What is VOLT_TYPHOON_APT?
Volt Typhoon is a state-sponsored cyber actor that targets critical infrastructure. It relies on 'Living-off-the-Land' (LotL) techniques, using legitimate built-in administrative tools such as PowerShell, wmic, and netsh, to blend in with normal system activity and maintain long-term, undetected persistence.
Common Causes
- Compromised edge devices (SOHO routers, firewalls, VPN appliances)
- Use of stolen administrative credentials
- Lack of command-line logging and network telemetry monitoring
Step-by-Step Fix Guide
1. Enable detailed PowerShell script block logging (Event ID 4104)
2. Perform a full audit of built-in system accounts and active sessions
3. Reset all administrative credentials and domain trust settings
4. Decommission and replace compromised edge network routing hardware
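The following script is an added example, not part of the original guide: it carries out steps 1 and 2 above by turning on script block logging locally and then scanning recent 4104 events for the built-in tools the page names (wmic, netsh), plus listing enabled local accounts. It assumes an elevated Windows PowerShell 5.1 session on the host being audited; the tool list in $pattern is a starting point to extend from your own baseline.

```powershell
# Added example (not from the page or from any vendor tooling).
# Assumes: elevated Windows PowerShell 5.1 on the host being audited.

# --- Step 1: enable script block logging locally.
# These are the same registry values Group Policy sets under
# "Turn on PowerShell Script Block Logging"; 4104 events start
# appearing in Microsoft-Windows-PowerShell/Operational afterwards.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- Step 1b: hunt through recent 4104 events for LotL tool use.
# In a 4104 record, Properties[2] is the ScriptBlockText field
# (Properties[0..1] are MessageNumber/MessageTotal, [3] ScriptBlockId, [4] Path).
# Pattern lists only the tools this page names; extend it from your baseline.
$pattern = '\b(wmic|netsh)\b'
$hits = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    Select-Object TimeCreated,
                  @{ n = 'UserSid'; e = { $_.UserId } },
                  @{ n = 'Script';  e = { $_.Properties[2].Value } }

Write-Host "Script blocks referencing $pattern (most recent 500 events):"
$hits | Format-Table -AutoSize -Wrap

# --- Step 2: audit enabled local accounts and their last logon time,
# so dormant built-in accounts that suddenly show activity stand out.
Write-Host "Enabled local accounts:"
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, LastLogon, PasswordLastSet | Format-Table -AutoSize
```

Script block logging only captures PowerShell; wmic.exe and netsh.exe launched directly still need process creation auditing (Event ID 4688 with command-line logging) to be seen.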
Commands & Diagnostics
powershell.exe Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 5 -ErrorAction SilentlyContinue
wevtutil.exe qe Microsoft-Windows-PowerShell/Operational /c:5 /f:text