
Volt Typhoon
China-state actor pre-positioning in US critical infrastructure; operates KV Botnet for covert relay.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Is Volt Typhoon already inside US and allied power grids, waiting for an order to act?
Timeline for Volt Typhoon
Mentioned in: 86,644 Fortinet logins become a hit list
Cybersecurity: Threats and DefencesNorway joins the Salt Typhoon victim list
Cybersecurity: Threats and DefencesSixteen agencies put IOC extinction in print
Cybersecurity: Threats and DefencesWhat is Volt Typhoon and what does it want inside US infrastructure?
What are living-off-the-land techniques and why does Volt Typhoon use them?
What is the KV Botnet used by Volt Typhoon?
Background
Volt Typhoon is a China-nexus state-sponsored cyber actor first publicly disclosed by Microsoft and CISA in May 2023, though Western intelligence assessments date its activity to at least mid-2021. The group's defining characteristic is its reliance on living-off-the-land (LOTL) techniques: using only built-in Windows utilities (Netsh portproxy, LSASS credential dumping, Ntdsutil, PowerShell) rather than custom malware, making it uniquely difficult to distinguish from legitimate administrator activity. Volt Typhoon targets communications, manufacturing, utilities, transport, construction, maritime, government, IT, and education sectors.
The actor routes its intrusion traffic through the KV Botnet, a covert network of compromised end-of-life Cisco and Netgear routers that lack manufacturer security patches and cannot be updated. This relay layer makes Volt Typhoon's true origin invisible to network defenders looking at connection logs. Microsoft assessed in 2023 that Volt Typhoon is positioning itself to disrupt critical communications infrastructure between the United States and the Asia-Pacific region in any future crisis — the clearest public statement that this actor's mission is sabotage pre-positioning rather than intelligence collection.
The 16-agency joint advisory of 23 April 2026 named Volt Typhoon alongside Flax Typhoon as one of two China-nexus actors whose infrastructure is managed through Integrity Technology Group. The advisory explicitly identified KV Botnet as the instrument Volt Typhoon uses for US critical national infrastructure pre-positioning — formally confirming in allied institutional voice what the FBI had disclosed in 2024 when it disrupted an earlier version of the botnet. The advisory also confirmed the IOC extinction problem: Volt Typhoon cycles through new compromised edge devices faster than defenders can block them, rendering traditional indicator-based defences insufficient.
For UK and allied defenders, the advisory's significance extends beyond attribution. By naming Volt Typhoon's CNI pre-positioning explicitly, the 16 agencies are signalling that the threat model has graduated from espionage to sabotage readiness — the actor is believed to already be embedded in US CNI awaiting an order to activate disruptive capability. The advisory recommendations (edge-device baselining, dynamic threat feeds, Cyber Essentials adoption) are calibrated to this higher threat tier.