🇨🇳
Volt Typhoon
APT Group
Information theft and espionage
38 zero-day CVEs
ETDA ✓
Also Known As 7 names
BRONZE SILHOUETTE
Dev-0391
Insidious Taurus
Storm-0391
UNC3236
VANGUARD PANDA
VOLTZITE
Target Countries 16
United Arab Emirates
Australia
Belgium
Canada
China
United Kingdom
India
Italy
Japan
Malaysia
Nigeria
Netherlands
Singapore
Province of China Taiwan
United States
South Africa
Sectors Targeted
Maritime and Shipbuilding
Periodical Publishers (51112)
Libraries and Archives (51912)
Other Personal Services (8129)
Portfolio Management (52392)
Industrial
Employment Placement Agencies and Executive Search Services (56131)
Data Processing, Hosting, and Related Services (51821)
Utilities
IT
Manufacturing
Justice, Public Order, and Safety Activities (9221)
Air Transportation (481)
Computer Systems Design Services (541512)
Wholesale Trade (42)
Offices of Lawyers (541110)
Newspaper Publishers (51111)
Other Amusement and Recreation Industries (7139)
Hospitals (622)
Education
Telecommunications
Grantmaking and Giving Services (8132)
Independent Artists, Writers, and Performers (7115)
Business Schools and Computer and Management Training (6114)
Computer Systems Design and Related Services (54151)
Semiconductor and Other Electronic Component Manufacturing (33441)
Internet Publishing and Broadcasting and Web Search Portals (51913)
Transportation
National Security and International Affairs (928110)
Government
Finance and Insurance (52)
Construction
Commercial Banking (52211)
Truck Transportation (484)
Investigation, Guard, and Armored Car Services (56161)
Accommodation (721)
Engineering Services (54133)
Offices of Certified Public Accountants (541211)
Public Relations Agencies (54182)
Pharmaceutical and Medicine Manufacturing (32541)
Energy
Details
Origin: 🇨🇳 CN
Last Updated: 06 Aug 2025
Malware Families 2
zhmimikatz
scanline
MITRE ATT&CK 142
T1003 - OS Credential Dumping
T1003.001
T1003.003
T1005
T1006
T1007
T1010
T1011 - Exfiltration Over Other Network Medium
T1012
T1016
T1016.001
T1018
T1020 - Automated Exfiltration
T1021 - Remote Services
T1021.001
T1027
T1027.002
T1033
T1036
T1036.004
T1036.005
T1036.008
T1040 - Network Sniffing
T1046
T1047
T1048
T1049
T1055
T1055.009
T1056
T1056.001
T1057
T1059
T1059.001 - PowerShell
T1059.003
T1059.004
T1068 - Exploitation for Privilege Escalation
T1069
T1069.001
T1069.002
T1070
T1070.001
T1070.004
T1070.007
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1074
T1074.001
T1078 - Valid Accounts
T1078.002
T1082
T1083
T1087
T1087.001
T1087.002
T1090 - Proxy
T1090.001
T1090.003
T1095
T1102 - Web Service
T1105
T1106
T1110
T1112
T1113
T1120
T1124
T1133 - External Remote Services
T1136.001
T1140 - Deobfuscate/Decode Files or Information
T1190 - Exploit Public-Facing Application
T1195
T1199
T1205.002
T1210
T1217
T1218
T1222
T1222.002
T1490
T1497
T1497.001
T1505 - Server Software Component
T1505.003
T1518
T1518.001
T1530
T1531
T1546
T1547
T1552
T1552.004
T1553
T1555
T1555.003
T1557 - Man-in-the-Middle
T1560
T1560.001
T1562
T1562.001
T1564
T1564.013
T1566.001
T1569
T1570
T1571
T1573
T1573.001
T1573.002
T1583
T1583.003
T1583.005
T1584 - Compromise Infrastructure
T1584.003
T1584.004
T1584.005
T1584.008
T1587
T1587.001
T1587.004
T1588
T1588.002
T1588.006
T1589
T1589.002
T1590
T1590.004
T1590.006
T1591
T1591.004
T1592
T1593
T1594
T1595
T1595.002
T1596
T1596.005
T1614
T1654
T1680
T1685
T1685.005
Related Zero-Days 38
CVE-2021-40539
CVE-2022-1040
CVE-2022-42475
CVE-2023-27350
CVE-2023-35708
CVE-2023-46805
CVE-2023-6549
CVE-2024-0012
CVE-2024-12356
CVE-2024-21887
CVE-2024-21893
CVE-2024-24919
CVE-2024-3400
CVE-2024-39717
CVE-2024-47575
CVE-2024-4947
CVE-2024-50302
CVE-2024-55591
CVE-2025-0282
CVE-2025-0283
CVE-2025-0994
CVE-2025-1316
CVE-2025-20362
CVE-2025-22224
CVE-2025-22225
CVE-2025-22226
CVE-2025-24201
CVE-2025-24983
CVE-2025-24984
CVE-2025-24985
CVE-2025-24991
CVE-2025-24993
CVE-2025-25256
CVE-2025-26633
CVE-2025-27363
CVE-2025-53770
CVE-2025-55182
CVE-2025-58034