Threat Actor Profile
High APT
Description

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in its operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023)

Confidence Score
90%
Known Aliases
Volt Typhoon BRONZE SILHOUETTE Vanguard Panda DEV-0391 UNC3236 Voltzite Insidious Taurus
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (81)
Technique | Tactic
T1005 - Data from Local System | Collection
T1056.001 - Keylogging | Collection
T1074 - Data Staged | Collection
T1074.001 - Local Data Staging | Collection
T1113 - Screen Capture | Collection
T1560.001 - Archive via Utility | Collection
T1090 - Proxy | Command and Control
T1090.001 - Internal Proxy | Command and Control
T1090.003 - Multi-hop Proxy | Command and Control
T1105 - Ingress Tool Transfer | Command and Control
T1573.001 - Symmetric Cryptography | Command and Control
T1003.001 - LSASS Memory | Credential Access
T1003.003 - NTDS | Credential Access
T1552 - Unsecured Credentials | Credential Access
T1552.004 - Private Keys | Credential Access
T1555 - Credentials from Password Stores | Credential Access
T1555.003 - Credentials from Web Browsers | Credential Access
T1006 - Direct Volume Access | Defense Evasion
T1027.002 - Software Packing | Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat… | Defense Evasion
T1036.008 - Masquerade File Type | Defense Evasion
T1070.001 - Clear Windows Event Logs | Defense Evasion
T1070.004 - File Deletion | Defense Evasion
T1070.007 - Clear Network Connection History and Co… | Defense Evasion
T1078 - Valid Accounts | Defense Evasion
T1078.002 - Domain Accounts | Defense Evasion
T1112 - Modify Registry | Defense Evasion
T1140 - Deobfuscate/Decode Files or Information | Defense Evasion
T1218 - System Binary Proxy Execution | Defense Evasion
T1497.001 - System Checks | Defense Evasion
T1007 - System Service Discovery | Discovery
T1010 - Application Window Discovery | Discovery
T1012 - Query Registry | Discovery
T1016 - System Network Configuration Discovery | Discovery
T1016.001 - Internet Connection Discovery | Discovery
T1018 - Remote System Discovery | Discovery
T1033 - System Owner/User Discovery | Discovery
T1046 - Network Service Discovery | Discovery
T1049 - System Network Connections Discovery | Discovery
T1057 - Process Discovery | Discovery
T1069 - Permission Groups Discovery | Discovery
T1069.001 - Local Groups | Discovery
T1069.002 - Domain Groups | Discovery
T1083 - File and Directory Discovery | Discovery
T1087.001 - Local Account | Discovery
T1087.002 - Domain Account | Discovery
T1120 - Peripheral Device Discovery | Discovery
T1124 - System Time Discovery | Discovery
T1217 - Browser Information Discovery | Discovery
T1518 - Software Discovery | Discovery
T1614 - System Location Discovery | Discovery
T1654 - Log Enumeration | Discovery
T1680 - Local Storage Discovery | Discovery
T1047 - Windows Management Instrumentation | Execution
T1059.001 - PowerShell | Execution
T1059.003 - Windows Command Shell | Execution
T1059.004 - Unix Shell | Execution
T1190 - Exploit Public-Facing Application | Initial Access
T1021.001 - Remote Desktop Protocol | Lateral Movement
T1570 - Lateral Tool Transfer | Lateral Movement
T1133 - External Remote Services | Persistence
T1505.003 - Web Shell | Persistence
T1068 - Exploitation for Privilege Escalation | Privilege Escalation
T1589 - Gather Victim Identity Information | Reconnaissance
T1589.002 - Email Addresses | Reconnaissance
T1590 - Gather Victim Network Information | Reconnaissance
T1590.004 - Network Topology | Reconnaissance
T1590.006 - Network Security Appliances | Reconnaissance
T1591 - Gather Victim Org Information | Reconnaissance
T1591.004 - Identify Roles | Reconnaissance
T1592 - Gather Victim Host Information | Reconnaissance
T1593 - Search Open Websites/Domains | Reconnaissance
T1594 - Search Victim-Owned Websites | Reconnaissance
T1596.005 - Scan Databases | Reconnaissance
T1584.003 - Virtual Private Server | Resource Development
T1584.004 - Server | Resource Development
T1584.005 - Botnet | Resource Development
T1584.008 - Network Devices | Resource Development
T1587.004 - Exploits | Resource Development
T1588.002 - Tool | Resource Development
T1588.006 - Vulnerabilities | Resource Development
STIX Data
{'aliases': ['Volt Typhoon',
             'BRONZE SILHOUETTE',
             'Vanguard Panda',
             'DEV-0391',
             'UNC3236',
             'Voltzite',
             'Insidious Taurus'],
 'created': '2023-07-27T20:35:46.206Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a '
                "People's Republic of China (PRC) state-sponsored actor that "
                'has been active since at least 2021 primarily targeting '
                'critical infrastructure organizations in the US and its '
                'territories including Guam. [Volt '
                "Typhoon](https://attack.mitre.org/groups/G1017)'s targeting "
                'and pattern of behavior have been assessed as pre-positioning '
                'to enable lateral movement to operational technology (OT) '
                'assets for potential destructive or disruptive attacks. [Volt '
                'Typhoon](https://attack.mitre.org/groups/G1017) has '
                'emphasized stealth in operations using web shells, '
                'living-off-the-land (LOTL) binaries, hands on keyboard '
                'activities, and stolen credentials.(Citation: CISA AA24-038A '
                'PRC Critical Infrastructure February 2024)(Citation: '
                'Microsoft Volt Typhoon May 2023)(Citation: Joint '
                'Cybersecurity Advisory Volt Typhoon June 2023)(Citation: '
                'Secureworks BRONZE SILHOUETTE May 2023)',
 'external_references': [{'external_id': 'G1017',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1017'},
                         {'description': '(Citation: CISA AA24-038A PRC '
                                         'Critical Infrastructure February '
                                         '2024)',
                          'source_name': 'Vanguard Panda'},
                         {'description': '(Citation: CISA AA24-038A PRC '
                                         'Critical Infrastructure February '
                                         '2024)',
                          'source_name': 'DEV-0391'},
                         {'description': '(Citation: CISA AA24-038A PRC '
                                         'Critical Infrastructure February '
                                         '2024)',
                          'source_name': 'UNC3236'},
                         {'description': '(Citation: CISA AA24-038A PRC '
                                         'Critical Infrastructure February '
                                         '2024)',
                          'source_name': 'Voltzite'},
                         {'description': '(Citation: CISA AA24-038A PRC '
                                         'Critical Infrastructure February '
                                         '2024)',
                          'source_name': 'Insidious Taurus'},
                         {'description': '(Citation: Secureworks BRONZE '
                                         'SILHOUETTE May 2023)(Citation: CISA '
                                         'AA24-038A PRC Critical '
                                         'Infrastructure February 2024)',
                          'source_name': 'BRONZE SILHOUETTE'},
                         {'description': 'CISA et al.. (2024, February 7). PRC '
                                         'State-Sponsored Actors Compromise '
                                         'and Maintain Persistent Access to '
                                         'U.S. Critical Infrastructure. '
                                         'Retrieved May 15, 2024.',
                          'source_name': 'CISA AA24-038A PRC Critical '
                                         'Infrastructure February 2024',
                          'url': 'https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf'},
                         {'description': 'Counter Threat Unit Research Team. '
                                         '(2023, May 24). Chinese '
                                         'Cyberespionage Group BRONZE '
                                         'SILHOUETTE Targets U.S. Government '
                                         'and Defense Organizations. Retrieved '
                                         'July 27, 2023.',
                          'source_name': 'Secureworks BRONZE SILHOUETTE May '
                                         '2023',
                          'url': 'https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2023, May 24). Volt Typhoon targets '
                                         'US critical infrastructure with '
                                         'living-off-the-land techniques. '
                                         'Retrieved July 27, 2023.',
                          'source_name': 'Microsoft Volt Typhoon May 2023',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/'},
                         {'description': "NSA et al. (2023, May 24). People's "
                                         'Republic of China State-Sponsored '
                                         'Cyber Actor Living off the Land to '
                                         'Evade Detection. Retrieved July 27, '
                                         '2023.',
                          'source_name': 'Joint Cybersecurity Advisory Volt '
                                         'Typhoon June 2023',
                          'url': 'https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF'}],
 'id': 'intrusion-set--174279b4-399f-4ddb-966e-5efedd1dd5f2',
 'modified': '2025-04-30T13:27:45.018Z',
 'name': 'Volt Typhoon',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Ai Kimura, NEC Corporation',
                          'Manikantan Srinivasan, NEC Corporation India',
                          'Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd',
                          'Pooja Natarajan, NEC Corporation India',
                          'Vlad Shumaher, Palo Alto Networks'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.0'}