{
	"id": "7cde8fbf-04e8-4d2b-a767-c8bc80550655",
	"created_at": "2026-04-06T00:13:49.063681Z",
	"updated_at": "2026-04-10T13:11:56.259623Z",
	"deleted_at": null,
	"sha1_hash": "de6298bc9929cfe713d49bc9cd6f03647fd1d815",
	"title": "MAR-10448362-1.v1 Volt Typhoon | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134206,
	"plain_text": "MAR-10448362-1.v1 Volt Typhoon | CISA\r\nPublished: 2024-02-07 · Archived: 2026-04-05 17:00:13 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use\r\nTLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and\r\nprocedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without\r\nrestriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nCISA received three files for analysis obtained from a critical infrastructure organization compromised by the People’s Republic of China\r\n(PRC) state-sponsored cyber group known as Volt Typhoon. \r\nThe submitted files enable discovery and command-and-control (C2): (1) an open-source Fast Reverse Proxy Client (FRPC)\r\ntool used to open a reverse proxy between the compromised system and a Volt Typhoon C2 server; (2) a Fast Reverse Proxy\r\n(FRP) that can be used to reveal servers situated behind a network firewall or obscured through Network Address\r\nTranslation (NAT); and (3) a publicly available port scanner called ScanLine. \r\nFor more information on Volt Typhoon, see the joint Cybersecurity Advisory PRC State-Sponsored Actors Compromise and\r\nMaintain Persistent Access to U.S. Critical Infrastructure. 
For more information on PRC state-sponsored malicious cyber\r\nactivity, see CISA’s China Cyber Threat Overview and Advisories webpage.\r\nSubmitted Files (3)\r\n99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1 (SMSvcService.exe)\r\neaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0 (eaef901b31b5835035b75302f94fee...)\r\nedc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70 (BrightmetricAgent.exe)\r\nFindings\r\nedc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70\r\nTags\r\nobfuscated, proxy, trojan, utility\r\nDetails\r\nName BrightmetricAgent.exe\r\nSize 2840064 bytes\r\nType PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 fd41134e8ead1c18ccad27c62a260aa6\r\nSHA1 04423659f175a6878b26ac7d6b6e47c6fd9194d1\r\nSHA256 edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70\r\nSHA512 df55591e730884470afba688e17c83fafb157ecf94c9f10a20e21f229434ea58b59f8eb771f8f9e29993f43f4969fe66dd913128822b534c9b1\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar24-038a\r\nPage 1 of 8\n\nssdeep 49152:99z0w/qP1dKPzeietmd64H9QaIG0aYkn0GzkWVISaJUET6qyxASuOszP7hn+S6wB:v0R9dKSiekd68ZIQ0obVI9UG6qyuhF6\r\nEntropy 7.999902\r\nAntivirus\r\nAdaware Generic.Trojan.Volt.Marte.A.05F91E9C\r\nAntiy GrayWare/Win32.Kryptik.ffp\r\nBitdefender Generic.Trojan.Volt.Marte.A.05F91E9C\r\nEmsisoft Generic.Trojan.Volt.Marte.A.05F91E9C (B)\r\nESET a variant of WinGo/HackTool.Agent.Y trojan\r\nIKARUS Trojan.WinGo.Rozena\r\nMicrosoft Defender Malware\r\nSophos App/FRProxy-F\r\nVarist W64/Agent.FXW.gen!Eldorado\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis artifact is a cross-platform, full-featured FRP that is written in Go (Golang) and packed using Ultimate Packer\r\nfor Executables (UPX). 
This utility can be used to locate servers behind a network firewall or obscured through NAT. It\r\nincludes the KCP (no acronym) network protocol that allows for error-checked and anonymous delivery of data streams\r\nusing the User Datagram Protocol (UDP) with packet-level encryption support. \r\nThe program contains two different multiplexer libraries that can bi-directionally stream data over a NAT’d network. It also\r\ncontains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows\r\nManagement Instrumentation (WMI), and Z Shell (zsh). In addition, the utility features a unique capability that detects if the\r\nutility is executed from the command line or by double-clicking. \r\nBy default, it is configured to connect to an Internet Protocol (IP) address on Transmission Control Protocol (TCP) port\r\n1080. It must receive a specially formed packet from the C2 for the utility to deploy on the system.\r\neaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0\r\nTags\r\npup, trojan\r\nDetails\r\nName eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0\r\nSize 20480 bytes\r\nType PE32 executable (console) Intel 80386, for MS Windows, UPX compressed\r\nMD5 3a97d9b6f17754dcd38ca7fc89caab04\r\nSHA1 ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34\r\nSHA256 eaef901b31b5835035b75302f94fee27288ce46971c6db6221ecbea9ba7ff9d0\r\nSHA512 d99941e4445efed5d4e407f91a9e5bba08d1be3f0dab065d1bfb4e70ab48d6526a730233d6889ba58de449f622e6a14e99dab853d40fc30a5\r\nssdeep 384:ahXoLj9Zez0Bm4SUZa8WLLXyjSL2RtfAwj/yneIMUogQ:ahXoLhZez0m4SIabLLCmL2Rvj/yeIEg\r\nEntropy 7.297754\r\nAntivirus\r\nAhnLab Unwanted/Win32.Foundstone\r\nAntiy HackTool[NetTool]/Win32.Portscan\r\nClamAV Win.Trojan.Scanline-1\r\nComodo ApplicUnwnt\r\nCylance Malware\r\nFilseclab Hacktool.ScanLine.a.fsff\r\nIKARUS Virtool\r\nMicrosoft Defender Malware\r\nNANOAV 
Riskware.Win32.ScanLine.dhhus\r\nQuick Heal Trojan.Win32\r\nScrutiny Malware\r\nSophos App/ScanLn-A\r\nVirusBlokAda Trojan.Genome.fl\r\nZillya! Tool.Portscan.Win32.77\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis artifact is a command-line port scanning utility from Foundstone, Inc. called ScanLine, which is packed using UPX. It\r\nis used to scan for open UDP and TCP ports, grab banners from open ports, resolve IP addresses to host names, and bind to\r\nspecified ports and IP addresses.\r\nScreenshots\r\nFigure 1 - Usage and syntax for the ScanLine utility.\r\n99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1\r\nTags\r\nobfuscated, proxy, trojan\r\nDetails\r\nName SMSvcService.exe\r\nSize 3712512 bytes\r\nType PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 b1de37bf229890ac181bdef1ad8ee0c2\r\nSHA1 ffdb3cc7ab5b01d276d23ac930eb21ffe3202d11\r\nSHA256 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1\r\nSHA512 e41df636a36ac0cce38e7db5c2ce4d04a1a7f9bc274bdf808912d14067dc1ef478268035521d0d4b7bcf96facce7f515560b38a7ebe47995d\r\nssdeep 98304:z2eyMq4PuR5d7wgdo0OFfnFJkEUCGdaQLhpYYEfRTl6sysy:ryxzbdo0ifnoEOdz9pY7j5\r\nEntropy 7.890436\r\nAntivirus\r\nAdaware Generic.Trojan.Volt.Marte.A.105C517F\r\nAhnLab HackTool/Win.Frpc\r\nAntiy GrayWare/Win32.Kryptik.ffp\r\nBitdefender Generic.Trojan.Volt.Marte.A.105C517F\r\nEmsisoft Generic.Trojan.Volt.Marte.A.105C517F (B)\r\nESET a variant of WinGo/Riskware.Frp.U application\r\nIKARUS Trojan.WinGo.Shellcoderunner\r\nMicrosoft Defender Malware\r\nSophos App/FRProxy-F\r\nVarist W64/Agent.FXW.gen!Eldorado\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1970-01-01 00:00:00+00:00\r\nImport Hash 
6ed4f5f04d62b18d96b26d6db7c18840\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n7f8e8722da728b6e834260b5a314cbac header 512 2.499747\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\nf9943591918adeeeee7da80e4d985a49 UPX1 3711488 7.890727\r\n5c0061445ac2f8e6cadf694e54146914 UPX2 512 1.371914\r\nDescription\r\nThis artifact is a 64-bit Windows executable file that is packed using UPX. This packed file contains a compiled version of\r\nan open-source tool published on GitHub called \"FRPC\". \"FRPC\" is a command-line tool written in Golang that is\r\ndesigned to open a reverse proxy between the compromised system and the threat actor's (TA's) C2 server. \r\nWhen \"FRPC\" is installed and executed on the compromised system, it attempts to establish a connection with the Fast\r\nReverse Proxy Server (FRPS) using the reverse proxy method to allow the TA to control the compromised system. This\r\n\"FRPC\" application supports encryption, compression, and token authentication. It also supports the protocols\r\nbelow: \r\n--Begin protocols-- \r\nTransmission Control Protocol (TCP) \r\nUser Datagram Protocol (UDP) \r\nAn alternative Hypertext Transfer Protocol (HTTP) \r\nAn alternative Hypertext Transfer Protocol Secure (HTTPS) \r\n--End protocols-- \r\nDisplayed below is the \"FRPC\" tool configuration that contains the network communication method, the remote \"FRPS\"\r\nserver's public Internet Protocol (IP) address and port numbers: \r\n--Begin configuration-- \r\n[common] \r\n   server_addr = 192.168.18.111 \r\n   server_port = 8081 \r\n   server_addrs = [Default IP addresses] \r\n   server_ports = 8443,8443,8443 \r\n   token = 1kyRdFmuk0i25JbCJmtift1c9VA05VBS \r\n   protocol = tcp \r\n   tls_enable = true \r\n   disable_custom_tls_first_byte = true \r\n   log_level = debug \r\n       [plugin_socks5] \r\n   type = tcp \r\n   remote_port = 1080 \r\n   plugin = socks5 \r\n   use_encryption 
= true \r\n   use_compression = true \r\n--End configuration-- \r\nDisplayed below are the command-line usages and flags of the \"FRPC\" tool: \r\n--Begin usages and flags-- \r\nUsage: \r\nfrpc [flags] \r\nfrpc [command] \r\nAvailable Commands: \r\nhelp        Help about any command \r\ntcp         Run frpc with a single tcp proxy \r\nudp         Run frpc with a single udp proxy \r\nverify     Verify that the configures is valid \r\nFlags: \r\n-c, --config string config file of frpc (default \"./frpc.ini\") \r\n-h, --help            help for frpc \r\n-v, --version         version of frpc \r\nUse \"frpc [command] --help\" for more information about a command. \r\n-------------------------------------------------------------------------------------------- \r\nRun frpc with a single tcp proxy \r\nUsage: \r\nfrpc tcp [flags] \r\nFlags: \r\n    --disable_log_color    disable log color in console \r\n-h, --help                 help for tcp \r\n-i, --local_ip string     local ip (default \"127.0.0.1\") \r\n-l, --local_port int     local port \r\n    --log_file string     console or file path (default \"console\") \r\n    --log_level string     log level (default \"info\") \r\n    --log_max_days int     log file reversed days (default 3) \r\n-p, --protocol string     tcp or kcp or websocket (default \"tcp\") \r\n-n, --proxy_name string    proxy name \r\n-r, --remote_port int     remote port \r\n-s, --server_addr string frp server's address (default \"127.0.0.1:7000\") \r\n    --tls_enable         enable frpc tls \r\n-t, --token string         auth token \r\n    --uc                 use compression \r\n    --ue                 use encryption \r\n-u, --user string         user \r\nGlobal Flags: \r\n-c, --config string config file of frpc (default \"./frpc.ini\") \r\n-v, --version         version of frpc \r\n------------------------------------------------------------------------------------------------------------------- \r\nRun frpc with a single udp proxy \r\nUsage: 
\r\nfrpc udp [flags] \r\nFlags: \r\n    --disable_log_color    disable log color in console \r\n-h, --help                 help for udp \r\n-i, --local_ip string     local ip (default \"127.0.0.1\") \r\n-l, --local_port int     local port \r\n    --log_file string     console or file path (default \"console\") \r\n    --log_level string     log level (default \"info\") \r\n    --log_max_days int     log file reversed days (default 3) \r\n-p, --protocol string     tcp or kcp or websocket (default \"tcp\") \r\n-n, --proxy_name string    proxy name \r\n-r, --remote_port int     remote port \r\n-s, --server_addr string frp server's address (default \"127.0.0.1:7000\") \r\n    --tls_enable         enable frpc tls \r\n-t, --token string         auth token \r\n    --uc                 use compression \r\n    --ue                 use encryption \r\n-u, --user string         user \r\nGlobal Flags: \r\n-c, --config string config file of frpc (default \"./frpc.ini\") \r\n-v, --version         version of frpc \r\n---------------------------------------------------------------------------------------------------------------------------- \r\nVerify that the configures is valid \r\nUsage: \r\nfrpc verify [flags] \r\nFlags: \r\n-h, --help help for verify \r\nGlobal Flags: \r\n-c, --config string config file of frpc (default \"./frpc.ini\") \r\n-v, --version         version of frpc \r\n--End usages and flags--\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. 
If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? 
A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or contact@mail.cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://www.cisa.gov/resources-tools/services/malware-next-generation-analysis\r\nE-Mail: submit@malware.us-cert.gov\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://www.cisa.gov/news-events/analysis-reports/ar24-038a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/analysis-reports/ar24-038a"
	],
	"report_names": [
		"ar24-038a"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de6298bc9929cfe713d49bc9cd6f03647fd1d815.pdf",
		"text": "https://archive.orkl.eu/de6298bc9929cfe713d49bc9cd6f03647fd1d815.txt",
		"img": "https://archive.orkl.eu/de6298bc9929cfe713d49bc9cd6f03647fd1d815.jpg"
	}
}