🇨🇳 Volt Typhoon
🇨🇳 Volt Typhoon is a tracked threat actor in the Clankerusecase corpus. Attributed to China (CN); primary motivation: state-sponsored. We map 26 detection use cases to this actor across 100 MITRE ATT&CK techniques, with 2 threat-intel articles citing it. Active in our corpus (first to last citing article) from 2026-05-07 to 2026-06-10.
crit: 2
Use cases: 26
Articles: 2
Techniques: 100
IOCs: 4
Known aliases
Volt Typhoon, Vanguard Panda, Bronze Silhouette, VOLTZITE, BRONZE SILHOUETTE, DEV-0391, UNC3236, Voltzite, Insidious Taurus, DazedToad
All other tracked techniques
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1003.003 · NTDS
T1005 · Data from Local System
T1006 · Direct Volume Access
T1007 · System Service Discovery
T1010 · Application Window Discovery
T1012 · Query Registry
T1016 · System Network Configuration Discovery
T1016.001 · Internet Connection Discovery
T1018 · Remote System Discovery
T1021.001 · Remote Desktop Protocol
T1021.002 · SMB/Windows Admin Shares
T1027 · Obfuscated Files or Information
T1027.002 · Software Packing
T1033 · System Owner/User Discovery
T1036.005 · Match Legitimate Resource Name or Location
T1036.008 · Masquerade File Type
T1046 · Network Service Discovery
T1047 · Windows Management Instrumentation
T1049 · System Network Connections Discovery
T1056.001 · Keylogging
T1057 · Process Discovery
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.004 · Unix Shell
T1068 · Exploitation for Privilege Escalation
T1069 · Permission Groups Discovery
T1069.001 · Local Groups
T1069.002 · Domain Groups
T1070.004 · File Deletion
T1070.007 · Clear Network Connection History and Configurations
T1071 · Application Layer Protocol
T1074 · Data Staged
T1074.001 · Local Data Staging
T1078 · Valid Accounts
T1078.002 · Domain Accounts
T1083 · File and Directory Discovery
T1087.001 · Local Account
T1087.002 · Domain Account
T1090 · Proxy
T1090.001 · Internal Proxy
T1090.002 · External Proxy
T1090.003 · Multi-hop Proxy
T1098.001 · Additional Cloud Credentials
T1105 · Ingress Tool Transfer
T1112 · Modify Registry
T1113 · Screen Capture
T1120 · Peripheral Device Discovery
T1124 · System Time Discovery
T1133 · External Remote Services
T1140 · Deobfuscate/Decode Files or Information
T1195.002 · Compromise Software Supply Chain
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1217 · Browser Information Discovery
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1497.001 · System Checks
T1505.003 · Web Shell
T1518 · Software Discovery
T1528 · Steal Application Access Token
T1552 · Unsecured Credentials
T1552.004 · Private Keys
T1555 · Credentials from Password Stores
T1555.003 · Credentials from Web Browsers
T1560.001 · Archive via Utility
T1566.002 · Spearphishing Link
T1569.002 · Service Execution
T1570 · Lateral Tool Transfer
T1571 · Non-Standard Port
T1572 · Protocol Tunneling
T1573.001 · Symmetric Cryptography
T1584.003 · Virtual Private Server
T1584.004 · Server
T1584.005 · Botnet
T1584.008 · Network Devices
T1587.004 · Exploits
T1588.002 · Tool
T1588.006 · Vulnerabilities
T1589 · Gather Victim Identity Information
T1589.002 · Email Addresses
T1590 · Gather Victim Network Information
T1590.004 · Network Topology
T1590.006 · Network Security Appliances
T1591 · Gather Victim Org Information
T1591.004 · Identify Roles
T1592 · Gather Victim Host Information
T1593 · Search Open Websites/Domains
T1594 · Search Victim-Owned Websites
T1595.002 · Vulnerability Scanning
T1596.005 · Scan Databases
T1614 · System Location Discovery
T1654 · Log Enumeration
T1680 · Local Storage Discovery
T1685.005 · Clear Windows Event Logs
Detection use cases (26)
Volt Typhoon (Vanguard Panda) NTDS.dit dump via ntdsutil IFM 'create full'
Volt Typhoon (Voltzite/Vanguard Panda) netsh portproxy v4tov4 reverse-proxy establishment
JDY-style outbound recon scanning originating from internal IoT / network appliances
Outbound Tor (9001/9030/9050) from network appliance / IoT subnet — JDY C2 beaconing
MIPS shell-script dropper on Linux edge device — JDY architecture-aware payload fetch
CVE-2026-35616 exploitation attempt against edge SOHO/IoT devices — JDY initial access
Beaconing — periodic outbound to small set of destinations
Asset exposure — vulnerability matches article CVE(s)
OAuth consent / suspicious app grant
Phishing-link click correlated to endpoint execution
Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha)
Trusted vendor binary / installer launching unusual children
CL-STA-1132 EarthWorm staging download from 146.70.100.69:8000/php_sess
Malformed CL-STA-1132 attacker User-Agent (Mozilla/5.5 + Safari/532.31)
1Password activity from Tor exit node
1Password impossible-travel sign-in
1Password item exfiltration attempt
1Password vault export attempted
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min)
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
Threat-intel articles (2)
Tracked indicators
IP addresses (4)
136.0.8.48
146.70.100.69
149.104.66.84
67.206.213.86
CVEs (2)
CVE-2026-0300
CVE-2026-35616
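Added example, not code from the Clankerusecase corpus or from any vendor whose cluster names appear above: a handful of the detection use cases listed on this page (the ntdsutil IFM dump, the netsh portproxy v4tov4 listener, Tor-port egress from an appliance/IoT segment, the 146.70.100.69:8000/php_sess staging download, the Mozilla/5.5 + Safari/532.31 user agent, and a plain match on the four tracked IPs) expressed as rules and run over constructed sample events. The event field names (image, cmdline, src_zone, dst_port, user_agent and so on), the zone labels `iot`/`appliance`, and every sample record are assumptions; the command-line shapes follow the ntdsutil and netsh usage publicly reported for Volt Typhoon, and the ports and addresses come from the lists above.

```python
import re
from dataclasses import dataclass

# Indicators copied from the "Tracked indicators" list on this page.
TRACKED_IPS = {"136.0.8.48", "146.70.100.69", "149.104.66.84", "67.206.213.86"}
# Ports named in the "Outbound Tor (9001/9030/9050)" use case.
TOR_PORTS = {9001, 9030, 9050}
# Assumed zone labels a flow collector would attach to appliance / IoT subnets.
EDGE_ZONES = {"iot", "appliance"}

NTDSUTIL_IFM = re.compile(r"\bifm\b")
NTDSUTIL_CREATE = re.compile(r"\bcreate\s+(?:sysvol\s+)?full\b")
PORTPROXY_ADD = re.compile(r"\bportproxy\b.*\badd\b.*\bv4tov4\b")
MALFORMED_UA = re.compile(r"Mozilla/5\.5|Safari/532\.31")


@dataclass(frozen=True)
class Alert:
    rule: str
    evidence: str


def _normalise(cmdline: str) -> str:
    """Drop quotes and collapse whitespace so 'ifm' and 'create full' match
    however the operator quoted ntdsutil's sub-commands."""
    return re.sub(r"\s+", " ", cmdline.replace('"', " ")).strip().lower()


def check_process(ev: dict) -> list[Alert]:
    """Process-creation event; 'image' and 'cmdline' are assumed field names."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = _normalise(ev["cmdline"])
    alerts = []
    # NTDS.dit dump: ntdsutil ... ifm ... create full <dir> (or create sysvol full).
    if image == "ntdsutil.exe" and NTDSUTIL_IFM.search(cmd) and NTDSUTIL_CREATE.search(cmd):
        alerts.append(Alert("ntdsutil-ifm-create-full", ev["cmdline"]))
    # Internal reverse proxy: netsh interface portproxy add v4tov4 ...
    # netsh accepts abbreviated keywords (e.g. 'int' for 'interface'), so the
    # match keys on 'portproxy ... add ... v4tov4' rather than the full phrase.
    if image == "netsh.exe" and PORTPROXY_ADD.search(cmd):
        alerts.append(Alert("netsh-portproxy-v4tov4", ev["cmdline"]))
    return alerts


def check_flow(ev: dict) -> list[Alert]:
    """Flow record; src_zone / src_ip / dst_ip / dst_port are assumed fields."""
    alerts = []
    where = f'{ev["src_ip"]} -> {ev["dst_ip"]}:{ev["dst_port"]}'
    if ev["dst_ip"] in TRACKED_IPS:
        alerts.append(Alert("tracked-ioc-ip", where))
    # Tor ports leaving an appliance or IoT segment that should never speak Tor.
    if ev["src_zone"] in EDGE_ZONES and ev["dst_port"] in TOR_PORTS:
        alerts.append(Alert("tor-egress-from-edge", where))
    return alerts


def check_http(ev: dict) -> list[Alert]:
    """Proxy log record; host / port / path / user_agent are assumed fields."""
    alerts = []
    # EarthWorm staging download from 146.70.100.69:8000/php_sess.
    if ev["host"] == "146.70.100.69" and ev["port"] == 8000 and ev["path"].startswith("/php_sess"):
        alerts.append(Alert("cl-sta-1132-earthworm-staging", f'{ev["host"]}:{ev["port"]}{ev["path"]}'))
    # The page flags Mozilla/5.5 + Safari/532.31 as malformed; browsers send
    # Mozilla/5.0, and the WebKit-derived Safari token is normally 537.36.
    if MALFORMED_UA.search(ev["user_agent"]):
        alerts.append(Alert("cl-sta-1132-malformed-ua", ev["user_agent"]))
    return alerts


CHECKS = {"process": check_process, "flow": check_flow, "http": check_http}


def run(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS[ev["type"]](ev))
    return alerts


# Constructed sample events (not real telemetry). Private and TEST-NET addresses
# stand in for hosts; the two Windows command lines follow the reported patterns.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=10.0.0.5"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy show all"},  # benign: enumeration only
    {"type": "flow", "src_zone": "iot", "src_ip": "10.20.0.17", "dst_ip": "203.0.113.9", "dst_port": 9001},
    {"type": "flow", "src_zone": "user", "src_ip": "10.1.5.4", "dst_ip": "146.70.100.69", "dst_port": 8000},
    {"type": "flow", "src_zone": "user", "src_ip": "10.1.5.4", "dst_ip": "198.51.100.20", "dst_port": 443},
    {"type": "http", "host": "146.70.100.69", "port": 8000, "path": "/php_sess",
     "user_agent": "Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0 Safari/532.31"},
]


def demo() -> list[str]:
    """Names of the rules fired by the sample events, in order."""
    return [a.rule for a in run(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert.rule:32} {alert.evidence}")
```

Two caveats a practitioner would apply before deploying rules like these: ntdsutil IFM has a legitimate use (building install-from-media for a new domain controller), so the first rule should be suppressed inside known DC-promotion change windows rather than tuned away; and a portproxy listener added with netsh survives as a value under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so a registry-set event on that key catches the same persistence when the command line was abbreviated or not logged. On the Tor rule, 9050 is Tor's default local SOCKS port rather than a relay port, so an outbound hit on it is weaker evidence than 9001 or 9030.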