{
	"id": "54d1d02c-0620-4597-9437-1f4817768493",
	"created_at": "2026-04-06T00:11:02.248251Z",
	"updated_at": "2026-04-10T03:34:44.496535Z",
	"deleted_at": null,
	"sha1_hash": "fa9019b5ebe894fa5ef3a1365b8dbd33da6edb67",
	"title": "Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103593,
	"plain_text": "Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious\r\nTaurus (Volt Typhoon)\r\nBy Unit 42\r\nPublished: 2024-02-14 · Archived: 2026-04-02 10:44:43 UTC\r\nExecutive Summary\r\nInsidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as\r\nPeople’s Republic of China (PRC) state-sponsored cyber actors. This group focuses on pre-positioning themselves within\r\nU.S. critical infrastructure IT networks, likely in preparation for disruptive or destructive cyberattacks in the event of a\r\nmajor crisis or conflict with the United States. During a hearing on Jan. 31, 2024, FBI director Christopher Wray told the\r\nU.S. House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party\r\nthat Volt Typhoon was “the defining threat of our generation.”\r\nThe U.S. government, in collaboration with international government allies,  has published two Joint Cybersecurity\r\nAdvisories (CSA) about this activity. They published the first Joint CSA on May 24, 2023. They published the second Joint\r\nCSA on Feb. 7, 2024.  \r\nThe first CSA discusses the group’s use of small office/home office (SOHO) network devices as intermediate infrastructure\r\nto obscure their activity. It also describes the use of living-off-the-land techniques and the use of built-in network\r\nadministration tools to perform objectives, as means of hiding their activity. Palo Alto Networks was credited for providing\r\ninput on the activity as part of the first CSA.\r\nThe second CSA discussed a wider set of techniques used by this group. These techniques include performing extensive pre-compromise reconnaissance, the exploitation of known or zero-day vulnerabilities in public-facing network appliances to\r\ngain initial access, and a focus on gaining administrator credentials within a victim environment. \r\nThe U.S. 
Department of Justice published a press release on Jan. 31 stating that a court-authorized operation has disrupted a\r\nbotnet of hundreds of U.S.-based SOHO devices infected with the KV-botnet. The KV-botnet has been used by multiple\r\ndifferent threat actors, including Insidious Taurus. \r\nThe vast majority of the devices included in the botnet were routers that were vulnerable because they were no longer\r\nsupported through their manufacturer’s security patches or other software updates. Threat actor groups chain together\r\ncompromised devices within this botnet to form a covert data transfer network. \r\nDespite the disruption of the KV-botnet, Insidious Taurus remains an ongoing threat, and cyberattacks targeting critical\r\ninfrastructure warrant special attention. Unit 42 will continue to update this threat brief as more information becomes\r\navailable.\r\nPalo Alto Networks customers are better protected from Insidious Taurus through the following:\r\nThe Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with\r\nThreat Prevention signatures.\r\nAdvanced Threat Prevention has inbuilt machine learning-based detection that can detect exploits in real time.\r\nAdvanced URL Filtering and DNS Security identify known IPs and domains associated with this group as malicious.\r\nCortex XSOAR can automate workflows for data enrichment, indicators of compromise (IoC) hunting and\r\nremediation actions to reduce manual work and speed up the patching process.\r\nThe Cortex XDR and XSIAM agent helps protect against the techniques executed by this threat actor using Behavioral\r\nThreat Protection and its multiple security modules. 
Cortex Analytics has multiple detection models covering the\r\ntechniques, with additional relevant coverage by the Identity Analytics module.\r\nCortex Xpanse is able to detect a wide range of internet-exposed SOHO devices.\r\nPrisma Cloud agents have detection for all known Insidious Taurus malware samples listed within WildFire.\r\nPrisma Access has detection for all known Insidious Taurus malware samples within WildFire and all related threat\r\nsignatures will be detectable at services turnup.\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.\r\nAdversary Attack Methodology\r\nIn late 2021, Unit 42 observed a threat actor (now identified as Insidious Taurus) using a then-undisclosed Zoho\r\nManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) for initial access. While performing incident response\r\nactivities, Unit 42 identified a connection to a network-attached storage (NAS) server with FTP running. We found a sample\r\nof SockDetour in the trash of that NAS.  \r\nhttps://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/\r\nPage 1 of 6\n\nSockDetour is a custom backdoor used to maintain persistence, designed to serve as a backup backdoor in case a threat\r\nactor’s primary one is removed. The tactics and techniques used during this event aligned with what Microsoft then called\r\nDEV-0391, which is now known as Volt Typhoon. \r\nInsidious Taurus also uses one rarely used malware family, EarthWorm, as well as custom versions of open-source tools\r\nImpacket and Fast Reverse Proxy. Employment of these tools further underscores our assessment of the attackers’ technical\r\nskill and their focus on remaining undetected. \r\nExploiting vulnerabilities in internet-facing devices is a known initial access vector for Insidious Taurus. 
They are believed\r\nto have the capability to identify and develop their own zero-day exploits while also taking advantage of publicly disclosed\r\nvulnerabilities and exploits. \r\nOnce initial access has been achieved, a common attribute of attacks is the need to generate as little malicious activity as\r\npossible to evade detection and blocking by protection software. Getting caught at all, let alone quickly, precludes\r\noperational success. \r\nInsidious Taurus actors take multiple steps to avoid detection, showing an overall technical ability only seen with advanced\r\nattackers. One of the ways they do this is by using compromised SOHO devices. Originating attacks from households or\r\nsmall businesses aids attackers because many do not have significant security protections in place. \r\nIn addition to requiring manual software updates, SOHO devices are also rarely configured according to best practices by\r\nusers, and they have network management interfaces exposed directly online. Because of this, many attackers of all\r\nmotivations – including botnets – also recognize and use SOHO devices for malicious activity. This was true for the case\r\nUnit 42 worked in late 2021, where a connection led to the identification of the compromised NAS server.\r\nAnother common technique Insidious Taurus has used to remain undetected, formerly the sole realm of advanced attackers\r\nbut now more widely used, is living off the land. This is when attackers abuse legitimate tools – often\r\nthose used by system administrators for legitimate purposes – for malicious use. \r\nIf captured in logs, this activity often looks similar to legitimate network administration use. This includes network\r\nenumeration, determining account permissions and even password recovery tools. Because of their widespread legitimate\r\nuse, these tools are often on allow lists for download and can be difficult to detect when used for malicious activity. 
\r\nAnother way actors can hide their activity when interacting with victim networks is to carry out their work using direct\r\nhands-on keyboard activity versus using scripts to automate activity. By doing so, the attackers can hamper detection efforts\r\nagain because their activity appears to be expected, human activity rather than a barrage of scripted commands to detect and\r\ninterdict. For now, this technique remains one only used effectively by advanced attackers due to the required knowledge\r\nand skill.\r\nInterim Guidance\r\nUnit 42 recommends following the guidance provided by CISA in their latest CSA. This includes the following:\r\nHardening the attack surface\r\nSecuring credentials and accounts\r\nSecuring and limiting the use of remote access services\r\nImplementing network segmentation\r\nSecuring cloud assets\r\nBeing prepared through logging, threat modeling and training\r\nAdditionally, Unit 42 recommends increasing detection opportunities to identify living off the land attacks.\r\nUnit 42 Managed Threat Hunting Queries\r\nThe queries below represent a few ways organizations can hunt for activity that could be related to Insidious Taurus.\r\nHowever, the techniques and IoCs being hunted for here may not be unique to Insidious Taurus, and any results should be\r\nconsidered in the context of other identified activity.\r\n// Description: Looks for the netsh PortProxy command being used to enable port forwarding\r\n// Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter action_process_image_name in (\"netsh.exe\",\"cmd.exe\")\r\n|filter action_process_image_command_line contains \"netsh interface portproxy add v4tov4\"\r\n|fields _time, agent_hostname, actor_effective_username, actor_process_image_path,\r\naction_process_image_command_line\r\n// Description: Looks for the creation of a PortProxy registry 
key\r\n// Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.REGISTRY AND (event_sub_type in (ENUM.REGISTRY_CREATE_KEY,\r\nENUM.REGISTRY_SET_VALUE))\r\n|filter action_registry_key_name =\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PortProxy\\v4tov4\\tcp\"\r\n|fields _time, agent_hostname, actor_effective_username, actor_process_image_name,\r\nactor_process_command_line, event_type, event_sub_type, action_registry_key_name, action_registry_data\r\n// Description: Looks for WMIC information gathering command observed being used by Volt Typhoon\r\n// Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\r\n|filter action_process_image_name = \"wmic.exe\" and actor_process_image_name = \"cmd.exe\" and action_process_image_command_line\r\ncontains \"path win32_logicaldisk get caption,filesystem,freespace,size,volumename\"\r\n|fields\r\n_time,agent_hostname,actor_effective_username,actor_process_image_name,actor_process_command_line,action_process_image_command_line\r\n// Description: Look for attempts to dump NTDS.dit to disk via Ntdsutil IFM command\r\n// Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter action_process_image_name = \"ntdsutil.exe\" AND (action_process_image_command_line contains \"ac i ntds\"\r\nor action_process_image_command_line contains \"activate instance ntds\") and\r\naction_process_image_command_line contains \"create full\"\r\n|fields\r\n_time,agent_hostname,actor_effective_username,actor_process_image_path,action_process_image_command_line\r\n// Description: Look for instances of cmd.exe being spawned with arguments consistent with the usage of Impacket’s\r\nWmiexec\r\n// Ref: 
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START\r\n|filter os_actor_process_image_name = \"wmiprvse.exe\" AND action_process_image_name = \"cmd.exe\" AND\r\naction_process_image_command_line contains \"\"\"/Q /c * \\\\\\\\127.0.0.1\\\\ADMIN$\\\\__* 2\u003e\u00261\"\"\"\r\n|fields _time, agent_hostname, actor_effective_username, os_actor_process_image_name,\r\naction_process_image_command_line\r\n// Description: Looks for the execution of binaries matching the Indicators of compromise (IoCs) in the Volt Typhoon CSA report\r\n// Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START\r\n|filter action_process_image_sha256 in\r\n(\"f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd\",\"ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d42\r\n|fields _time,agent_hostname,actor_effective_username,actor_process_image_path,action_process_image_path,action_process_image_command_lin\r\n// Description: Looks for file writes matching the Indicators of compromise (IoCs) in the Volt Typhoon CSA report\r\n// Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_WRITE\r\n|filter action_file_sha256 in\r\n(\"f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd\",\"ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d42\r\n|fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, action_file_path, action_file_sh\r\n// Description: Looks for the execution of known Volt Typhoon Fast 
Reverse Proxy (frp) binaries\r\n// Ref: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques\r\nconfig case_sensitive = false\r\n|dataset = xdr_data\r\n|filter event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START\r\n|filter action_process_image_sha256 in\r\n(\"baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c\",\"b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d41\r\n|fields _time,agent_hostname,actor_effective_username,actor_process_image_path,action_process_image_path,action_process_image_command_lin\r\nConclusion\r\nBased on the available public information, Unit 42 assesses Insidious Taurus as a top-tier, sophisticated APT. We concur\r\nwith the attribution made in both Joint Cybersecurity Advisories that this activity is associated with a PRC state-sponsored\r\nactor. \r\nAs activity from Insidious Taurus is challenging to detect, we agree with the CSA’s recommendations to focus on a few key\r\nareas. This includes mitigation activities such as updating any internet-facing device like SOHO equipment or virtual private\r\nnetworks (VPNs), as threat actors use these devices as part of a botnet or as an initial access vector. \r\nThese recommendations also include strengthening the use of multifactor authentication. Finally, they include prioritizing\r\nsufficient logging, which can be especially important for detecting activity within an environment that could be indicative\r\nof living off the land techniques. Additional detailed guidance on actions to take can be found in the latest Joint CSA. \r\nPalo Alto Networks customers are better protected through our products, as listed below. 
We will update this threat brief as\r\nmore relevant information becomes available.\r\nPalo Alto Networks Product Protections for Insidious Taurus\r\nPalo Alto Networks customers can leverage a variety of product protections and updates designed to identify and defend\r\nagainst this threat.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks is offering a no-cost, no-obligation emergency bundle for organizations to help identify and mitigate any\r\nexposure to Insidious Taurus's use of exploits that target vulnerabilities in various networking gear, including an Attack\r\nSurface Assessment and a Prisma Access 90-day license.\r\nThis offer is promotional and subject to availability. Due to the rapidly changing nature of this vulnerability, Palo Alto\r\nNetworks reserves the right to update this offer.\r\nNext-Generation Firewalls and Prisma Access With Advanced Threat Prevention\r\nThe Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks via the\r\nfollowing Threat Prevention signatures: 91676, 92734, 91362, 90829, 91363, 86360, 90926, 90952, 90972, 90851, 83202,\r\n85739.\r\nAdvanced Threat Prevention provides inline machine learning that can help detect vulnerability exploits in real time.\r\nPrisma Access\r\nAll known Insidious Taurus malware samples within WildFire and all related threat signatures will be detectable by Prisma\r\nAccess at services turnup.\r\nPrisma Access is a centralized cloud-delivered security service that uses a Zero Trust Strategy. 
It enforces the principles of\r\nleast privilege and continuous trust verification to not only limit access to users based on need, but also to continually\r\nmonitor changes in application workloads. It also monitors user behavior using cutting-edge machine learning and artificial\r\nintelligence to deliver best-in-breed alerts and mitigation. This establishes protection beyond initial access and can help limit\r\nor prevent impact to operations in the case of attempted compromise.\r\nThe environment is automatically updated and protected with the latest inline machine learning-powered threat prevention\r\ntechnologies, such as WildFire, Advanced URL Filtering, Advanced Threat Prevention and more. Prisma Access provides a\r\ncontinuous and dynamic security inspection ecosystem that can stop even zero-day threats.\r\nBy using machine learning-based detection, Prisma Access is able to provide detection and response to zero-day threats in\r\nreal time, preventing even some of the most complex attacks that exist in the security landscape today.\r\nPrisma Access also offers advanced DLP protection to protect access and data integrity for all applications and data-based\r\nworkloads across a customer organization.\r\nCortex XSOAR\r\nCortex XSOAR can automate workflows for data enrichment, IoC hunting and remediation actions to reduce manual work\r\nand speed up the patching process.\r\nCortex XDR and XSIAM\r\nThe Cortex XDR and XSIAM agent helps protect against the techniques executed by this threat actor using Behavioral Threat\r\nProtection and its multiple security modules.\r\nCortex Analytics has multiple detection models covering the techniques, with additional relevant coverage by the Identity\r\nAnalytics module.\r\nCortex Xpanse\r\nCortex Xpanse is able to detect a wide range of internet-exposed SOHO devices, including those manufactured by Cisco,\r\nNETGEAR, D-Link, ASUS, H3C, Xiaomi, MikroTik, and more, with over 20 different individual rules 
available.\r\nCloud-Delivered Security Services for Next-Generation Firewall\r\nAdvanced URL Filtering and DNS Security identify known IPs and domains associated with this group as malicious.\r\nPrisma Cloud\r\nAll known Insidious Taurus malware samples listed within WildFire will be detectable by Prisma Cloud agents.\r\nPrisma Cloud continuously monitors for malicious traffic. By integrating the threat intelligence data from WildFire, Prisma\r\nCloud agents are able to detect and protect cloud virtual machines, container and serverless runtime environments from the\r\nexecution of malicious runtime operations originating from our customers' cloud environments.\r\nAdditional Resources\r\nJoint Cybersecurity Advisory: People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade\r\nDetection [PDF] – Cybersecurity and Infrastructure Security Agency (CISA)\r\nVolt Typhoon targets US critical infrastructure with living-off-the-land techniques – Microsoft Threat Intelligence\r\nPRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure –\r\nCybersecurity and Infrastructure Security Agency (CISA)\r\nIdentifying and Mitigating Living Off the Land Techniques [PDF] – Cybersecurity and Infrastructure Security\r\nAgency (CISA)\r\nU.S. 
government disrupts botnet People’s Republic of China used to conceal hacking of critical infrastructure – U.S.\r\nAttorney's Office, Southern District of Texas\r\nKV-Botnet: Don’t Call It A Comeback – Black Lotus Labs, Lumen\r\nSecure by Design Alert: Security Design Improvements for SOHO Device Manufacturers – Resources, Cybersecurity\r\nand Infrastructure Security Agency (CISA)\r\nRouters Roasting On An Open Firewall: The KV-Botnet Investigation – Black Lotus Labs, Lumen\r\nMAR-10448362-1.v1 Volt Typhoon – Analysis Report, Cybersecurity and Infrastructure Security Agency (CISA)\r\nVolt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days – SecurityScorecard\r\nUpdated May 26, 2023, at 3:27 p.m. PT.\r\nUpdated Feb. 14, 2024, at 2:25 p.m. PT.\r\nUpdated Feb. 20, 2024, at 11:27 a.m. PT to add promotional offer.\r\nSource: https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/"
	],
	"report_names": [
		"volt-typhoon-threat-brief"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa9019b5ebe894fa5ef3a1365b8dbd33da6edb67.pdf",
		"text": "https://archive.orkl.eu/fa9019b5ebe894fa5ef3a1365b8dbd33da6edb67.txt",
		"img": "https://archive.orkl.eu/fa9019b5ebe894fa5ef3a1365b8dbd33da6edb67.jpg"
	}
}