Volt Typhoon
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 113 attack patterns (MITRE), 3 malware, 12 sectors, 4 countries, 71 indicators, 3 vulnerabilities (CVE), 16 tools, 2 campaigns
Aliases
- BRONZE SILHOUETTE
- Vanguard Panda
- DEV-0391
- UNC3236
- Voltzite
- Insidious Taurus
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Secureworks BRONZE SILHOUETTE May 2023
- Cloudflare 2026 Threat Report New Threat Actors March 2026
- mitre-attack (G1017)
- Microsoft Volt Typhoon May 2023
- DOJ KVBotnet 2024
- Dragos 2025 Year in Review
- CISA AA24-038A PRC Critical Infrastructure February 2024
- Joint Cybersecurity Advisory Volt Typhoon June 2023
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- Report (title not shown): 6 MITRE entities, 1 malware, 9 observables, 1 APT
Attack patterns (MITRE) (113; relationship: uses)
- T1003.001 LSASS Memory
- T1505.003 Web Shell
- T1120 Peripheral Device Discovery
- T1570 Lateral Tool Transfer
- T1047 Windows Management Instrumentation
- T1199 Trusted Relationship
- T1069.001 Local Groups
- T1006 Direct Volume Access
- T1056.001 Keylogging
- T1560.001 Archive via Utility
- T1573 Encrypted Channel
- T1016 System Network Configuration Discovery
Malware (3; relationship: uses)
- VersaMem (family; source: The MITRE Corporation; confidence 100)
  [VersaMem](https://attack.mitre.org/software/S1154) is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, [VersaMem](https://attack.mitre.org/software/S1154) was used during [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) by…
- KV Botnet (family)
- HiatusRat (family)
Sectors (12; relationship: targets)
- Manufacturing
- Transportation
- Telecommunications
- Energy
- Maritime transport
- Chemical
- Education
- Technology
- Utility
- Diplomacy
- Government
- Construction
Countries (4; relationship: targets)
- United States of America
- Australia
- United Kingdom of Great Britain and Northern Ireland
- Guam
Indicators (71)
Vulnerabilities (CVE) (3)
- Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution. (Published 03/11/2021 · Modified 20/12/2025)
- A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software allows a remote, unauthenticated attacker to upload a … (Published 10/01/2022 · Modified 21/12/2025)
- (description not shown) (Published 20/12/2025 · Modified 21/12/2025)
Tool (16; relationship: uses; source: The MITRE Corporation; confidence 100)
- netsh
  [netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)
- Wevtutil
  [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers. (Citation: Wevtutil Microsoft Documentation)
- Net
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- cmd
  [cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to…
- netstat
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- PsExec
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS…
- Reg
  [Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation:…
- Tasklist
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- ipconfig
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- FRP
  [FRP](https://attack.mitre.org/software/S1144), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT)…
- Ping
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
- certutil
  [certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
Campaign (2; relationship: attributed-to)
- Versa Director Zero Day Exploitation
- KV Botnet Activity