Threat Actor Profile

Vanguard Panda

Vanguard Panda, also known as Volt Typhoon, Bronze Silhouette, DEV-0391, and several other aliases, is a Chinese state-sponsored Advanced Persistent Threat (APT) group. Active since at least mid-2021, this group specializes in cyber espionage and critical infrastructure reconnaissance. By leveraging stealth-based "living-off-the-land" strategies and exploiting known vulnerabilities, Vanguard Panda poses a significant global cybersecurity risk.


Country of Origin

Vanguard Panda is attributed to the People’s Republic of China (PRC). Its operations align with cyber strategies commonly associated with Chinese nation-state activities, including geopolitical objectives and positioning for potential future conflicts.

Members

The exact number of members within Vanguard Panda is not publicly documented. The group is believed to consist of highly skilled operators adept at system penetration, reconnaissance, and long-term persistence within networks. It is also tracked under other aliases, such as UNC3236 and G1017.

Leadership

The leadership of Vanguard Panda remains unknown. No public information identifies specific individuals or the hierarchical structure within the group. However, the sophistication and alignment of their operations strongly suggest ties to Chinese intelligence agencies or government-backed entities.

Vanguard Panda TTPs

Tactics

Vanguard Panda primarily engages in cyber espionage focused on data exfiltration, credential harvesting, and reconnaissance within strategically critical sectors. Their long-term goal often involves pre-positioning within critical infrastructure for potential disruptions during geopolitical events.

Techniques

  1. Initial Access

    • Exploiting internet-facing vulnerabilities in tools like Zoho ManageEngine (e.g., CVE-2021-40539).

    • Deploying custom server-side exploits in environments such as Apache Tomcat.

  2. Persistence & Lateral Movement

    • Using web shells, including backdoored versions of tomcat-websocket.jar, for persistence.

    • Employing legitimate tools like PowerShell, WMI, and PsExec for stealthy lateral movement.

  3. Reconnaissance

    • Conducting internal scans to enumerate processes, domain trusts, and network shares while mapping internal systems.

  4. Operational Security

    • Avoiding detection by relying on existing network tools instead of custom malware.

Procedures

The group’s procedures often involve precise execution of enumeration commands upon gaining access, leveraging their living-off-the-land capabilities to obscure malicious intent.


Notable Cyberattacks

  • KV Botnet Disruption (Dec 2023 – Jan 2024): U.S. federal agencies disrupted a significant botnet operation linked to Vanguard Panda that leveraged compromised SOHO routers.

  • LELWD Incident (Feb 2023 – Nov 2023): This utility company in Massachusetts experienced an extended network intrusion lasting nearly 300 days.

  • Versa Networks SD-WAN Exploit (Mid-2024): The group exploited a zero-day vulnerability in Versa Director, targeting MSPs and ISPs to plant malware and escalate internal access.

Law Enforcement & Arrests

No arrests tied to Vanguard Panda have been publicly reported. However, collaborations between agencies like the FBI, NSA, and CISA have been pivotal in detecting and disrupting recent operations.

How to Defend Against Vanguard Panda

  1. PATCH vulnerable systems like Zoho ManageEngine and out-of-date routers to prevent exploitation.

  2. SEGMENT critical IT and OT networks with strict access control policies.

  3. MONITOR network logs, especially for unusual activity like anomalous web server POST requests.

  4. HUNT for web shell implants hidden in identity management or help desk directories.

  5. ENFORCE credential hygiene and implement multi-factor authentication (MFA).

  6. PARTICIPATE in threat intelligence sharing networks to stay updated on emerging IOCs.

Huntress Managed SIEM can assist by monitoring for known techniques, providing IoC tracking, and alerting teams of suspicious activity within their environments.
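The MONITOR and HUNT steps above can be turned into a simple access-log check. The script below is an added example, not Huntress code or any vendor's detection rule: it parses constructed Apache/Tomcat-style access log lines (not real telemetry) and flags POST requests that fall outside an assumed baseline of legitimate POST endpoints and that hit either a script file or a directory that should only serve static help-desk content. The `/ServiceDesk/...` paths, the baseline set, and the watched prefixes are hypothetical values; build yours from the application's documented routes or a clean historical sample.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format; not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /ServiceDesk/index.jsp HTTP/1.1" 200 5120
10.0.0.6 - - [12/Mar/2024:10:01:09 +0000] "POST /ServiceDesk/login.do HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2024:10:02:41 +0000] "GET /ServiceDesk/help/index.jsp HTTP/1.1" 200 4096
10.0.0.6 - - [12/Mar/2024:10:03:15 +0000] "POST /ServiceDesk/login.do HTTP/1.1" 302 0
203.0.113.9 - - [13/Mar/2024:03:14:55 +0000] "POST /ServiceDesk/help/x.jsp HTTP/1.1" 200 731
203.0.113.9 - - [13/Mar/2024:03:15:02 +0000] "POST /ServiceDesk/help/x.jsp HTTP/1.1" 200 2098
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed (hypothetical) baseline of endpoints that legitimately receive POSTs.
KNOWN_POST_ENDPOINTS = {"/ServiceDesk/login.do"}
# Assumed directories that should serve static help-desk content, never accept uploads.
WATCHED_PREFIXES = ("/ServiceDesk/help/", "/ServiceDesk/images/")
# Server-side script extensions a web shell would typically be written as.
SCRIPT_SUFFIXES = (".jsp", ".jspx", ".aspx", ".ashx", ".php")

def parse_access_log(text):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_anomalous_posts(text):
    """Return (ip, path, status, count) tuples for POSTs outside the baseline that
    target a script file or a watched directory, most frequent first."""
    hits = Counter()
    for r in parse_access_log(text):
        path = r["path"].split("?", 1)[0]  # compare the path without its query string
        if r["method"] != "POST" or path in KNOWN_POST_ENDPOINTS:
            continue
        if path.lower().endswith(SCRIPT_SUFFIXES) or path.startswith(WATCHED_PREFIXES):
            hits[(r["ip"], path, r["status"])] += 1
    return sorted(((ip, p, s, n) for (ip, p, s), n in hits.items()), key=lambda t: -t[3])

if __name__ == "__main__":
    for ip, path, status, n in find_anomalous_posts(SAMPLE_LOG):
        print(f"ALERT: {n} POST(s) from {ip} to {path} (HTTP {status})")
```

A hit is a lead for the HUNT step, not a verdict: confirm by checking the file on disk, its creation time, and the owning process before treating it as a web shell.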
