query and modify registry keys for persistence, disabling security features, and extracting cached credentials.

Fast Reverse Proxy (FRP) (other, legitimate)
Legitimate reverse proxy tool abused for command and control.

ntlmrelayx (other, legitimate)
NTLM relay attack tool used for credential relay attacks.

PowerShell Empire (other, malicious)
Post-exploitation framework occasionally used for command execution.

Fast Reverse Proxy (other, legitimate)
Open-source reverse proxy tool used to establish C2 channels.

WMI (other, legitimate)
Windows Management Instrumentation used for system management and lateral movement.
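Nearly everything in the list above is a legitimate administrative binary, so detection rests on how a tool is invoked, not on whether it is present. The script below is an added example, not code from DFIRLab or any vendor, that runs a few coarse living-off-the-land rules over constructed process-creation events; the tab-separated log format, hostnames, account names and rule names are all assumptions.

```python
import re

# Coarse living-off-the-land (LOTL) rules for utilities in the tool list above.
# Each rule: (rule name, process image basename, regex over the command line).
# They are deliberately broad and will also fire on benign admin use, so treat
# hits as leads to baseline per host and account, not as verdicts.
LOTL_RULES = [
    ("ntds_snapshot", "ntdsutil.exe", re.compile(r"\bntds\b", re.I)),
    ("netsh_portproxy", "netsh.exe", re.compile(r"\bportproxy\b", re.I)),
    ("certutil_abuse", "certutil.exe", re.compile(r"-(urlcache|decode|encode)\b", re.I)),
    ("wmic_remote", "wmic.exe", re.compile(r"/node:", re.I)),
    ("encoded_powershell", "powershell.exe", re.compile(r"-e(c|nc|ncodedcommand)?\s", re.I)),
]

def parse_event(line):
    """Parse one constructed tab-separated key=value process-creation record."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))

def match_lotl(event):
    """Return the names of every rule that fires for a single event."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    return [name for name, proc, rx in LOTL_RULES if image == proc and rx.search(cmdline)]

def scan(lines):
    """Run all rules over a log; return (host, user, rule) for each hit, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in match_lotl(event):
            hits.append((event["host"], event["user"], rule))
    return hits

# Constructed sample events (not real telemetry); hosts and users are made up.
SAMPLE_LOG = [
    "host=DC01\tuser=CORP\\svc_backup\timage=C:\\Windows\\System32\\ntdsutil.exe\tcmdline=ntdsutil.exe snapshot ntds",
    "host=WS07\tuser=CORP\\jdoe\timage=C:\\Windows\\System32\\netsh.exe\tcmdline=netsh interface portproxy show all",
    "host=WS07\tuser=CORP\\jdoe\timage=C:\\Windows\\System32\\netsh.exe\tcmdline=netsh advfirewall show allprofiles",
    "host=SRV02\tuser=CORP\\admin\timage=C:\\Windows\\System32\\certutil.exe\tcmdline=certutil -decode blob.txt tool.bin",
    "host=WS07\tuser=CORP\\jdoe\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tcmdline=powershell.exe -nop -w hidden -enc AAAA",
]

if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_LOG):
        print(f"{host:6} {user:16} {rule}")
```

The third sample line (a routine firewall query) produces no hit, which is the point of matching on sub-commands rather than on the binary name alone.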

Indicators of Compromise (4)

IOC values are defanged for safety.

Type     Value                                                              Notes
ip       104[.]161[.]54[.]203                                               Compromised SOHO router used as relay infrastructure
ip       185[.]106[.]92[.]12                                                Operational relay box (ORB) infrastructure
domain   gosloede[.]com                                                     C2 domain identified in critical infrastructure targeting
hash     baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c   Modified FRP binary used for tunneling (SHA-256)
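As an added example that is not part of the DFIRLab page, the script below refangs the four IOCs from the table above, checks each against the shape its declared type requires, and matches them against constructed DNS, firewall and EDR log lines; the log format and the internal addresses are assumptions.

```python
import re

# The four IOCs from the table above, as they appear on the page (defanged).
PAGE_IOCS = [
    ("ip", "104[.]161[.]54[.]203", "Compromised SOHO router used as relay infrastructure"),
    ("ip", "185[.]106[.]92[.]12", "Operational relay box (ORB) infrastructure"),
    ("domain", "gosloede[.]com", "C2 domain identified in critical infrastructure targeting"),
    ("hash", "baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c", "Modified FRP binary used for tunneling (SHA-256)"),
]

# Shape each IOC type must have once refanged and lowercased.
SHAPES = {
    "ip": r"(?:\d{1,3}\.){3}\d{1,3}",
    "domain": r"(?:[a-z0-9-]+\.)+[a-z]{2,}",
    "hash": r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}",  # MD5 / SHA-1 / SHA-256
}

def refang(value):
    """Undo common defanging: [.] / (dot) / {.} -> '.', hxxp -> http."""
    return re.sub(r"\[\.\]|\(dot\)|\{\.\}", ".", value).replace("hxxp", "http")

def build_index(iocs):
    """Refang and validate every IOC; map lowercased value -> (type, notes)."""
    index = {}
    for ioc_type, defanged, notes in iocs:
        value = refang(defanged).lower()
        if not re.fullmatch(SHAPES[ioc_type], value):
            raise ValueError(f"{defanged!r} is not a well-formed {ioc_type}")
        index[value] = (ioc_type, notes)
    return index

# Candidate IPs, hostnames and hashes in a log line. The closing class drops a
# trailing dot, so a DNS-style 'gosloede.com.' still matches the indexed value.
TOKEN_RX = re.compile(r"[0-9a-z][0-9a-z.\-]*[0-9a-z]")

def match_log(index, lines):
    """Return (line number, value, type, notes) for every IOC seen in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RX.findall(line.lower()):
            if tok in index:
                hits.append((n, tok) + index[tok])
    return hits

# Constructed log lines (not real telemetry); internal addresses are RFC 1918 / TEST-NET.
SAMPLE_LOG = [
    "2026-04-02T10:14:03Z dns client=10.0.5.17 qname=gosloede.com. qtype=A",
    "2026-04-02T10:14:05Z fw allow src=10.0.5.17 dst=185.106.92.12 dport=443",
    "2026-04-02T10:15:41Z fw allow src=10.0.5.17 dst=203.0.113.5 dport=443",
    "2026-04-02T10:20:00Z edr file_create path=C:\\ProgramData\\svc.exe sha256=BAEFFEB5FDEF2F42A752C65C2D2A52E84FB57EFC906D981F89DD518C314E231C",
]
```

Running `match_log(build_index(PAGE_IOCS), SAMPLE_LOG)` flags lines 1, 2 and 4; the hash hit works despite the upper-case EDR output because both sides are lowercased before comparison.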

Infrastructure (3)

Domain values are defanged for safety.

Domain / Host           Type   Status    Last Checked   Notes
104[.]161[.]54[.]203    ip     offline   Apr 2, 2026    Compromised SOHO router used as relay infrastructure
185[.]106[.]92[.]12     ip     offline   Apr 2, 2026    Operational relay box (ORB) infrastructure
gosloede[.]com          c2     offline   Apr 2, 2026    C2 domain identified in critical infrastructure targeting

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (27)

Microsoft - Volt Typhoon targets US critical infrastructure

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

CISA - PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

CrowdStrike - VANGUARD PANDA

https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/

Dragos 2026 OT/ICS Cybersecurity Year in Review - VOLTZITE Elevated to Stage 2

https://www.dragos.com/resources/press-release/dragos-2026-year-in-review-new-ot-threats-ransomware

Volt Typhoon Maintained Access to Massachusetts Utility for 10 Months - The Record

https://therecord.media/volt-typhoon-hackers-utility-months

Microsoft Threat Intelligence - Volt Typhoon Targets US Critical Infrastructure

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques

Dragos: Researchers Warn Volt Typhoon Still Embedded in US Utilities - The Record

https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure

CISA Cybersecurity Advisory - PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

NSA/FBI Joint Cybersecurity Advisory - People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Secureworks - Bronze Silhouette Targets US Critical Infrastructure

https://www.secureworks.com/research/bronze-silhouette-targets-us-critical-infrastructure

Volt Typhoon - MITRE ATT&CK Group Profile

https://attack.mitre.org/groups/G1017/

Volt Typhoon: Analyzing Windows Proxy Logon Attack Targeting Hybrid Identity

https://www.sentinelone.com/labs/volt-typhoon-analyzing-windows-proxy-logon-attack-targeting-hybrid-identity/

Assessing Volt Typhoon's Capabilities and Operations

https://www.secureworks.com/blog/assessing-volt-typhoons-capabilities-and-operations

NCSC-NL Advisory: Volt Typhoon

https://www.ncsc.nl/actueel/advisory?id=NCSC-2024-0038

FBI and Partners Issue Advisory on Volt Typhoon Activity

https://www.fbi.gov/news/press-releases/fbi-and-partners-issue-advisory-on-volt-typhoon-activity

Secureworks: Volt Typhoon Exploits Zero-Day Vulnerability

https://www.secureworks.com/blog/volt-typhoon-exploits-zero-day-vulnerability

BlackLotus campaign: Analyzing the technical tactics of Volt Typhoon

https://www.secureworks.com/research/bronze-silhouette

Assessing the Tradecraft and Impact of the Volt Typhoon Intrusions

https://www.mandiant.com/resources/blog/volt-typhoon-tradecraft-us-critical-infrastructure

Singapore Names UNC3886 APT Targeting Critical Infrastructure - July 2025

https://en.wikipedia.org/wiki/Volt_Typhoon

Australia Warns of Volt Typhoon Infrastructure Targeting - November 2025

https://en.wikipedia.org/wiki/Volt_Typhoon

FBI KV Botnet Disruption - January 2024

https://therecord.media/china-run-botnet-takedown-fbi-doj-routers

Volt Typhoon Rebuilds KV Botnet After FBI Takedown - November 2024

https://www.bleepingcomputer.com/news/security/volt-typhoon-rebuilds-malware-botnet-following-fbi-disruption

NSA/FBI Joint Cybersecurity Advisory on Volt Typhoon

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/joint_csa_protecting_against_prc_state_sponsored_cyber_activity.pdf

Black Lotus Labs: Volt Typhoon RCE Exploit Infrastructure Analysis

https://blog.lumen.com/volt-typhoon-rce-exploit-infrastructure/

Secureworks: Volt Typhoon Targets Critical Infrastructure

https://www.secureworks.com/blog/volt-typhoon-targets-critical-infrastructure

FBI Director Wray testimony on Volt Typhoon targeting critical infrastructure

https://www.fbi.gov/news/speeches/countering-threats-posed-by-the-chinese-government-inside-the-us-wray-013124

Secureworks: VOLTZITE Threat Profile

https://www.secureworks.com/research/threat-profiles/bronze-silhouette