Mallory
China. 29 malware families. Exploits CVEs in the wild.

Volt Typhoon

Also known as: BRONZE SILHOUETTE, DEV-0391, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, Volt Typhoon, VOLTZITE

Volt Typhoon is a Chinese state-sponsored threat actor. Reporting describes it as a China-linked operation and, in one reference, as military cyber actors. Aliases in the collected reporting are Bronze Silhouette, DEV-0391, Insidious Taurus, Storm-0391, UNC3236, Vanguard Panda, Volt Typhoon, and Voltzite. The group infiltrates U.S. critical infrastructure, including water treatment plants, the electrical grid, transportation systems, and U.S. military installations overseas, as part of broader Chinese cyber activity, and its operations are assessed as pre-positioning for disruption or sabotage in a future conflict.

Tradecraft. Initial access comes from exploitation of edge-device vulnerabilities; inside the network the actor lives off the land with valid accounts and built-in operating system utilities. Hands-on-keyboard activity runs through the Windows command line: PowerShell for remote system discovery; WMIC for execution, remote system discovery, and temporary directory creation; Registry queries (reg query hklm\software) to identify installed software such as PuTTY; Tasklist to enumerate running processes; collection of system location, screen dimension, and display device information; and PowerShell Get-EventLog security -instanceid 4624 to identify associated user and computer account names.

Credential and data access. The actor attempted to obtain credentials from OpenSSH, RealVNC, and PuTTY; targeted network administrators' browser data, including browsing history and stored credentials; stole files from a sensitive file server; stole the Active Directory database (ntds.dit) together with the SYSTEM and SECURITY Registry hives; and used Wevtutil to extract event log information.

Tooling, command and control, and cleanup. The actor used legitimate network and forensic tools and customized versions of open-source tools for command and control, and deployed Earthworm and Fast Reverse Proxy under legitimate-looking filenames: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe. Cleanup includes rd /S to delete working directories and deletion of systeminfo.dat from C:\Users\Public\Documents. The actor also used compromised hardware, including routers, and the FBI disrupted a botnet of hundreds of U.S.-based small office and home routers associated with the operation.

Because every host-side step above uses valid accounts and stock utilities, the same commands appear in routine administration; detection depends on command-line logging and on baselining who runs them, from where, and on which hosts, rather than on file hashes.
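The commands in the summary above (registry software enumeration, 4624 logon harvesting, ntds.dit and hive theft, WMIC execution, rd /S cleanup, and proxy tools renamed to look like WmiPrvSE.exe or cl64.exe) are the detection surface. The following is an added example, not code from the Mallory page or from any report on the actor: a small Python rule set run over constructed process-creation records in the shape Sysmon Event ID 1 or Security Event ID 4688 produce. The field names, the sample records, the expected install directories for WmiPrvSE.exe and vm3dservice.exe, and the use of reg save as the hive-dump pattern are assumptions.

```python
"""Detection logic for the living-off-the-land tradecraft summarised above.

Added example: not code from the Mallory page or from any Volt Typhoon report.
It runs over constructed process-creation records (Sysmon Event ID 1 / Security
4688 style). Field names, sample records, the expected install paths and the
"reg save" hive-dump pattern are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the executable that started
    command_line: str


# Filenames the reporting says disguised Earthworm / Fast Reverse Proxy.
MASQUERADE_NAMES = {
    "cisco_up.exe", "cl64.exe", "vm3dservice.exe", "watchdogd.exe",
    "win.exe", "wmipresv.exe", "wmiprvse.exe",
}
# Two of those names also belong to real binaries; assumed stock locations
# (Windows WMI provider host, VMware SVGA 3D service). Any other location,
# and any of the other names anywhere, is flagged.
EXPECTED_DIRS = {
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "vm3dservice.exe": {r"c:\windows\system32"},
}

# (rule name, ATT&CK reference, pattern applied to the command line)
CMDLINE_RULES = [
    ("registry_software_enum", "T1012 / T1518",
     re.compile(r"\breg(?:\.exe)?\s+query\s+hklm\\software\b", re.I)),
    ("eventlog_logon_harvest", "T1033 / T1005",
     re.compile(r"get-eventlog\s+security\s+-instanceid\s+4624"
                r"|\bwevtutil(?:\.exe)?\s+(?:qe|epl)\b", re.I)),
    ("ntds_or_hive_access", "T1003.003",   # reg save is an assumed dump method
     re.compile(r"ntds\.dit|\breg(?:\.exe)?\s+save\s+hklm\\(?:system|security)\b", re.I)),
    ("wmic_exec_or_discovery", "T1047 / T1018",
     re.compile(r"\bwmic(?:\.exe)?\b.*(?:/node:|process\s+call\s+create)", re.I)),
    ("workdir_cleanup", "T1070.004",
     re.compile(r"\b(?:rd|rmdir)\s+/s\b|\bdel\b.*systeminfo\.dat", re.I)),
]


def _split_path(path):
    """Lower-cased (directory, basename) of a Windows path."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    return directory, name


def detect(events):
    """Return one (host, rule, technique) tuple per rule each record matches."""
    hits = []
    for ev in events:
        directory, name = _split_path(ev.image)
        if name in MASQUERADE_NAMES:
            expected = EXPECTED_DIRS.get(name)
            if expected is None or directory not in expected:
                hits.append((ev.host, "masqueraded_proxy_tool", "T1036.005 / T1090.003"))
        for rule, technique, pattern in CMDLINE_RULES:
            if pattern.search(ev.command_line):
                hits.append((ev.host, rule, technique))
    return hits


def rules_per_host(hits):
    """Distinct rules per host. Several on one host is the stronger signal,
    because each command on its own is also used by administrators."""
    grouped = {}
    for host, rule, _ in hits:
        grouped.setdefault(host, set()).add(rule)
    return grouped


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c reg query hklm\software"),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-EventLog security -instanceid 4624"),
    ProcEvent("FS01", "NT AUTHORITY\\NETWORK SERVICE", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),  # legitimate
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Users\Public\Documents\WmiPrvSE.exe",
              "WmiPrvSE.exe -s 10.0.0.5 -p 443"),                            # proxy tool in disguise
    ProcEvent("WS02", "CORP\\svc-backup", r"C:\ProgramData\cl64.exe", "cl64.exe -c cfg.ini"),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c rd /S /Q C:\Users\Public\Documents\work"),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:DC01 process call create "cmd /c systeminfo > C:\Users\Public\Documents\systeminfo.dat"'),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\reg.exe",
              r"reg save hklm\system C:\Users\Public\Documents\sys.hiv"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, technique in found:
        print(f"{host:5} {rule:24} {technique}")
    for host, rules in rules_per_host(found).items():
        print(f"{host}: {len(rules)} distinct rules")
```

The legitimate WmiPrvSE.exe on FS01 produces nothing, while WS01 accumulates six distinct rules across the constructed records; ranking hosts by distinct rule count is what separates an intrusion from an administrator running one of these commands in isolation.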


MITRE ATT&CK

Tradecraft

55 distinct techniques observed across reporting, grouped by tactic. The list below has 69 entries because sub-techniques, and techniques that recur under more than one tactic, are listed separately.

14 of 15 tactics covered. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (2 techniques)
  T1592          Gather Victim Host Information
  T1595          Active Scanning

TA0042 Resource Development (4 techniques)
  T1583          Acquire Infrastructure
  T1584 ×4       Compromise Infrastructure
    T1584.005 ×4   Botnet
    T1584.008 ×3   Network Devices
  T1588          Obtain Capabilities
    T1588.002      Tool
  T1608          Stage Capabilities
    T1608.001      Upload Malware
    T1608.002      Upload Tool

TA0001 Initial Access (2 techniques)
  T1078 ×2       Valid Accounts
  T1190 ×5       Exploit Public-Facing Application

TA0002 Execution (4 techniques)
  T1047          Windows Management Instrumentation
  T1059          Command and Scripting Interpreter
    T1059.001 ×6   PowerShell
    T1059.003 ×2   Windows Command Shell
  T1129 ×2       Shared Modules
  T1574          Hijack Execution Flow

TA0003 Persistence (3 techniques)
  T1078 ×2       Valid Accounts
  T1112 ×2       Modify Registry
  T1505          Server Software Component
    T1505.003 ×2   Web Shell
    T1505.004      IIS Components

TA0004 Privilege Escalation (3 techniques)
  T1055          Process Injection
  T1068 ×3       Exploitation for Privilege Escalation
  T1078 ×2       Valid Accounts

TA0005 Stealth (MITRE: Defense Evasion) (8 techniques)
  T1036          Masquerading
    T1036.005      Match Legitimate Resource Name or Location
  T1055          Process Injection
  T1070 ×2       Indicator Removal
    T1070.004 ×3   File Deletion
  T1078 ×2       Valid Accounts
  T1140          Deobfuscate/Decode Files or Information
  T1218          System Binary Proxy Execution
    T1218.010      Regsvr32
  T1497          Virtualization/Sandbox Evasion
    T1497.001      System Checks
  T1574          Hijack Execution Flow

TA0112 Defense Impairment (2 techniques)
  T1112 ×2       Modify Registry
  T1601          Modify System Image

TA0006 Credential Access (3 techniques)
  T1003 ×3       OS Credential Dumping
    T1003.003      NTDS
  T1555 ×2       Credentials from Password Stores
    T1555.003      Credentials from Web Browsers
  T1649          Steal or Forge Authentication Certificates

TA0007 Discovery (11 techniques)
  T1007 ×2       System Service Discovery
  T1012 ×2       Query Registry
  T1018 ×2       Remote System Discovery
  T1033          System Owner/User Discovery
  T1046          Network Service Discovery
  T1057          Process Discovery
  T1082 ×3       System Information Discovery
  T1120          Peripheral Device Discovery
  T1217          Browser Information Discovery
  T1497          Virtualization/Sandbox Evasion
    T1497.001      System Checks
  T1518          Software Discovery

TA0008 Lateral Movement (1 technique)
  T1021          Remote Services
    T1021.001      Remote Desktop Protocol

TA0009 Collection (3 techniques)
  T1005 ×2       Data from Local System
  T1074          Data Staged
  T1213          Data from Information Repositories

TA0011 Command and Control (3 techniques)
  T1071 ×3       Application Layer Protocol
  T1090 ×5       Proxy
    T1090.003 ×4   Multi-hop Proxy
  T1105          Ingress Tool Transfer

TA0040 Impact (2 techniques)
  T1485          Data Destruction
  T1490          Inhibit System Recovery
WEAPONIZED

Associated vulnerabilities

30 CVEs this actor has used in observed campaigns, all 30 of them exploited in the wild. The five with the most supporting evidence are listed below.

CVE-2022-42475: FortiOS/FortiProxy SSL-VPN heap-based buffer overflow RCE. Exploited in the wild. Evidence: 4.

Fortinet disclosed in February that the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware.

CVE-2023-27997 (XORtigate): FortiOS/FortiProxy SSL-VPN heap-based buffer overflow RCE. Exploited in the wild. Evidence: 4.

Same reporting as CVE-2022-42475 above: Fortinet disclosed that Volt Typhoon exploited both SSL VPN flaws to backdoor a Dutch Ministry of Defence military network with the Coathanger RAT.

CVE-2024-39717: arbitrary file upload and execution in the Versa Director GUI. Exploited in the wild. Evidence: 3.

Lumen Technologies reported Chinese APT Volt Typhoon exploiting Versa Director servers (CVE-2024-39717), enabling credential interception and malicious code injection.

CVE-2021-40539: authentication bypass and RCE in Zoho ManageEngine ADSelfService Plus. Exploited in the wild. Evidence: 2.

Exploiting vulnerabilities in widely used software including, but not limited to: CVE-2021-40539—ManageEngine ADSelfService Plus.

CVE-2024-21887: command injection in Ivanti Connect Secure and Policy Secure web components. Exploited in the wild. Evidence: 2.

Ensure that these products in your environment are updated with the latest patches... Ivanti (CVE-2024-21887 & CVE-2023-46805)

25 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

97 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated and available in Mallory.
