^[4][1]

^[1]

^[1]

^[1]

^[1]

^[1]

Volt Typhoon usedKV Botnet Activity to build intermediate communication chains between operators and victims, such as identified access to victims in Guam.^[5]

Versa Director Zero Day Exploitation was conducted byVolt Typhoon between June and August 2024.^[7]

Volt Typhoon has executednet user andquser to enumerate local account information.^[1]

Volt Typhoon has runnet group /dom andnet group "Domain Admins" /dom in compromised environments for account discovery.^[3][4]

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.^[5]

Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.^[7]

Volt Typhoon has collected window title information from compromised systems.^[1]

Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.^[4][1]

Volt Typhoon has targeted the browsing history of network administrators.^[1]

Volt Typhoon has used PowerShell including for remote system discovery.^[2][3][1]

Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.^[2][3][4][1]

Volt Typhoon has used Brightmetricagent.exe which contains a command- line interface (CLI) library that can leverage command shells including Z Shell (zsh).^[1]

KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.^[5]

Volt Typhoon has compromised Virtual Private Servers (VPS) to proxy C2 traffic.^[1]

Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2.^[4][1]

Volt Typhoon Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations.^[1]

Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic.^[2][3]

Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.^[7]

KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.^[5]

Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.^[3]

Volt Typhoon has targeted network administrator browser data including browsing history and stored credentials.^[1]

Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and usedWevtutil to extract event log information.^[3][4][1]

Volt Typhoon has staged collected data in password-protected archives.^[2]

Volt Typhoon has saved stolen files including thentds.dit database and theSYSTEM andSECURITY Registry hives locally to theC:\Windows\Temp\ directory.^[3][4]

Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation viacertutil.^[4]

Versa Director Zero Day Exploitation involved the development of a new web shell variant,VersaMem.^[7]

Volt Typhoon has exploited zero-day vulnerabilities for initial access.^[1]

Volt Typhoon has executed the Windows-nativevssadmin command to create volume shadow copies.^[1]

Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.^[4]

Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.^[7]

KV Botnet Activity involves managing events on victim systems vialibevent to execute a callback function when any running process contains the following references in their path without also having a reference tobioset: busybox, wget, curl, tftp, telnetd, or lua. If thebioset string is not found, the related process is terminated.^[5]

Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.^[4][1]

Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.^[7]

Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.^[1]

Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.^[1]

Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.^[1]

KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage:\/usr\/sbin\/,\/usr\/bin\/,\/sbin\/,\/pfrm2.0\/bin\/,\/usr\/local\/bin\/.^[5]

KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.^[5]

Volt Typhoon has conducted pre-compromise reconnaissance for victim host information.^[1]

Volt Typhoon has gathered victim identify information during pre-compromise reconnaissance.^[1]

Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations.^[1]

Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization’s network.^[1]

Volt Typhoon has conducted extensive reconnaissance of victim networks including identifying network topologies.^[1]

Volt Typhoon has identified target network security measures as part of pre-compromise reconnaissance.^[1]

Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.^[1]

Volt Typhoon has identified key network and IT staff members pre-compromise at targeted organizations.^[1]

KV Botnet Activity leveraged a bind mount to bind itself to the/proc/ file path before deleting its files from the/tmp/ directory.^[5]

KV Botnet Activity used various scripts to remove or disable security tools, such ashttp_watchdog andfirewallsd, as well as tools related to other botnet infections, such asmips_ff, on victim devices.^[5]

Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.^[1]

Volt Typhoon has runrd /S to delete their working directories and deleted systeminfo.dat fromC:\Users\Public\Documentsfiles.^[4][1]

KV Botnet Activity removes on-disk copies of tools and other artifacts after it the primary botnet payload has been loaded into memory on the victim device.^[5]

Volt Typhoon has inspected server logs to remove their IPs.^[4]

Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.^[1]

KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.^[5]

Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.^[1]

Volt Typhoon has copied web shells between servers in targeted environments.^[4]

Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.^[2][3][4][1]

Volt Typhoon has usedwevtutil.exe and the PowerShell commandGet-EventLog security to enumerate Windows logs to search for successful logons.^[3][1]

KV Botnet Activity installation steps include first identifying, then stopping, any process containing[kworker\/0:1], then renaming its initial installation stage to this process name.^[5]

Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.^[3][4][1]

Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.^[4]

Volt Typhoon has usednetsh to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).^[1]

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery.^[1]

Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.^[7]

KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.^[5]

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.^[5]

Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.ex) and the port scanning utility ScanLine.^[1]

Volt Typhoon has used legitimate network and forensic tools and customized versions of open-source tools for C2.^[2][1]

Volt Typhoon has used publicly available exploit code for initial access.^[1]

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.^[2][1]

Volt Typhoon has used ntds.util to create domain controller installation media containing usernames and password hashes.^[2][3][4][1]

Volt Typhoon has obtained victim's screen dimension and display device information.^[1]

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery.^[1]

Volt Typhoon has runnet localgroup administrators in compromised environments to enumerate accounts.^[3]

Volt Typhoon has runnet group in compromised environments to discover domain groups.^[4]

Volt Typhoon has enumerated running processes on targeted systems including through the use ofTasklist.^[2][4][1]

Scripts associated withKV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.^[5]

KV Botnet Activity final payload installation includes mounting and binding to the\/proc\/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.^[5]

Volt Typhoon has used compromised devices and customized versions of open source tools such asFRP (Fast Reverse Proxy), Earthworm, andImpacket to proxy network traffic.^[2][3][1]

Volt Typhoon has used the built-innetshport proxy command to create proxies on compromised systems to facilitate access.^[2][1]

Volt Typhoon has used multi-hop proxies for command-and-control infrastructure.^[1]

Volt Typhoon has queried the Registry on compromised systems,reg query hklm\software\, for information on installed software including PuTTY.^[3][1]

Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges.^[1]

Volt Typhoon has used multiple methods, includingPing, to enumerate systems on compromised networks.^[2][4]

Volt Typhoon has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries.^[1]

Volt Typhoon has used FOFA, Shodan, and Censys to search for exposed victim infrastructure.^[1]

Volt Typhoon has conducted pre-compromise web searches for victim information.^[1]

Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.^[1]

Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.^[4]

Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.^[7]

Volt Typhoon has queried the Registry on compromised systems for information on installed software.^[3][1]

KV Botnet Activity involved removal of security tools, as well as other identified IOT malware, from compromised devices.^[5]

Volt Typhoon has used native tools and processes including living off the land binaries or "LOLBins" to maintain and expand access to the victim networks.^[1]

KV Botnet Activity includes use of native system tools, such asuname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.^[5]

Volt Typhoon has obtained the victim's system current location.^[1]

Volt Typhoon has executed multiple commands to enumerate network topology and settings includingipconfig,netsh interface firewall show all, andnetsh interface portproxy show all.^[3]

KV Botnet Activity gathers victim IP information during initial installation stages.^[5]

Volt Typhoon has employedPing to check network connectivity.^[1]

Volt Typhoon has usednetstat -ano on compromised hosts to enumerate network connections.^[3][4]

Volt Typhoon has used public tools and executed the PowerShell commandGet-EventLog security -instanceid 4624 to identify associated user and computer account names.^[3][4][1]

Volt Typhoon has usednet start to list running services.^[1]

Volt Typhoon has obtained the victim's system timezone.^[1]

Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.^[1]

Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.^[1]

Volt Typhoon relies primarily on valid credentials for persistence.^[1]

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.^[2][4][1]

Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.^[2]

Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.^[2][3][4][1]