COMING SOON | Advanced | PRO

Volt Typhoon: living-off-the-land in critical infrastructure

No malware, no ransomware, no payload to scan for, just native Windows binaries used in an abnormal sequence and a stolen administrator credential. A stealth operator plants a tiny web shell on a water utility's internet-facing host, dumps LSASS with a signed system DLL, routes C2 through a compromised home router, and exports the entire Active Directory database off the domain controller before clearing the logs. Work the Windows Security log, the endpoint process tree, and the perimeter traffic to separate the living-off-the-land activity from a heavy baseline of legitimate admin work.

1h 30m
7 tasks
150 points
Pro

Tuesday, July 7, 2026 at 9:00 AM

Pro unlocks this operation at launch.

Training Tools

SIEM, XDR, Firewall

What you'll investigate

7 objectives unlock when this operation goes live.

1. Find the quiet way in
2. Name the planted page
3. Catch the credential dump
4. Trace the disguised channel
5. Identify the directory theft
6. Spot the cover-up
7. Classify the credential-store theft
