{
	"id": "b7d22d4d-c302-48d0-9add-0e4c46620b10",
	"created_at": "2026-04-06T00:20:08.539315Z",
	"updated_at": "2026-04-10T03:34:44.504821Z",
	"deleted_at": null,
	"sha1_hash": "31ac70ef392ddbfbbf525acd62d55bea42154639",
	"title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 533806,
	"plain_text": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-05-24 · Archived: 2026-04-05 14:07:49 UTC\r\nMicrosoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access\r\nand network system discovery aimed at critical infrastructure organizations in the United States. The attack is\r\ncarried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and\r\ninformation gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing\r\ndevelopment of capabilities that could disrupt critical communications infrastructure between the United States\r\nand Asia region during future crises.\r\nVolt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and\r\nelsewhere in the United States. In this campaign, the affected organizations span the communications,\r\nmanufacturing, utility, transportation, construction, maritime, government, information technology, and education\r\nsectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access\r\nwithout being detected for as long as possible. Microsoft is choosing to highlight this Volt Typhoon activity at this\r\ntime because of our significant concern around the potential for further impact to our customers. Although our\r\nvisibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into\r\nother parts of the actor’s activity compelled us to drive broader community awareness and further investigations\r\nand protections across the security ecosystem.\r\nTo achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost\r\nexclusively on living-off-the-land techniques and hands-on-keyboard activity. 
They issue commands via the\r\ncommand line to (1) collect data, including credentials from local and network systems, (2) put the data into an\r\narchive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In\r\naddition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small\r\noffice and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have\r\nalso been observed using custom versions of open-source tools to establish a command and control (C2) channel\r\nover proxy to further stay under the radar.\r\nIn this blog post, we share information on Volt Typhoon, their campaign targeting critical infrastructure providers,\r\nand their tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies\r\non valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be\r\nchallenging. Compromised accounts must be closed or changed. At the end of this blog post, we share more\r\nmitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious\r\nand suspicious activity to protect organizations from such stealthy attacks. The National Security Agency (NSA)\r\nhas also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and\r\nprocedures (TTPs) discussed in this blog.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\r\nPage 1 of 8\n\nAs with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised\r\ncustomers, providing them with important information needed to secure their environments. 
To learn about\r\nMicrosoft’s approach to threat actor tracking, read Microsoft shifts to a new threat actor naming taxonomy.\r\nFigure 1. Volt Typhoon attack diagram\r\nInitial access\r\nVolt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices.\r\nMicrosoft continues to investigate Volt Typhoon’s methods for gaining access to these devices.\r\nThe threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an\r\nActive Directory account used by the device, and then attempts to authenticate to other devices on the network\r\nwith those credentials.\r\nVolt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices\r\n(including routers). Microsoft has confirmed that many of the devices, which include those manufactured by\r\nASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to\r\nthe internet. Owners of network edge devices should ensure that management interfaces are not exposed to the\r\npublic internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances\r\nthe stealth of their operations and lowers overhead costs for acquiring infrastructure.\r\nPost-compromise activity\r\nOnce Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via\r\nthe command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and\r\nrepeat them multiple times.\r\nVolt Typhoon rarely uses malware in their post-compromise activity. Instead, they rely on living-off-the-land\r\ncommands to find information on the system, discover additional devices on the network, and exfiltrate data. 
We\r\ndescribe their activities in the following sections, including the most impactful actions that relate to credential\r\naccess.\r\nCredential access\r\nIf the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that\r\naccount to perform the following credential access activities.\r\nMicrosoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority\r\nSubsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating\r\nsystem (OS) credentials.\r\nFigure 2. Volt Typhoon command to dump LSASS process memory, encoded in Base64\r\nFigure 3. Decoded Base64 of Volt Typhoon command to dump LSASS process memory\r\nVolt Typhoon also frequently attempts to use the command-line tool Ntdsutil.exe to create installation media from\r\ndomain controllers, either remotely or locally. These media are intended to be used in the installation of new\r\ndomain controllers. The files in the installation media contain usernames and password hashes that the threat\r\nactors can crack offline, giving them valid domain account credentials that they could use to regain access to a\r\ncompromised organization if they lose access.\r\nFigure 4. Volt Typhoon command to remotely create domain controller installation media\r\nFigure 5. Volt Typhoon command to locally create domain controller installation media\r\nDiscovery\r\nMicrosoft has observed Volt Typhoon discovering system information, including file system types; drive names,\r\nsize, and free space; running processes; and open networks. They also attempt to discover other systems on the\r\ncompromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and\r\nthe ping command. 
In a small number of cases, the threat actors run system checks to determine if they are\r\noperating within a virtualized environment.\r\nCollection\r\nIn addition to operating system and domain credentials, Volt Typhoon dumps information from local web browser\r\napplications. Microsoft has also observed the threat actors staging collected data in password-protected archives.\r\nCommand and control\r\nIn most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way\r\nauthorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators\r\ncreating proxies on compromised systems to facilitate access. They accomplish this with the built-in netsh\r\nportproxy command.\r\nFigure 6. Volt Typhoon commands creating and later deleting a port proxy on a compromised\r\nsystem\r\nIn rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to\r\nestablish a C2 channel over proxy.\r\nCompromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses.\r\nThe same user account used for these sign-ins may be linked to command-line activity conducting further\r\ncredential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling.\r\nMitigation and protection guidance\r\nMitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries\r\n(LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries\r\nrequires behavioral monitoring. 
Remediation requires closing or changing credentials for compromised accounts.\r\nSuspected compromised accounts or affected systems should be investigated:\r\nIdentify LSASS dumping and domain controller installation media creation to identify affected accounts.\r\nExamine the activity of compromised accounts for any malicious actions or exposed data.\r\nClose or change credentials for all compromised accounts. Depending on the level of collection activity,\r\nmany accounts may be affected.\r\nDefending against this campaign\r\nMitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA)\r\npolicies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password\r\nexpiration rules, and deactivating unused accounts can also help mitigate risk from this access method.\r\nReduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to\r\nblock or audit some observed activity associated with this threat:\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe).\r\nBlock process creations originating from PSExec and WMI commands. Some organizations may\r\nexperience compatibility issues with this rule on certain server systems but should deploy it to other\r\nsystems to prevent lateral movement originating from PsExec and WMI.\r\nBlock execution of potentially obfuscated scripts.\r\nHarden the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11\r\ndevices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. 
In\r\naddition, enable Windows Defender Credential Guard, which is also turned on by default for organizations\r\nusing the Enterprise edition of Windows 11.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker\r\ntools, techniques, and behaviors such as those exhibited by Volt Typhoon.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nblock malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when\r\nMicrosoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to\r\nremediate malicious artifacts that are detected post-compromise.\r\nDetection details and hunting queries\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects attempted post-compromise activity. Note, however, that these alerts can\r\nalso be triggered by threat activity unrelated to Volt Typhoon. Turn on cloud-delivered protection to cover rapidly\r\nevolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown\r\nthreats.\r\nBehavior:Win32/SuspNtdsUtilUsage.A\r\nBehavior:Win32/SuspPowershellExec.E\r\nBehavior:Win32/SuspRemoteCmdCommandParent.A\r\nBehavior:Win32/UNCFilePathOperation\r\nBehavior:Win32/VSSAmsiCaller.A\r\nBehavior:Win32/WinrsCommand.A\r\nBehavior:Win32/WmiSuspProcExec.J!se\r\nBehavior:Win32/WmicRemote.A\r\nBehavior:Win32/WmiprvseRemoteProc.B\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint alerts with the following titles can indicate possible presence of Volt Typhoon\r\nactivity.\r\nVolt Typhoon threat actor detected\r\nThe following alerts may also be associated with Volt Typhoon activity. 
Note, however, that these alerts can also\r\nbe triggered by threat activity unrelated to Volt Typhoon.\r\nA machine was configured to forward traffic to a non-local address\r\nNtdsutil collecting Active Directory information\r\nPassword hashes dumped from LSASS memory\r\nSuspicious use of wmic.exe to execute code\r\nImpacket toolkit\r\nHunting queries\r\nMicrosoft 365 Defender\r\nVolt Typhoon’s post-compromise activity usually includes distinctive commands. Searching for these can help to\r\ndetermine the scope and impact of an incident.\r\nFind commands creating domain controller installation media\r\nThis query can identify domain controller installation media creation commands similar to those used by Volt\r\nTyphoon.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"ntdsutil\", \"create full\", \"pro\")\r\nFind commands establishing internal proxies\r\nThis query can identify commands that establish internal proxies similar to those used by Volt Typhoon.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"portproxy\", \"netsh\", \"wmic\", \"process call create\", \"v4tov4\")\r\nFind detections of custom FRP executables\r\nThis query can identify alerts on files that match the SHA-256 hashes of known Volt Typhoon custom FRP\r\nbinaries.\r\nAlertEvidence\r\n| where SHA256 
in\r\n('baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c',\r\n'b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74',\r\n'4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349',\r\n'c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d',\r\n'd6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af',\r\n'9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a',\r\n'450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267',\r\n'93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066',\r\n'7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5',\r\n'389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61',\r\n'c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b',\r\n'e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95',\r\n'6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff',\r\n'cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984',\r\n'17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4',\r\n'8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2',\r\n'd17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295',\r\n'472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d',\r\n'3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642')\r\nMicrosoft Sentinel\r\nBelow are some suggested queries to assist Microsoft Sentinel customers in identifying Volt Typhoon activity in\r\ntheir environment:\r\nLSASS process memory dumping\r\nPotential Impacket execution\r\nDomain controller installation media creation commands similar to those used by Volt Typhoon\r\nCommands that set up internal proxies resembling the ones employed by Volt Typhoon\r\nMicrosoft customers can use the TI Mapping analytics (a series of analytics 
all prefixed with ‘TI map’) to\r\nautomatically match the malicious hash indicators (related to the custom Fast Reverse Proxy binaries) mentioned\r\nin this blog post. These analytics are part of the Threat Intelligence solution and can be installed from the\r\nMicrosoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found\r\nhere: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nIndicators of compromise (IOCs)\r\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these\r\nindicators in their environments and implement detections and protection to identify past related activity and\r\nprevent future attacks against their systems.\r\nVolt Typhoon custom FRP executable (SHA-256):\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
	],
	"report_names": [
		"volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31ac70ef392ddbfbbf525acd62d55bea42154639.pdf",
		"text": "https://archive.orkl.eu/31ac70ef392ddbfbbf525acd62d55bea42154639.txt",
		"img": "https://archive.orkl.eu/31ac70ef392ddbfbbf525acd62d55bea42154639.jpg"
	}
}