THREATOPS Actor Dossier
LIVE ← Dashboard

Volt Typhoon

G10170 reports
aliases · Volt Typhoon · BRONZE SILHOUETTE · Vanguard Panda · DEV-0391 · UNC3236 · Voltzite · Insidious Taurus · DazedToad
Export dossier:
0
Reports
0
Techniques
0
Tactics
0
Countries
n/a
Hunt coverage
8
Aliases

Analyst assessment — key judgments

  • No recorded activity: 0 report(s) in last 30d vs 0 prior (+0%).
  • Assessment confidence: n/a.

Activity & trend

InactiveLast 30d: 0 vs 0 prior (+0%)
0
7d
0
30d
0
90d
0
All
0.0
Rpts/wk
Reporting timeline · 12 months

Vulnerabilities in this actor's reporting · 1

Overview

Analyst triage
Intelligence summary

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023). The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.(Citation: DOJ KVBotnet 2024).

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. (Citation: Dragos 2025 Year in Review)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation
            • No ATT&CK techniques associated yet.

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected