{
	"id": "7a7ec392-ae59-4dc0-8d1f-92a8aceedd96",
	"created_at": "2026-04-06T00:17:39.147831Z",
	"updated_at": "2026-04-10T03:34:44.528113Z",
	"deleted_at": null,
	"sha1_hash": "12b5861dda3255506acbddb0dfb1d701c2b3a6be",
	"title": "Will the Real Volt Typhoon Please Stand Up?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127163,
	"plain_text": "Will the Real Volt Typhoon Please Stand Up?\r\nBy Jean Pierre Ruiz Ocampo\r\nPublished: 2025-01-16 · Archived: 2026-04-05 23:04:58 UTC\r\nOne of the more powerful things you can do using Censys is track how a threat actor’s infrastructure changes over time or in response to external events.\r\nIn December 2023, the US Federal Bureau of Investigation (FBI) conducted a court-authorized disruption of the KV Botnet by running a remote uninstall on infected systems in the United States. The KV Botnet is attributed to Volt Typhoon, a threat group originating from the People’s Republic of China (PRC) with a historical focus on critical infrastructure. While this disruption did not impact the botnet’s control infrastructure, mass removal of bots is likely to spur a reaction from botnet administrators.\r\nDespite both technical exposure by researchers and law enforcement disruption, this infrastructure has remained uncharacteristically consistent, changing only hosting providers. Given the contrast in sophistication between Volt Typhoon’s activity within target organizations and the operation of its proxy network, it is possible the KV Botnet is operated by a party other than Volt Typhoon.\r\nBased on Censys scanning and indicators publicly reported by Lumen, we were able to map control infrastructure for the KV Botnet, specifically the JDY cluster, through 2024.\r\n2024 Activity\r\nThe JDY cluster was first detailed by Lumen in 2023 and is believed to target Cisco RV320/RV325 routers for botnet propagation. 
On 14 November 2023, infected systems from this cluster were seen communicating with new control servers presenting a different certificate variant containing “jdyfj”, shown below:\r\n[Figure: Example JDY C2 Server with a New Certificate Variant]\r\nHistorical records for this certificate show the following hosts that may have previously been used by this actor:\r\nIP Address       | Certificate First Seen | Certificate Last Seen | ASN\r\n45.32.174[.]131  | 28 December 2023       | 23 April 2024         | AS20473 – CHOOPA, US\r\n45.63.60[.]39    | 28 December 2023       | 24 April 2024         | AS20473 – CHOOPA, US\r\n159.203.113[.]25 | 18 November 2023       | 27 December 2023      | AS14061 – DIGITALOCEAN-ASN, US\r\n174.138.56[.]21  | 17 November 2023       | 2 December 2023       | AS14061 – DIGITALOCEAN-ASN, US\r\n108.61.132[.]157 | 15 November 2023       | 18 November 2023      | AS20473 – CHOOPA, US\r\n144.202.49[.]189 | 15 November 2023       | 27 December 2023      | AS20473 – CHOOPA, US\r\nCensys’s scans indicate that, following law enforcement action, 45.32.174[.]131 and 45.63.60[.]39 (the two hosts first seen on 28 December 2023 in the table above) were both likely brought online in response to disruption efforts. In April 2024, these servers were likely migrated to the infrastructure currently hosting this certificate. 
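The certificate pivot used above, as an added worked example that is not code from the Censys article: given per-host observations (host, ASN, observation date, leaf certificate SHA256, subject CN), it rebuilds the first-seen/last-seen table for one fingerprint, groups the hosts into deployment waves by first-seen date, reports the waves that moved onto a hosting provider the previous wave had not used, and lists the hosts that first appeared after a chosen event such as a takedown. The observations, hosts (RFC 5737 documentation addresses), ASNs and fingerprints are constructed placeholders, and the 14-day wave gap is an assumed tuning value; a real run would feed it the scanner host history for the fingerprint.

```python
# Added example (not code from the Censys article): rebuild the per-host
# first-seen/last-seen table for one certificate fingerprint and flag the
# deployment waves that introduce a new hosting provider. All hosts, ASNs,
# dates and fingerprints below are constructed placeholders.
from datetime import date

# Constructed observations: (host, asn, observed_on, cert_sha256, subject_cn).
# A real pipeline would populate this from scanner host history.
OBSERVATIONS = [
    ('192.0.2.10',   'AS64500 PROVIDER-A', date(2023, 11, 15), 'cert-A', 'jdyfj'),
    ('192.0.2.10',   'AS64500 PROVIDER-A', date(2023, 11, 18), 'cert-A', 'jdyfj'),
    ('192.0.2.11',   'AS64500 PROVIDER-A', date(2023, 11, 15), 'cert-A', 'jdyfj'),
    ('192.0.2.11',   'AS64500 PROVIDER-A', date(2023, 12, 27), 'cert-A', 'jdyfj'),
    ('198.51.100.5', 'AS64501 PROVIDER-B', date(2023, 11, 17), 'cert-A', 'jdyfj'),
    ('198.51.100.5', 'AS64501 PROVIDER-B', date(2023, 12, 2),  'cert-A', 'jdyfj'),
    ('192.0.2.20',   'AS64500 PROVIDER-A', date(2023, 12, 28), 'cert-A', 'jdyfj'),
    ('192.0.2.20',   'AS64500 PROVIDER-A', date(2024, 4, 23),  'cert-A', 'jdyfj'),
    ('203.0.113.7',  'AS64502 PROVIDER-C', date(2024, 4, 16),  'cert-A', 'jdyfj'),
    ('203.0.113.7',  'AS64502 PROVIDER-C', date(2025, 1, 6),   'cert-A', 'jdyfj'),
    ('203.0.113.8',  'AS64503 PROVIDER-D', date(2024, 4, 16),  'cert-A', 'jdyfj'),
    ('203.0.113.8',  'AS64503 PROVIDER-D', date(2025, 1, 7),   'cert-A', 'jdyfj'),
    # Unrelated certificate on a host of the same provider: must not be pulled in.
    ('203.0.113.99', 'AS64502 PROVIDER-C', date(2024, 6, 1),   'cert-Z', 'example'),
]


def subject_hits(observations, needle='jdyfj'):
    '''Hosts whose leaf certificate subject CN contains the pivot string.'''
    return sorted({host for host, _asn, _seen, _sha, cn in observations if needle in cn})


def host_timeline(observations, fingerprint):
    '''Per-host ASN, first-seen and last-seen dates for one certificate fingerprint.'''
    table = {}
    for host, asn, seen, sha256, _cn in observations:
        if sha256 != fingerprint:
            continue
        row = table.setdefault(host, {'asn': asn, 'first_seen': seen, 'last_seen': seen})
        row['first_seen'] = min(row['first_seen'], seen)
        row['last_seen'] = max(row['last_seen'], seen)
    return table


def deployment_waves(table, gap_days=14):
    '''Group hosts into waves: consecutive first-seen dates closer than gap_days
    belong to the same wave. Returned chronologically, oldest first.'''
    ordered = sorted(table, key=lambda h: table[h]['first_seen'])
    waves, current = [], []
    for host in ordered:
        if current:
            gap = (table[host]['first_seen'] - table[current[-1]]['first_seen']).days
            if gap > gap_days:
                waves.append(current)
                current = []
        current.append(host)
    if current:
        waves.append(current)
    return waves


def new_providers_per_wave(table, gap_days=14):
    '''(wave_index, [asn, ...]) for every wave that appears on an ASN the
    previous wave did not use, i.e. a hosting-provider migration.'''
    waves = deployment_waves(table, gap_days)
    result = []
    for i in range(1, len(waves)):
        prev = {table[h]['asn'] for h in waves[i - 1]}
        cur = {table[h]['asn'] for h in waves[i]}
        added = sorted(cur - prev)
        if added:
            result.append((i, added))
    return result


def hosts_first_seen_after(table, event):
    '''Hosts whose certificate first appeared after event, e.g. a takedown date.'''
    return sorted(h for h, row in table.items() if row['first_seen'] > event)


if __name__ == '__main__':
    t = host_timeline(OBSERVATIONS, 'cert-A')
    for host in sorted(t, key=lambda h: t[h]['first_seen']):
        r = t[host]
        print(host, r['first_seen'], r['last_seen'], r['asn'])
    print('waves:', deployment_waves(t))
    print('new providers:', new_providers_per_wave(t))
    print('stood up after takedown:', hosts_first_seen_after(t, date(2023, 12, 20)))
```

Run as a script it prints the rebuilt table, the waves, and the wave that introduced providers C and D. The wave gap is the knob to tune: too small splits one rollout into several waves, too large merges a reactive redeployment into the wave it replaced.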
Notably, a different hosting provider has been used each time the servers have moved, as shown in the table above, potentially to reduce the impact of future disruption efforts.\r\nThe Censys research team has identified three hosts currently leveraging this certificate (SHA256 Hash: 2b640582bbbffe58c4efb8ab5a0412e95130e70a587fd1e194fbcd4b33d432cf):\r\nIP Address        | Certificate First Seen | Certificate Last Seen | ASN\r\n2.58.15[.]30      | 16 April 2024          | 6 January 2025        | AS199959 – CrownCloud, AU\r\n66.85.27[.]190    | 16 April 2024          | 7 January 2025        | AS8100 – Quadranet\r\n172.233.211[.]226 | 25 November 2024       | 7 January 2025        | AS63949 – AKAMAI-LINODE-AP Akamai Connected Cloud, SG\r\nThoughts on attribution\r\nMicrosoft’s initial public report describes Volt Typhoon as a technically sophisticated threat actor, operating with a minimal toolkit and a focus on stealth. However, following both technical exposure by researchers and disruption by law enforcement, the operators of the KV Botnet have not taken any meaningful action to conceal their control infrastructure beyond migrating to new hosting providers. This notable difference calls into question the nature of the relationship between Volt Typhoon activity against target networks and the KV Botnet.\r\nSource: https://censys.com/will-the-real-volt-typhoon-please-stand-up/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://censys.com/will-the-real-volt-typhoon-please-stand-up/"
	],
	"report_names": [
		"will-the-real-volt-typhoon-please-stand-up"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12b5861dda3255506acbddb0dfb1d701c2b3a6be.pdf",
		"text": "https://archive.orkl.eu/12b5861dda3255506acbddb0dfb1d701c2b3a6be.txt",
		"img": "https://archive.orkl.eu/12b5861dda3255506acbddb0dfb1d701c2b3a6be.jpg"
	}
}