Volt Typhoon
PRC state-sponsored actor focused on pre-positioning in U.S. critical infrastructure (communications, energy, transportation, water). Heavy use of living-off-the-land techniques and small-office/home-office router botnets to obscure command-and-control. Joint CISA/NSA/FBI advisory in 2024 assessed the activity as preparation for disruptive or destructive cyberattacks against U.S. infrastructure in a crisis.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
4 events

- Compromise · High · 2024-08-22 · Lumen Black Lotus Labs
  Volt Typhoon exploits Versa Director zero-day (CVE-2024-39717)
  Lumen Black Lotus Labs disclosed that Volt Typhoon had been exploiting a zero-day in Versa Director (CVE-2024-39717) since at least 12 June 2024 to drop a custom Java web shell, VersaMem, on internet-facing SD-WAN management appliances at U.S. ISPs and MSPs and one non-U.S. provider. The web shell harvested credentials from process memory to enable downstream access, consistent with Volt Typhoon's pattern of stealthy pre-positioning in networks adjacent to critical infrastructure.
  Tags: zero-day, isp, sd-wan, living-off-the-land

- Advisory · Critical · 2024-02-07 · CISA
  Joint CISA/NSA/FBI advisory AA24-038A on Volt Typhoon
  CISA, NSA, FBI, and partners assessed with high confidence that Volt Typhoon's pre-positioning in U.S. critical infrastructure is intended to enable disruptive or destructive cyberattacks in the event of a major crisis or conflict, a notable shift from the espionage and intelligence-collection focus traditionally attributed to PRC cyber actors.
  Tags: aa24-038a, critical-infrastructure, pre-positioning

- Announcement · High · 2024-01-31 · U.S. Department of Justice
  DOJ disrupts KV-botnet of compromised SOHO routers
  DOJ and FBI announced a court-authorized operation that removed Volt Typhoon malware from hundreds of U.S.-based end-of-life Cisco and NETGEAR SOHO routers that had been co-opted into the KV-botnet, which the actor used to obscure its operational traffic.
  Tags: botnet-takedown, soho-router, kv-botnet

- Report · Critical · 2023-05-24 · Microsoft Threat Intelligence
  Volt Typhoon publicly named, targeting U.S. critical infrastructure
  Microsoft publicly disclosed Volt Typhoon, a PRC state-sponsored actor pre-positioning in U.S. critical infrastructure networks (communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education) with heavy use of living-off-the-land binaries.
  Tags: lotl, critical-infrastructure, pre-positioning
Indicators of compromise
1 indicator

| Type | Value | First seen | Source | Notes |
|---|---|---|---|---|
| Name (family) | KV-botnet | Jan 30, 2024 | CISA | Operator-named botnet family running on compromised end-of-life SOHO devices (predominantly Cisco RV320/325, NETGEAR ProSAFE, Axis IP cameras). Used as obfuscation infrastructure for Volt Typhoon operations; the DOJ disrupted the network in a court-authorized operation announced 31 Jan 2024. |
Related actors
Shared ATT&CK techniques:
- APT3 (CN · China): 1 shared technique
- FIN7 (?? · Unknown): 1 shared technique
- Flax Typhoon (CN · China): 1 shared technique
- Salt Typhoon (CN · China): 1 shared technique
- Scattered Spider (?? · Unknown): 1 shared technique
- Turla (RU · Russia): 1 shared technique
References
Threat Intel Tracker. (2026-05-19). Volt Typhoon — actor profile. Retrieved from https://threatintel.local/actors/volt-typhoon