Volt Typhoon
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 113 attack patterns (MITRE), 3 malware, 12 sectors, 4 countries, 71 indicators, 3 vulnerabilities (CVE), 16 tools, 2 campaigns
Aliases
BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Secureworks BRONZE SILHOUETTE May 2023
- Cloudflare 2026 Threat Report New Threat Actors March 2026
- mitre-attack (G1017)
- Microsoft Volt Typhoon May 2023
- DOJ KVBotnet 2024
- Dragos 2025 Year in Review
- CISA AA24-038A PRC Critical Infrastructure February 2024
- Joint Cybersecurity Advisory Volt Typhoon June 2023
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- Report contents: 6 MITRE entities, 1 malware, 9 observables, 1 APT
Attack patterns (MITRE) (113)
- T1584 · uses · Compromise Infrastructure (MITRE)
- T1010 · uses · Application Window Discovery (MITRE)
- T1087.002 · uses · Domain Account (MITRE)
- T1589 · uses · Gather Victim Identity Information (MITRE)
- T1018 · uses · Remote System Discovery (MITRE)
- T1040 · uses · Network Sniffing (MITRE)
- T1048 · uses · Exfiltration Over Alternative Protocol (MITRE)
- T1059 · uses · Command and Scripting Interpreter (MITRE)
- T1590.004 · uses · Network Topology (MITRE)
- T1016.001 (MITRE)
- T1011 (MITRE)
- T1547 · uses · Boot or Logon Autostart Execution (MITRE)
Sectors (12)
- Manufacturing (targets)
- Transportation (targets)
- Telecommunications (targets)
- Energy (targets)
- Maritime transport (targets)
- Chemical (targets)
- Education (targets)
- Technology (targets)
- Utility (targets)
- Diplomacy (targets)
- Government (targets)
- Construction (targets)
Countries (4)
- United States of America (targets)
- Australia (targets)
- United Kingdom of Great Britain and Northern Ireland (targets)
- Guam (targets)
Indicators (71)
- c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99 (indicates)
- cdffba0ebda39b3b58f59815be3829ca9c1cde957b46a6ad5ce4b31e405455bb (indicates) · stix 100/100 · Revoked · SHA256 of 23873bf2670cf64c2440058130548d4e4da412dd · Valid until 07/02/2026 · Source: AlienVault
- 5a2681ea2e1d0d5e7db2a2499d2e6e27b2689830c638d5ee28c2eef9867ececf (indicates)
- 5928f67db54220510f6863c0edc0343fdb68f7c7070496a3f49f99b3b545daf9 (indicates)
- b4f2470159ca93f9d585ae2df1da972f6d14a0c418ebc202a324b9be5c877b61 (indicates)
- e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95 (indicates) · stix 100/100 · Revoked · Valid until 27/08/2024 · Source: AlienVault
- d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca (indicates)
- 2cb6df289475457e807fc202a2b4688b2e23a88c94a8431981780caf8b76acf7 (indicates)
- cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984 (indicates)
- c71d04e2b6b35fdd058b4be5cf9ea3478697950378d4ee3c7fe0bf87e1e3730f (indicates)
Vulnerabilities (CVE) (3)
- Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
  - Published: 03/11/2021
  - Modified: 20/12/2025
- A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software allows a remote, unauthenticated attacker to upload a …
  - Published: 10/01/2022
  - Modified: 21/12/2025
- (no description on this page)
  - Published: 20/12/2025
  - Modified: 21/12/2025
Tool (16)
- netsh (uses) · Source: The MITRE Corporation · Confidence: 100
  [netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)
- Wevtutil (uses) · Source: The MITRE Corporation · Confidence: 100
  [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers. (Citation: Wevtutil Microsoft Documentation)
- Net (uses) · Source: The MITRE Corporation · Confidence: 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- cmd (uses) · Source: The MITRE Corporation · Confidence: 100
  [cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to…
- netstat (uses) · Source: The MITRE Corporation · Confidence: 100
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- PsExec (uses) · Source: The MITRE Corporation · Confidence: 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals)(Citation: SANS…
- Reg (uses) · Source: The MITRE Corporation · Confidence: 100
  [Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation:…
- Tasklist (uses) · Source: The MITRE Corporation · Confidence: 100
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- ipconfig (uses) · Source: The MITRE Corporation · Confidence: 100
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- FRP (uses) · Source: The MITRE Corporation · Confidence: 100
  [FRP](https://attack.mitre.org/software/S1144), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT)…
- Ping (uses) · Source: The MITRE Corporation · Confidence: 100
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
- certutil (uses) · Source: The MITRE Corporation · Confidence: 100
  [certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
Campaign (2)
- Versa Director Zero Day Exploitation (attributed-to)
- KV Botnet Activity (attributed-to)