The modus operandi
Volt Typhoon’s strategy is defined by its resilience and adaptability. Instead of retreating when detected, the group intensifies its foothold, exploiting long-overlooked vulnerabilities in legacy Cisco RV320/325 and Netgear ProSafe routers.
The botnet infrastructure run by the PRC-backed hackers is built to avoid detection. They use servers across Europe and Asia-Pacific to mask their command-and-control (C2) operations. According to the report, the group’s strategy includes routing traffic through network providers in countries such as the Netherlands, Latvia, and Germany so that it is harder to trace.
“Every layer of Volt Typhoon’s infrastructure is designed to blend malicious activities into everyday operations, making them difficult to detect and even harder to remove — especially in sectors like governments and critical infrastructure that still depend on outdated technology,” the report added.