Violet Typhoon (also known by several other names) is a China-linked espionage threat actor active since at least 2015, focusing on high-value targets such as governments, think tanks, media, NGOs, academia, and healthcare in East Asia, Europe, and North America. Their recent activity includes exploiting SharePoint zero-day vulnerabilities (e.g. under the “ToolShell” chain) to gain access to on-premises servers, install web shells, and exfiltrate sensitive information. Unlike ransomware gangs, their emphasis is on intelligence gathering rather than extortion.
Key risks: exposure of internal data and IP, persistence via infrastructure compromise, credential theft, and use in hybrid campaigns (where access enables other threat actors).
Aliases & Identification of Violet Typhoon
Alias / Name | Notes / Source |
---|---|
APT31 | Common MITRE ATT&CK designation. |
Zirconium | One of Microsoft’s “Typhoon” family tags. |
Judgment Panda | Vendor alias in Microsoft’s threat actor naming documentation. |
Chameleon | Reported in naming schemes alongside Judgment Panda. |
WebFans | Less frequent, but appears in Microsoft alias lists. |
Red Keres | Another name sometimes linked in vendor reports. |
— These multiple names reflect vendor alias fragmentation. Use cross-vendor mapping tables (e.g. Microsoft, MITRE) to correlate sightings and reporting.
Observed Tactics, Techniques & Procedures (TTPs) of Violet Typhoon
MITRE Technique | Technique ID(s) | Observed Behavior | Key Indicators / Focus for Detection |
---|---|---|---|
Exploit Public-Facing Application | T1190 | Exploiting SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, etc.) to gain initial access. | Monitor POST requests to `/_layouts/15/ToolPane.aspx`, uploads of ASPX payloads (like `spinstall0.aspx`) via SharePoint. |
Persistence | T1505.x (Web Shells), Scheduled Tasks | Installation of ASPX web shells; placement of malicious scripts in web roots; possibly scheduled tasks or services to maintain foothold. | Web root file scanning; unknown ASPX files; unusual scheduled tasks or DLL load via IIS worker process. |
Credential Access | T1003 | Harvesting credentials via memory dump tools (like Mimikatz or equivalents); stealing saved MachineKey (cryptographic keys). | LSASS memory reads; access to machine key files; attempts to harvest keys from web-server config directories. |
Discovery | T1082 / T1046 | Gathering system and network info; scanning internally; identifying further vulnerable systems. | Metadata queries to SharePoint; network scanning; lateral enumeration. |
Exfiltration | T1041 | Exfiltration of files via web services, custom APIs, possibly over HTTPS to avoid detection. | Outbound traffic from compromised SharePoint servers; large file transfers; non-standard endpoints. |
Known Incidents & Impacted Organizations Involving Violet Typhoon
- National Nuclear Security Administration (U.S.) — The NNSA was among over 50 organizations compromised when a SharePoint zero-day (“ToolShell”) exploit campaign began around July 7, 2025. Systems connected to it were accessed via vulnerable on-prem SharePoint instances.
- A private university (U.S.) — This university was listed among the ~54 organizations Microsoft reported had been breached by China-linked actors exploiting SharePoint zero-day vulnerabilities, including Violet Typhoon.
- Federal health agency (U.S.) — One of the affected entities in the Microsoft/Eye Security reporting; compromised via SharePoint server flaws attributed to Violet Typhoon.
- California-based energy provider — Also named among the 54 orgs hit, showing that critical-infrastructure sectors are within Violet Typhoon’s target set.
Detection, Hunting & Defensive Recommendations for Violet Typhoon
- Patch & Harden: Immediately patch affected SharePoint versions; apply Microsoft’s advisories related to the relevant CVEs (including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771).
- Web Shell & Payload Hunting: Look for ASPX files or other unexpected script files in web-root directories, especially `spinstall0.aspx` or variants. Scan IIS logs for anomalous POSTs to `/_layouts/15/ToolPane.aspx` or `ToolPane` endpoints.
- Credential Access Monitoring: Detect LSASS memory dump attempts; monitor access to cryptographic key stores (MachineKey), certificate stores.
- Network Egress / Exfiltration Alerts: Watch for large outbound transfers from SharePoint or web server hosts; detect communication to unusual external endpoints.
- Least Privilege & Access Controls: Ensure admin privileges are minimized; use MFA; restrict who can deploy custom applications or scripts.
- Incident Playbooks & Tabletop Exercises: Include scenarios involving supply-chain/SharePoint exploits; ensure log retention, forensic readiness, and outbreak response.
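The script below is an added hunting example for the indicators listed in the TTP table and in the Web Shell & Payload Hunting item above; it is not code from the original profile or from any vendor. It assumes IIS W3C extended logs with a `#Fields:` header and a filename baseline taken from a known-clean server of the same build. The log lines, directory listing, baseline and paths are constructed sample data.

```python
"""Added hunting example: flag POSTs to the SharePoint ToolPane endpoint and
requests for spinstall0.aspx-style payload names in IIS W3C logs, and compare
a web-root listing against a filename baseline. All sample data is constructed."""
import re
from dataclasses import dataclass

# Indicators taken from the profile. IIS matches URL paths case-insensitively,
# so every comparison is done on lower-cased stems and file names.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
PAYLOAD_NAME = re.compile(r"^spinstall\d*\.aspx$")  # spinstall0.aspx and minor renames

# Constructed IIS W3C log excerpt. The #Fields directive defines the column order.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 02:11:03 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-18 02:11:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 Mozilla/5.0 200
2025-07-18 02:11:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 200
2025-07-18 02:12:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.1.31 Mozilla/5.0 200
2025-07-18 02:13:01 10.0.0.5 POST /_layouts/15/toolpane.aspx - 443 - 198.51.100.9 python-requests/2.31 500
"""

# Constructed snapshot of a LAYOUTS directory and a filename baseline captured
# from a known-clean server of the same build (constructed, not a real inventory).
SAMPLE_LISTING = [
    r"D:\sp\16\TEMPLATE\LAYOUTS\ToolPane.aspx",
    r"D:\sp\16\TEMPLATE\LAYOUTS\Error.aspx",
    r"D:\sp\16\TEMPLATE\LAYOUTS\spinstall0.aspx",
    r"D:\sp\16\TEMPLATE\LAYOUTS\debug_helper.aspx",
    r"D:\sp\16\TEMPLATE\LAYOUTS\init.js",
]
SAMPLE_BASELINE = {"toolpane.aspx", "error.aspx"}


@dataclass(frozen=True)
class Finding:
    kind: str    # which indicator fired
    detail: str  # the request or path that triggered it


def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into one dict per request, keyed by #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed row: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt_iis(rows: list[dict]) -> list[Finding]:
    """Flag POSTs to ToolPane.aspx and any request for a spinstall*.aspx payload name."""
    findings = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        where = f"{r['c-ip']} {r['cs-method']} {r['cs-uri-stem']} -> {r['sc-status']}"
        if r["cs-method"].upper() == "POST" and stem == TOOLPANE_STEM:
            findings.append(Finding("toolpane_post", where))
        if PAYLOAD_NAME.match(stem.rsplit("/", 1)[-1]):
            findings.append(Finding("payload_request", where))
    return findings


def hunt_webroot(listing: list[str], baseline: set[str]) -> list[Finding]:
    """Flag ASPX files that carry the known payload name or are absent from the baseline."""
    findings = []
    for path in listing:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not name.endswith(".aspx"):
            continue
        if PAYLOAD_NAME.match(name):
            findings.append(Finding("known_payload_name", path))
        elif name not in baseline:
            # A name-only baseline is a first pass: it cannot catch a web shell
            # written over a legitimate file, so hash-compare baselined files too.
            findings.append(Finding("unbaselined_aspx", path))
    return findings


if __name__ == "__main__":
    for f in hunt_iis(parse_w3c(SAMPLE_IIS_LOG)) + hunt_webroot(SAMPLE_LISTING, SAMPLE_BASELINE):
        print(f"[{f.kind}] {f.detail}")
```

On the sample data the script raises three log findings (two ToolPane POSTs, including the lower-cased one, and one request for `spinstall0.aspx`) and two web-root findings; the authenticated GET of `ToolPane.aspx` is left alone, since the profile's indicator is POSTs to that endpoint. Replace the constructed constants with real log files and a directory walk, and extend the baseline to file hashes, before using it on a live farm.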
Strategic Implications & Risk Profile
- High impact, lower visibility: Because Violet Typhoon focuses on intelligence rather than destruction, breaches may go undetected for longer.
- Espionage focus: Organizations with political, academic, or policy roles are especially at risk. Also relevant are organizations with public infrastructure vulnerable to old CVEs.
- Persistent access: Stealing MachineKeys or installing web shells can give long-term access even after certain patches — patching is necessary but not sufficient.
Technical Appendix & Available IOCs
Publicly available IOCs are still limited. The following artifacts or information have been reported:
- Exploited vulnerability IDs: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771 (used in “ToolShell” chain) linked with Violet Typhoon’s activity.
- Vendor-reported endpoints: POSTs to `/_layouts/15/ToolPane.aspx`, uploads of payload script names like `spinstall0.aspx` (or similar with minor renames).
- Behavioral indicators: attempts to steal MachineKey cryptographic material, default or weakly protected key stores.
- Alias mapping (names above) for threat intelligence correlation.