virus logo Threat Actor

Volt Typhoon

Description

Volt Typhoon, also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus, is a People's Republic of China based threat actor. Volt Typhoon has a keen interest in critical infrastructure and other sectors in the United States, Australia, India and the United Kingdom to ultimately perform information theft and espionage.

Volt Typhoon focuses on long-term persistence within networks, using minimal custom malware and instead relying heavily on legitimate native tools and valid user accounts. The group primarily targets critical infrastructure, exploiting edge devices and existing system access to conduct sustained espionage operations, known as "living off the land."

Aliases

  • Vanguard Panda
  • Insidious Taurus
  • Volt Typhoon
  • Voltzite
  • UNC3236
  • BRONZE SILHOUETTE
  • Dev-0391

Common Vulnerabilities and Exposures

Targeted Industries

  • Critical Infrastructure
  • Defense
  • Energy
  • Information Technology Services
  • Manufacturing
  • Telecommunications
  • Transportation and Logistics
  • Utilities

Objectives

Data Theft and Corporate Espionage

Known Tools Used

  • certutil
  • cmd
  • Coathanger
  • dnscmd
  • EarthWorm
  • Fast Reverse Proxy (FRP)
  • KV Botnet
  • Ldifde
  • LSASS
  • Magnet RAM Capture (MRC)
  • Makecab
  • Mimikatz
  • net user/group/use
  • netsh
  • netstat
  • nltest
  • ntdsutil
  • ping
  • PowerShell
  • PSExec
  • PuTTY
  • quser
  • reg query/reg save
  • Remote Desktop Protocol (RDP)
  • SMB
  • SockDetour
  • systeminfo
  • tasklist
  • Ultimate Packer for Executables (UPX)
  • VersaMem
  • wevtutil
  • whoami
  • WMIC
  • xcopy
  • Z Shell (zsh)

Known Infection Vectors

  • CVE-2019-1652 (Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability)
  • CVE-2019-1653 (Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability)
  • CVE-2020-5902 (F5 Traffic Management User Interface Remote Code Execution Vulnerability)
  • CVE-2021-22005 (VMware vCenter Server Arbitrary File Upload Vulnerability)
  • CVE-2021-26084 (Confluence Server Webwork OGNL Injection Vulnerability)
  • CVE-2021-26857 (Microsoft Exchange Server Remote Code Execution Vulnerability)
  • CVE-2021-26858 (Microsoft Exchange Server Remote Code Execution Vulnerability)
  • CVE-2021-27065 (Microsoft Exchange Server Remote Code Execution Vulnerability)
  • CVE-2021-27860 (Fatpipe Web Management Interface File Upload Vulnerability)
  • CVE-2021-36260 (Hikvision IP Cameras Command Injection Vulnerability)
  • CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability)
  • CVE-2021-42237 (Sitecore XP Insecure Deserialization Remote Code Execution Vulnerability)
  • CVE-2022-1388 (F5 BIG-IP Remote Command Execution Vulnerability)
  • CVE-2022-42475 (FortiOS Heap-based Buffer Overflow in sslvpnd)
  • CVE-2023-27350 (PaperCut NG and MF Remote Code Execution Vulnerability)
  • CVE-2023-36553 (FortiSIEM OS command injection in Report Server)
  • CVE-2023-46805 (Ivanti Connect Secure Authentication Bypass Vulnerabiliti)
  • CVE-2023-4966 (Citrix NetScaler ADC and NetScaler Gateway Vulnerability - aka Citrix Bleed)
  • CVE-2023-6548 (Citrix NetScaler ADC and NetScaler Gateway Vulnerability)
  • CVE-2023-6549 (Citrix NetScaler ADC and NetScaler Gateway Vulnerability)
  • CVE-2024-20272 (Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability)
  • CVE-2024-21762 (Out-of-bound Write in sslvpnd in FortiOS and FortiProxy)
  • CVE-2024-21887 (Ivanti Connect Secure Command Injection Vulnerability)
  • CVE-2024-39717 (Versa Director Dangerous File Type Upload Vulnerability)
  • Email

References

Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign (Fortinet)
https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

CISA and Partners Release Joint Fact Sheet for Leaders on PRC-sponsored Volt Typhoon Cyber Activity (CISA)
https://www.cisa.gov/news-events/alerts/2024/03/19/cisa-and-partners-release-joint-fact-sheet-leaders-prc-sponsored-volt-typhoon-cyber-activity

Volt Typhoon (MITRE)
https://attack.mitre.org/groups/G1017/

Strengthening America’s Resilience Against the PRC Cyber Threats (CISA)
https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats

Volt Typhoon

ID

5564

Published

May 21, 2026

Threat Actor Type

Nation-State

Tags

Citrix Bleed Attack Russian Cyber Espionage Microsoft Exchange Cisco ASA and FTD Firewall Zero-day Hikvision Command Injection Iran-linked Cyber Attacks PaperCut RCE Ivanti Authentication Bypass Threat Signal

Attacker Origins

  • China

Target Systems

  • Windows

Regions Targeted

  • Africa
  • Asia
  • Europe
  • Middle East
  • North America
  • Oceania

Active CVEs