{
	"id": "345f93d3-f908-42ae-ab6d-8a72df4539df",
	"created_at": "2026-04-29T02:20:51.573885Z",
	"updated_at": "2026-04-29T08:21:41.922323Z",
	"deleted_at": null,
	"sha1_hash": "41da4effa3acf0d389f22d5555c1aee31774f8a1",
	"title": "Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 878572,
	"plain_text": "Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations\r\nBy Secureworks Counter Threat Unit\r\nPublished: 2023-05-24 · Archived: 2026-04-29 02:02:48 UTC\r\nDirect observations of multiple intrusions reveal that the group focuses on operational security.\r\nOn May 24, 2023, the U.S. National Security Agency (NSA) issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China (PRC) state-sponsored threat group. Secureworks® Counter Threat Unit™ (CTU) researchers attribute this activity to BRONZE SILHOUETTE (referred to in the advisory as Volt Typhoon) and have observed the threat group conducting network intrusion operations against U.S. government and defense organizations since 2021. The tactics, techniques, and procedures (TTPs) and victimology observed during Secureworks incident response (IR) engagements suggest BRONZE SILHOUETTE targets organizations for intelligence-gathering purposes that are in alignment with the requirements of the PRC. The threat group has demonstrated careful consideration for operational security, such as the use of preinstalled binaries to “live off the land,” incorporation of defense evasion techniques, and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity and to blend in with legitimate network activity.\r\nJune 2021 IR engagement\r\nDuring a June 2021 engagement, Secureworks incident responders discovered that BRONZE SILHOUETTE had gained initial access to the compromised organization's single-factor Citrix environment via a domain administrator account. It is unclear how the threat actors obtained these credentials. BRONZE SILHOUETTE moved laterally to another web server and dropped a simple Java-based web shell (AuditReport.jspx). Secureworks incident responders observed the threat actors execute a series of reconnaissance commands via the web shell (see Figure 1).\r\nFigure 1. Reconnaissance commands issued through Java-based web shell. (Source: Secureworks)\r\nhttps://web.archive.org/web/20230601025540/https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations\r\nPage 1 of 6\n\nBRONZE SILHOUETTE then wrote Base64-encoded text to C:\\Windows\\Temp\\ntuser.ini and decoded it to C:\\Windows\\Temp\\iisstart.aspx via the certutil command (see Figure 2).\r\nFigure 2. Web shell written to disk, decoded, and copied to remote web server. (Source: Secureworks)\r\nThe iisstart.aspx file is a C# web shell that is likely a derivative of the Awen web shell and is used for remote command execution (see Figure 3). The threat actors copied the web shell to a second web server in the environment and used it to gather system information via the 'whoami' and 'tasklist' commands.\r\nFigure 3. Snippet from the C# web shell deployed by BRONZE SILHOUETTE. (Source: Secureworks)\r\nSecureworks incident responders observed BRONZE SILHOUETTE using the AuditReport.jspx web shell to perform the following tasks on the first web server:\r\n- Used Windows Management Instrumentation (WMI) to execute the Ntdsutil Active Directory (AD) management tool on the domain controller (see Figure 4). This command creates a copy of the ntds.dit AD database for credential attacks such as pass the hash or offline password hash cracking.\r\nFigure 4. Credential dumping using Ntdsutil. (Source: Secureworks)\r\n- Copied the ntds.dit database to the web server via xcopy, compressed the database as a multi-volume password-protected archive via 7-Zip, and saved the volumes to a public-facing directory on the same server with legitimate-sounding filenames and a .gif extension.\r\n- Used the rd command with the /S switch to delete the threat actors' working directories and files.\r\nThe threat actors then exfiltrated the dumped AD database to an external IP address. This IP address belonged to a compromised server at an organization in the same vertical as the compromised organization.\r\nSeptember 2021 IR engagement\r\nBRONZE SILHOUETTE reappeared in a September 2021 Secureworks IR engagement against an organization in the U.S. The threat actors gained initial access by exploiting a vulnerability in an internet-facing ManageEngine ADSelfService Plus server (likely CVE-2021-40539). BRONZE SILHOUETTE deployed a web shell (ReportGenerate.jsp) and interacted with it to run reconnaissance commands using built-in Windows tools such as net user, nltest, netstat, and systeminfo (see Figure 5).\r\nFigure 5. BRONZE SILHOUETTE reconnaissance commands. (Source: Secureworks)\r\nSecureworks incident responders observed the threat actors executing ADSSPlus.exe, which is a renamed csvde.exe file. The csvde.exe command-line utility provides import and export functionality for Lightweight Directory Access Protocol (LDAP) repositories. The threat actors used the '-f' switch, which exports a list of AD objects to the ADSSPlus.dat file (see Figure 6).\r\nFigure 6. Threat actor command to export AD objects to ADSSPlus.dat. (Source: Secureworks)\r\nBRONZE SILHOUETTE used the Windows makecab command to compress the ADSSPlus.dat file into a cabinet (.cab) file, but Secureworks incident responders did not observe the threat actor exfiltrating the file.\r\nJune 2022 IR engagement\r\nDuring a June 2022 engagement, Secureworks incident responders discovered that BRONZE SILHOUETTE had deployed a single web shell to multiple servers across the environment after likely exploiting an internet-facing PRTG Network Monitor server. The web shell was also a derivative of the Awen web shell but included key modifications such as the addition of AES encryption and decryption for command and control (C2) communications. Based on web shell file creation timestamps, the network was likely compromised in May 2021.\r\nThe threat actors used WMI to execute the native vssadmin command on a domain controller to create a volume shadow copy (see Figure 7). They then extracted the ntds.dit AD database and the SYSTEM registry hive from the volume shadow copy (see Figure 7).\r\nFigure 7. Threat actor WMI commands to extract the ntds.dit database. (Source: Secureworks)\r\nSecureworks incident responders observed the threat actors using 7-Zip to create an archive file containing the SYSTEM registry hive and ntds.dit, likely for exfiltration. A few days later, the threat actors moved laterally to a ManageEngine ADSelfService Plus server and ran reconnaissance commands. One command revealed BRONZE SILHOUETTE searching for one of its C2 IP addresses (see Figure 8).\r\nFigure 8. Threat actor commands run under the ManageEngine Java process. (Source: Secureworks)\r\nA CTU investigation into the attacker-controlled C2 infrastructure revealed at least three PRTG servers belonging to other organizations. This discovery suggests that BRONZE SILHOUETTE targets vulnerable PRTG servers for initial access into a target environment and to establish its C2 infrastructure.\r\nBRONZE SILHOUETTE: A member of the new wave of Chinese threat groups?\r\nCTU analysis of the direct observations from BRONZE SILHOUETTE intrusions reveals a threat group that favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives. For example, the June 2021 IR engagement determined that the threat actors were inside the compromised network for only 90 minutes before obtaining the ntds.dit AD database. The threat actors also take steps to identify and remove evidence of their presence on a network, such as inspecting server logs for their C2 IP address and deleting files used during their intrusions.\r\nBRONZE SILHOUETTE's use of other organizations' compromised servers in its C2 proxy network may help obfuscate the source of the intrusion activity and make attribution more challenging. In some intrusions, the C2 communications could blend in with legitimate business network traffic to reduce the likelihood of detection.\r\nBRONZE SILHOUETTE has consistently focused on operational security, including a minimal intrusion footprint, incorporation of defense evasion techniques, and use of compromised infrastructure in multiple intrusions. This focus suggests a high level of operational maturity and adherence to a blueprint designed to reduce the likelihood of the detection and attribution of its intrusion activity. This attention to operational security, particularly when targeting Western organizations, is consistent with network compromises that CTU researchers have attributed to Chinese threat groups in recent years. These tradecraft developments have likely been driven by a series of high-profile U.S. Department of Justice indictments of Chinese nationals allegedly involved in cyberespionage activity, public exposures of this type of activity by security vendors, and the consequential likely increased pressure from PRC leadership to avoid public scrutiny of its cyberespionage activity.\r\nBRONZE SILHOUETTE likely operates on behalf of the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlaps with other state-sponsored Chinese threat groups.\r\nTo mitigate exposure to this threat, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The IP addresses may host malicious content, so consider the risks before opening them in a browser.\r\nIndicator | Type | Context\r\n006c4a5950f75c2c9049cda1a62c09a0 | MD5 hash | Web shell (iisstart.aspx) used by BRONZE SILHOUETTE\r\n4d3572cfc8460fe0299377f6bc05d865a987529f | SHA1 hash | Web shell (iisstart.aspx) used by BRONZE SILHOUETTE\r\n3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f | SHA256 hash | Web shell (iisstart.aspx) used by BRONZE SILHOUETTE\r\naf3a81605aa8e29c8be9e91d2ce19fc1 | MD5 hash | Base64-encoded web shell (ntuser.ini) used by BRONZE SILHOUETTE\r\na9e32e2bd499c1070f4e0b5a6d85119f1aa0a778 | SHA1 hash | Base64-encoded web shell (ntuser.ini) used by BRONZE SILHOUETTE\r\nfe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15 | SHA256 hash | Base64-encoded web shell (ntuser.ini) used by BRONZE SILHOUETTE\r\n670545a24a2ce2ac7a0e863790bfe2e1 | MD5 hash | Java web shell (AuditReport.jspx) used by BRONZE SILHOUETTE\r\n4ba6b043313c8d163f2ab7c4505c8b9b8cd68061 | SHA1 hash | Java web shell (AuditReport.jspx) used by BRONZE SILHOUETTE\r\nee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484 | SHA256 hash | Java web shell (AuditReport.jspx) used by BRONZE SILHOUETTE\r\n109.166.39.139 | IP address | BRONZE SILHOUETTE C2 server\r\n23.227.198.247 | IP address | BRONZE SILHOUETTE C2 server\r\n104.161.54.203 | IP address | BRONZE SILHOUETTE C2 server\r\nTable 1. Indicators for this threat.\r\nRead more about Chinese threats in the 2022 State of the Threat report. If you need urgent assistance with an incident, contact the Secureworks Incident Response team.\r\nSource: https://web.archive.org/web/20230601025540/https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20230601025540/https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations"
	],
	"report_names": [
		"chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-29T06:58:58.270898Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-29T06:58:57.735943Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus",
				"DazedToad"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-29T06:58:57.508616Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-29T06:58:56.581488Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391",
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429251,
	"ts_updated_at": 1777450901,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41da4effa3acf0d389f22d5555c1aee31774f8a1.pdf",
		"text": "https://archive.orkl.eu/41da4effa3acf0d389f22d5555c1aee31774f8a1.txt",
		"img": "https://archive.orkl.eu/41da4effa3acf0d389f22d5555c1aee31774f8a1.jpg"
	}
}