{
	"id": "6301a9d5-36dd-4c29-9314-e50da90048c9",
	"created_at": "2026-04-06T00:13:40.503453Z",
	"updated_at": "2026-04-10T13:12:39.375066Z",
	"deleted_at": null,
	"sha1_hash": "9e05c7c128f80e2c3407791ee36a85b17f8ecbc6",
	"title": "Volt Typhoon - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80665,
	"plain_text": "Volt Typhoon - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:30:37 UTC\r\n APT group: Volt Typhoon\r\nNames\r\nVolt Typhoon (Microsoft)\r\nVanguard Panda (CrowdStrike)\r\nBronze Silhouette (SecureWorks)\r\nRedfly (Symantec)\r\nInsidious Taurus (Palo Alto)\r\nVOLTZITE (Dragos)\r\nDev-0391 (Microsoft)\r\nStorm-0391 (Microsoft)\r\nUNC3236 (Mandiant)\r\nUAT-5918 (Talos)\r\nUAT-7237 (Talos)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription (Microsoft) Microsoft has uncovered stealthy and targeted malicious activity focused on\r\npost-compromise credential access and network system discovery aimed at critical\r\ninfrastructure organizations in the United States. The attack is carried out by Volt\r\nTyphoon, a state-sponsored actor based in China that typically focuses on espionage and\r\ninformation gathering. Microsoft assesses with moderate confidence that this Volt\r\nTyphoon campaign is pursuing development of capabilities that could disrupt critical\r\ncommunications infrastructure between the United States and Asia region during future\r\ncrises.\r\nVolt Typhoon has been active since mid-2021 and has targeted critical infrastructure\r\norganizations in Guam and elsewhere in the United States. In this campaign, the affected\r\norganizations span the communications, manufacturing, utility, transportation,\r\nconstruction, maritime, government, information technology, and education sectors.\r\nObserved behavior suggests that the threat actor intends to perform espionage and\r\nmaintain access without being detected for as long as possible. Microsoft is choosing to\r\nhighlight this Volt Typhoon activity at this time because of our significant concern\r\naround the potential for further impact to our customers. 
Although our visibility into\r\nthese threats has given us the ability to deploy detections to our customers, the lack of\nvisibility into other parts of the actor’s activity compelled us to drive broader community\nawareness and further investigations and protections across the security ecosystem.\nObserved\nSectors: Construction, Education, Energy, Government, Industrial, IT, Maritime and\nShipbuilding, Manufacturing, Telecommunications, Transportation, Utilities.\nCountries: Australia, Canada, India, Singapore, Taiwan, UK, USA.\nTools used FRP, Impacket, Living off the Land.\nOperations performed\nJun 2021\nChinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S.\nGovernment and Defense Organizations\nFeb 2022\nRouters Roasting on an Open Firewall: the KV-botnet Investigation\n2023\nHunting Active Threats in Littleton’s Grid with the Dragos Platform and\nOT Watch\n2023\nUAT-5918 targets critical infrastructure entities in Taiwan\nFeb 2023\nRedfly: Espionage Actors Continue to Target Critical Infrastructure\nJun 2023\nAnalysis of CVE-2023-27997 and Clarifications on Volt Typhoon\nCampaign\nJun 2023\nBusiness as Usual: Falcon Complete MDR Thwarts Novel VANGUARD\nPANDA (Volt Typhoon) Tradecraft\nJul 2023\nChina's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure\nDec 2023\nVolt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days\nDec 2023\nKV-Botnet: Don’t call it a Comeback\nJun 2024\nTaking the Crossroads: The Versa Director Zero-Day Exploitation\nJun 2024\nChinese group accused of hacking Singtel in telecom attacks\nAug 2025\nUAT-7237 targets Taiwanese web hosting infrastructure\nCounter operations Dec 2023\nU.S. Government Disrupts Botnet People’s Republic of China Used to\nConceal Hacking of Critical Infrastructure\nInformation\nLast change to this card: 16 August 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a8b73194-0ca4-41b0-85ff-3793b83e47c0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a8b73194-0ca4-41b0-85ff-3793b83e47c0"
	],
	"report_names": [
		"showcard.cgi?u=a8b73194-0ca4-41b0-85ff-3793b83e47c0"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ec9542a-2245-466b-86e3-cd345819b09b",
			"created_at": "2023-11-04T02:00:07.67045Z",
			"updated_at": "2026-04-10T02:00:03.388063Z",
			"deleted_at": null,
			"main_name": "Redfly",
			"aliases": [],
			"source_name": "MISPGALAXY:Redfly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7074cc97-be8f-417b-8294-124c3add8668",
			"created_at": "2025-05-29T02:00:03.190761Z",
			"updated_at": "2026-04-10T02:00:03.84828Z",
			"deleted_at": null,
			"main_name": "UAT-5918",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5918",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba78141a-9e8e-4662-91b1-e09dbb802e29",
			"created_at": "2026-02-03T02:00:03.439277Z",
			"updated_at": "2026-04-10T02:00:03.939587Z",
			"deleted_at": null,
			"main_name": "UAT-7237",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-7237",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e05c7c128f80e2c3407791ee36a85b17f8ecbc6.pdf",
		"text": "https://archive.orkl.eu/9e05c7c128f80e2c3407791ee36a85b17f8ecbc6.txt",
		"img": "https://archive.orkl.eu/9e05c7c128f80e2c3407791ee36a85b17f8ecbc6.jpg"
	}
}