
Volt Typhoon: living-off-the-land in critical infrastructure
No malware, no ransomware, no payload to scan for, just native Windows binaries used in an abnormal sequence and a stolen administrator credential. A stealth operator plants a tiny web shell on a water utility's internet-facing host, dumps LSASS with a signed system DLL, routes C2 through a compromised home router, and exports the entire Active Directory database off the domain controller before clearing the logs. Work the Windows Security log, the endpoint process tree, and the perimeter traffic to separate the living-off-the-land activity from a heavy baseline of legitimate admin work.
Launches Tuesday, July 7, 2026 at 9:00 AM
Pro unlocks this operation at launch.
What you'll investigate
7 objectives unlock when this operation goes live.