Volt Typhoon · G1017 · state
🇨🇳 CN · PLA
aka Volt Typhoon, BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus, DazedToad
Last updated: 2026-07-03
About this actor
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet. (Citation: DOJ KVBotnet 2024) Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. (Citation: Dragos 2025 Year in Review)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 2 CVEs published
- 2025 — 2 CVEs published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2025-64119 | 7.0 | 9.3 | 0.0036 | 2026-01-02 | see CVE |
| CVE-2025-0283 | 6.0 | 7.0 | 0.4955 | 2025-01-08 | see CVE |
| CVE-2025-7746 | 3.5 | 5.3 | 0.0040 | 2025-09-09 | see CVE |
| CVE-2026-22813 | 3.5 | 6.1 | 0.0091 | 2026-01-12 | see CVE |

T1003, T1003.001, T1003.003, T1005, T1006, T1007, T1010, T1012, T1016, T1016.001, T1018, T1021, T1021.001, T1027, T1027.002, T1033, T1036, T1036.005, T1036.008, T1046, T1047, T1049, T1056, T1056.001, T1057, T1059, T1059.001, T1059.003, T1059.004, T1068, T1069, T1069.001, T1069.002, T1070, T1070.004, T1070.007, T1074, T1074.001, T1078, T1078.002, T1083, T1087, T1087.001, T1087.002, T1090, T1090.001, T1090.003, T1105, T1112, T1113, T1120, T1124, T1133, T1140, T1190, T1217, T1218, T1497, T1497.001, T1505, T1505.003, T1518, T1552, T1552.004, T1555, T1555.003, T1560, T1560.001, T1570, T1573, T1573.001, T1584, T1584.003, T1584.004, T1584.005, T1584.008, T1587, T1587.004, T1588, T1588.002, T1588.006, T1589, T1589.002, T1590, T1590.004, T1590.006, T1591, T1591.004, T1592, T1593, T1594, T1596, T1596.005, T1614, T1654, T1680, T1685, T1685.005
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 43 / 98 | 44% |
| CM-6 | 38 / 98 | 39% |
| CM-2 | 33 / 98 | 34% |
| AC-3 | 31 / 98 | 32% |
| SI-3 | 30 / 98 | 31% |
| AC-6 | 29 / 98 | 30% |
| CM-7 | 29 / 98 | 30% |
| AC-2 | 28 / 98 | 29% |
| CA-7 | 25 / 98 | 26% |
| SI-7 | 23 / 98 | 23% |
| AC-5 | 19 / 98 | 19% |
| SC-7 | 19 / 98 | 19% |
| AC-4 | 17 / 98 | 17% |
| IA-2 | 17 / 98 | 17% |
| RA-5 | 17 / 98 | 17% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- MuddyWater: 1 shared CVE
- Gamaredon Group: 1 shared CVE
- Kimsuky: 1 shared CVE
Similar actors
Similar TTPs
- Operation Wocao 0.44
- OilRig 0.33
- Chimera 0.32
- FIN13 0.32
- Sandworm Team 0.30
Overlapping CVEs
- Gamaredon Group 0.25
- MuddyWater 0.20
- Mustang Panda 0.20
- Kimsuky 0.17
Active in same years
- SharePoint ToolShell Exploitation 2.00
- Kimsuky 2.00
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00