{
	"id": "6442fb73-8b07-48de-8c19-7173380118ea",
	"created_at": "2026-04-06T03:37:46.914371Z",
	"updated_at": "2026-04-10T03:34:44.52428Z",
	"deleted_at": null,
	"sha1_hash": "f0dd8ede9107313e84e8e3dba7819690fe9bb116",
	"title": "Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182051,
	"plain_text": "Salt Typhoon: An Analysis of Vulnerabilities Exploited by this\r\nState-Sponsored Actor\r\nBy Scott Caveza\r\nPublished: 2025-01-23 · Archived: 2026-04-06 03:26:58 UTC\r\nSalt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine\r\nU.S.-based telecommunications companies with the intent to target high profile government and political\r\nfigures. Tenable Research examines the tactics, techniques and procedures of this threat actor.\r\nBackground\r\nThroughout 2024, attacks from sophisticated advanced persistent threat (APT) actors associated with the People’s\r\nRepublic of China (PRC) were a major focus for U.S. government organizations, including the Cybersecurity and\r\nInfrastructure Security Agency (CISA). In a previous blog post, we examined Volt Typhoon, a PRC state-sponsored actor known to target critical infrastructure. However in September, the Wall Street Journal reported on\r\nanother PRC actor, Salt Typhoon, citing anonymous sources who said that the group had breached multiple U.S.\r\ntelecommunications providers. While several outlets reported on speculation of the report, in early October, CISA\r\nand the Federal Bureau of Investigation (FBI) offered official confirmation of the attacks when they released a\r\njoint statement that “the U.S. Government is investigating the unauthorized access to commercial\r\ntelecommunications infrastructure by actors affiliated with the People’s Republic of China.” By December, a\r\nWhite House press call confirmed that at least eight U.S. telecommunications providers had been breached, with\r\nthat figure increasing to at least nine telecommunications companies by December 27. 
As new details emerge on\r\nSalt Typhoon and its targets, this Tenable Research blog examines the tactics, techniques and procedures (TTPs)\r\nemployed, including the exploitation of known vulnerabilities associated with this threat actor.\r\nAnalysis\r\nSalt Typhoon is a sophisticated threat group whose targets include the telecommunications, government and\r\ntechnology sectors. The group is tracked under several monikers, including FamousSparrow, GhostEmperor, Earth\r\nEstries and UNC2286. This APT has most recently been in the news for breaching multiple U.S.\r\ntelecommunications providers; however it’s believed that its targets in this sector span the globe. In the U.S.,\r\ngovernment officials claimed that Salt Typhoon’s targets include government officials primarily involved in\r\n“political activity,” sparking CISA and joint partners to release guidance on visibility and security hardening of\r\ncommunications infrastructure as well as prompting the White House to issue the Executive Order titled\r\n“Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” Based on various reports on Salt\r\nTyphoon, its primary objective appears to be espionage.\r\nIn mid-December, CISA released the document “Mobile Communications Best Practice Guidance,” with an\r\nemphasis on using end-to-end encryption for secure communications. While it’s unclear what information may\r\nhave been accessed by Salt Typhoon, CISA and other government agencies, including the Federal\r\nCommunications Commission (FCC) have been actively helping and providing security guidance to the impacted\r\norganizations, as communications infrastructure is a matter of national security.\r\nKnown CVEs commonly exploited by Salt Typhoon\r\nSalt Typhoon typically gains initial access to its victim networks by targeting external-facing assets using known\r\nvulnerabilities. While not an exhaustive list, the table below highlights some of the CVEs known to have been\r\nexploited by Salt Typhoon.\r\nCVE | Description | CVSSv3 Score | VPR\r\nCVE-2021-26855 | Microsoft Exchange Server Server-Side Request Forgery Vulnerability (ProxyLogon) | 9.8 | 9.8\r\nCVE-2022-3236 | Sophos Firewall Code Injection Vulnerability | 9.8 | 7.4\r\nCVE-2023-48788 | FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability | 9.8 | 9.4\r\nCVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 9.8\r\nCVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability | 8.2 | 6.7\r\n*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was\r\npublished on January 23 and reflects VPR at that time.\r\nSeveral of these vulnerabilities have been routinely exploited by APT and ransomware groups alike, including\r\nCVE-2021-26855, also known as ProxyLogon, and related Microsoft Exchange vulnerabilities including CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Ivanti Connect Secure/Policy Secure and Fortinet\r\nFortiClientEMS have each been the subject of Tenable Research blog posts and CVE-2022-3236, the SQL\r\ninjection flaw in Sophos Firewall, was featured in our “2022 Threat Landscape Report.”\r\nOf these five CVEs, four of them were exploited in the wild as zero-day vulnerabilities. While it’s unknown if Salt\r\nTyphoon exploited any of these flaws as zero-days, the level of sophistication from the group does suggest it has\r\nthe technical ability to develop and exploit zero-day flaws in its attacks.\r\nDespite these CVEs having had patches available, an analysis of anonymized Tenable scan data reveals that of\r\nnearly 30,000 instances impacted by ProxyLogon, a staggering 91% remain unpatched. In stark contrast, in an\r\nanalysis of over 20,000 devices impacted by both Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887),\r\nour data found that these devices were fully remediated in over 92% of cases.\r\nAs part of CISA’s guidance for enhanced visibility and hardening, the agency mentioned Cisco network\r\nequipment. While CISA didn’t mention specific Cisco device models or vulnerabilities, its guidance does note that\r\nPRC-affiliated actors have targeted Cisco-specific devices and as such, care should be taken to ensure\r\norganizations in the communications sector and beyond are properly securing and hardening their Cisco network\r\ndevices. CISA’s recommendations include disabling Cisco’s Smart Install service, which is often abused by\r\nattackers and should be properly configured or disabled to prevent abuse.\r\nPost-Compromise Activity\r\nSalt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a\r\nsignificant time period. It maintains persistence by utilizing custom malware including GhostSpider, SnappyBee\r\nand the Masol remote access trojan (RAT).\r\nIt’s been reported that the group has been active for several years and may have breached and maintained access at\r\ntelecommunications providers for months before being detected. In a recent blog by outgoing CISA Director Jen\r\nEasterly, she revealed that “CISA threat hunters previously detected the same actors in U.S. government\r\nnetworks.”\r\nThe “eyes” of the various “Typhoons”\r\nEach suspected state-sponsored PRC actor includes the family name of “Typhoon.” In recent months, CISA and\r\nsecurity vendors have issued several warnings regarding the various “Typhoon” groups, including Volt Typhoon,\r\nFlax Typhoon, and Salt Typhoon. Volt Typhoon’s focus is persistence and stealth, targeting critical infrastructure\r\nwhile Flax Typhoon’s focus is on attack infrastructure, building botnets from compromised Internet of Things\r\n(IoT) devices.\r\nWhile each group’s targets and activities are unique, the “eye” of each of these typhoons is that they target unpatched\r\nand often well-known vulnerabilities for initial access, targeting public-facing servers. Despite the persistence of\r\nthese threat actors, it's vital that organizations routinely patch public-facing devices and quickly mitigate known\r\nand exploited vulnerabilities. This is underscored in commentary from the Federal Communications Commission\r\n(FCC) Chairwoman Jessica Rosenworcel:\r\n“In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks.\r\nOur existing rules are not modern. It is time we update them to reflect current threats so that we have a\r\nfighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action\r\nis now. We do not have the luxury of waiting.”\r\nIdentifying affected systems\r\nTenable offers several solutions to help identify potential exposures and attack paths as well as to identify systems\r\nvulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend using the Tenable One\r\nExposure Management Platform. Tenable One extends beyond traditional vulnerability management, which\r\nconcentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure\r\nmanagement program, Tenable One includes data about configuration issues, vulnerabilities and attack paths\r\nacross a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud\r\nconfigurations and deployments; and web applications.\r\nTenable Plugin Coverage\r\nA list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-26855,\r\nCVE-2022-3236, CVE-2023-48788, CVE-2024-21887 and CVE-2023-46805. These links will display all\r\navailable plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to these\r\nCVEs, we also recommend scanning with plugin ID 105161 to identify if Cisco Smart Install is enabled on any\r\nCisco devices in your network.\r\nTenable Attack Path Analysis techniques\r\nThe following is a list of attack paths associated with Salt Typhoon and the associated Tenable Attack Path\r\nAnalysis techniques:\r\nMITRE ATT\u0026CK ID | Description | Tenable Attack Path techniques\r\nT1003.003 | OS Credential Dumping: NTDS | T1003.003_Windows\r\nT1021 | Remote Services | T1021.002_Windows\r\nT1047 | Windows Management Instrumentation | T1047_Windows\r\nT1053.005 | Create or Modify System Process: Windows Service | T1053.005_Windows\r\nT1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows\r\nT1059.003 | Command and Scripting Interpreter: Windows Command Shell | T1059.003_Windows\r\nT1068 | Exploitation for Privilege Escalation | T1068_Windows\r\nT1078 | Valid Accounts | T1078.001_ICS, T1078.003_Windows, T1078.004_Azure\r\nT1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows\r\nT1082 | System Information Discovery | T1082\r\nT1087 | Account Discovery | T1087.004_Azure, T1087.004_AWS\r\nT1134 | Access Token Manipulation | T1134.005_Windows\r\nT1190 | Exploit Public-Facing Application | T1190_Aws, T1190_WAS\r\nT1203 | Exploitation for Client Execution | T1203_Windows\r\nT1482 | Domain Trust Discovery | T1482_Windows\r\nT1547 | Boot or Logon Autostart Execution | T1547.002_Windows, T1547.005_Windows\r\nT1574 | Hijack execution flow | T1574.007_Windows, T1574.009_Windows, T1574.010_Windows, T1574.011_Windows\r\nTenable Identity Exposure Indicators of Exposure and Indicators of Attack\r\nThe following is a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:\r\nMITRE ATT\u0026CK ID | Description | Indicators\r\nT1003.003 | OS Credential Dumping: NTDS | I-NtdsExtraction\r\nT1021 | Remote Services | C-LAPS-UNSECURE-CONFIG, C-AAD-PRIV-SYNC, C-USERS-REVER-PWDS\r\nT1036 | Masquerading | C-CONFLICTED-OBJECTS\r\nT1055.001 | Process Injection: Dynamic-link Library Injection | I-DnsAdmins\r\nT1068 | Exploitation for Privilege Escalation | I-SamNameImpersonation\r\nT1078 | Valid Accounts | MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT, C-PASSWORD-DONT-EXPIRE, C-USER-PASSWORD, C-PRIV-ACCOUNTS-SPN, C-NATIVE-ADM-GROUP-MEMBERS, C-AAD-SSO-PASSWORD, C-MSA-COMPLIANCE, C-PASSWORD-POLICY, C-REVER-PWD-GPO, C-CLEARTEXT-PASSWORD, C-DC-ACCESS-CONSISTENCY, C-PROP-SET-SANITY, C-SLEEPING-ACCOUNTS, C-KERBEROS-CONFIG-ACCOUNT, HIGH-NUMBER-OF-ADMINISTRATORS, MISSING-MFA-FOR-PRIVILEGED-ACCOUNT, C-AUTH-SILO, C-KRBTGT-PASSWORD, C-AAD-PRIV-SYNC, C-SERVICE-ACCOUNT, C-PASSWORD-NOT-REQUIRED, C-ADMIN-RESTRICT-AUTH, C-ADMINCOUNT-ACCOUNT-PROPS, C-DANGEROUS-SENSITIVE-PRIVILEGES, C-PKI-DANG-ACCESS, C-EXCHANGE-MEMBERS, C-PASSWORD-HASHES-ANALYSIS, C-ADM-ACC-USAGE, C-DANG-PRIMGROUPID, C-DSHEURISTICS\r\nT1134 | Access Token Manipulation | C-ACCOUNTS-DANG-SID-HISTORY\r\nT1190 | Exploit Public-Facing Application | APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION\r\nT1203 | Exploitation for Client Execution | C-OBSOLETE-SYSTEMS\r\nTenable Web App Scanning\r\nMITRE ATT\u0026CK ID | Description | Indicators\r\nT1190 | Exploit Public-Facing Application | T1190_WAS\r\nJoin Tenable's Security Response Team on the Tenable Community.\r\nLearn more about Tenable One, the Exposure Management Platform for the modern attack surface.\r\nScott Caveza\r\nSenior Staff Research Engineer, Research Special Operations\r\nScott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written\r\nhundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of\r\nthe Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is\r\ncurrently a member of the Research Special Operations team, helping the research organization respond to the\r\nlatest threats. He has over a decade of experience in the industry with previous work in the Security Operations\r\nCenter (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively\r\nmaintains his GIAC GWAPT Web Application Penetration Tester certification.\r\nInterests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He\r\nalso enjoys finding ways to break web applications and home renovation projects.\r\nSource: https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor"
	],
	"report_names": [
		"salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446666,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0dd8ede9107313e84e8e3dba7819690fe9bb116.pdf",
		"text": "https://archive.orkl.eu/f0dd8ede9107313e84e8e3dba7819690fe9bb116.txt",
		"img": "https://archive.orkl.eu/f0dd8ede9107313e84e8e3dba7819690fe9bb116.jpg"
	}
}