Introduction
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in its operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials. [10][13][14][11]
Activities and Tactics
Country of Origin: 🇨🇳 China
Notable Campaigns
- Versa Director Zero Day Exploitation (C0039): Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, the exploitation focused on capturing credentials from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to the service providers' clients. [Versa Director Zero Day Exploit]
- KV Botnet Activity (C0035): KV Botnet Activity consisted of exploitation of primarily end-of-life small office/home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. Volt Typhoon used the KV Botnet to obfuscate its connectivity to victims in multiple critical infrastructure segments, including energy and telecommunications companies and entities based in the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster
Tactics, Techniques, and Procedures (TTPs)
- T1046 Network Service Discovery
- T1083 File and Directory Discovery
- T1591.004 Identify Roles
- T1057 Process Discovery
- T1021.001 Remote Desktop Protocol
- T1584.004 Server
- T1090 Proxy
- T1518 Software Discovery
- T1078 Valid Accounts
- T1584.008 Network Devices
- T1056.001 Keylogging
- T1036.005 Match Legitimate Resource Name or Location
- T1036.008 Masquerade File Type
- T1059.003 Windows Command Shell
- T1190 Exploit Public-Facing Application
- T1555 Credentials from Password Stores
- T1074 Data Staged
- T1590 Gather Victim Network Information
- T1560.001 Archive via Utility
- T1124 System Time Discovery
- T1069.002 Domain Groups
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1047 Windows Management Instrumentation
- T1133 External Remote Services
- T1140 Deobfuscate/Decode Files or Information
- T1570 Lateral Tool Transfer
- T1593 Search Open Websites/Domains
- T1680 Local Storage Discovery
- T1589.002 Email Addresses
- T1497.001 System Checks
- T1003.003 NTDS
- T1027.002 Software Packing
- T1573.001 Symmetric Cryptography
- T1003.001 LSASS Memory
- T1685.005 Clear Windows Event Logs
- T1584.005 Botnet
- T1592 Gather Victim Host Information
- T1049 System Network Connections Discovery
- T1087.001 Local Account
- T1217 Browser Information Discovery
- T1059.001 PowerShell
- T1654 Log Enumeration
- T1068 Exploitation for Privilege Escalation
- T1113 Screen Capture
- T1090.001 Internal Proxy
- T1587.004 Exploits
- T1090.003 Multi-hop Proxy
- T1594 Search Victim-Owned Websites
- T1033 System Owner/User Discovery
- T1112 Modify Registry
- T1505.003 Web Shell
- T1218 System Binary Proxy Execution
- T1059.004 Unix Shell
- T1007 System Service Discovery
- T1069 Permission Groups Discovery
- T1584.003 Virtual Private Server
- T1555.003 Credentials from Web Browsers
- T1591 Gather Victim Org Information
- T1590.004 Network Topology
- T1010 Application Window Discovery
- T1069.001 Local Groups
- T1120 Peripheral Device Discovery
- T1070.004 File Deletion
- T1588.006 Vulnerabilities
- T1105 Ingress Tool Transfer
- T1552 Unsecured Credentials
- T1078.002 Domain Accounts
- T1005 Data from Local System
- T1006 Direct Volume Access
- T1012 Query Registry
- T1589 Gather Victim Identity Information
- T1588.002 Tool
- T1596.005 Scan Databases
- T1087.002 Domain Account
- T1614 System Location Discovery
- T1070.007 Clear Network Connection History and Configurations
- T1016.001 Internet Connection Discovery
- T1552.004 Private Keys
- T1074.001 Local Data Staging
- T1590.006 Network Security Appliances
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- China Chopper
- UNITEDRAKE
- Mimikatz
- ProcDump
- Nbtscan
- SparrowDoor
- KV-Botnet
- KV
- JDY
MITRE ATT&CK Software
- netsh (S0108): tool
- PsExec (S0029): tool
- ipconfig (S0100): tool
- Wevtutil (S0645): tool
- VersaMem (S1154): malware
- Tasklist (S0057): tool
- Mimikatz (S0002): tool
- Ping (S0097): tool
- Impacket (S0357): tool
- Systeminfo (S0096): tool
- netstat (S0104): tool
- Nltest (S0359): tool
- certutil (S0160): tool
- Reg (S0075): tool
- FRP (S1144): tool
- cmd (S0106): tool
- Net (S0039): tool
Attribution and Evidence
Country of Origin: China. Additional attribution information pending cataloguing.
References
[1] mitre-attack
[2] Cloudflare 2026 Threat Report New Threat Actors March 2026. Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
[10] CISA AA24-038A PRC Critical Infrastructure February 2024. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
[11] Secureworks BRONZE SILHOUETTE May 2023. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
[12] Dragos 2025 Year in Review. Dragos. (2026, February). 9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT. Retrieved April 26, 2026.
[13] Microsoft Volt Typhoon May 2023. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
[14] Joint Cybersecurity Advisory Volt Typhoon June 2023. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
[15] DOJ KVBotnet 2024. US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.