MixMode Threat Research is a dedicated contributor to MixMode.ai’s blog, offering insights into the latest advancements and trends in cybersecurity. Their posts analyze emerging threats and deliver actionable intelligence for proactive digital defense.

New threat intelligence confirms what many infrastructure leaders have long feared: Chinese state-sponsored threat groups are not only capable of infiltrating U.S. critical systems—they already have. Volt Typhoon, Salt Typhoon, and APT41 are executing long-term, undetected operations within utilities, transportation networks, telecom platforms, and software supply chains.
These aren’t theoretical threats. This is an active campaign targeting the systems Americans rely on for water, power, safety, and communication.
Download the full threat research report to understand the scope, tactics, and implications of these breaches—and what to do next.
How Volt Typhoon Avoided Detection for Nearly a Year
Volt Typhoon has been active since at least 2021, embedding itself in critical infrastructure providers using living-off-the-land tooling already present in the environment, such as PowerShell, WMI, and built-in command-line utilities. By mimicking legitimate admin activity, they avoid detection by traditional, signature-based security tools.
A Massachusetts utility provider unknowingly hosted Volt Typhoon operators for nearly a year. They gained access via known or zero-day vulnerabilities, escalated privileges, and moved laterally within the network. In Guam, another confirmed breach triggered national concern due to the island’s strategic role in U.S. Navy operations.
Volt Typhoon’s techniques are optimized for stealth, persistence, and access to operational technology (OT) systems, making long-term sabotage a real possibility.

Salt Typhoon’s Hijack of U.S. Telecom Surveillance Systems
In 2024, Salt Typhoon was found inside the systems of nine major U.S. telecom companies. These weren’t just standard breaches—they penetrated lawful intercept platforms, which are used to comply with federal surveillance orders. In effect, Salt Typhoon gained access to tools meant for law enforcement and turned them against U.S. citizens and government officials, including then-President-elect Donald Trump.
This group leveraged a complex toolkit, including BITSAdmin, CertUtil, SparrowDoor, and PowerShell-based scripts, while disguising command-and-control traffic as regular activity.
APT41: State Espionage Meets Profit-Driven Cybercrime
APT41 stands apart due to its dual mission: conducting government espionage while also executing financially motivated attacks. Tracked elsewhere as Brass Typhoon and Wicked Panda, this group has compromised software development pipelines, healthcare providers, and cloud-based platforms.
Their toolkit is extensive, ranging from DNS-based C2 channels to obfuscated PowerShell payloads, and from exploiting VPN appliances to deploying persistence mechanisms inside developer environments. They are one of the few groups actively targeting both operational infrastructure and commercial entities.
Their use of signed binaries, stealthy lateral movement, and obfuscation techniques continues to challenge legacy detection tools.
The Lag in U.S. Infrastructure Defense
PRC threat actors are outpacing U.S. critical infrastructure cybersecurity capabilities—not just in tools, but in agility. Procurement delays, slow patching cycles, and legacy compliance systems are hampering our ability to respond. Meanwhile, attackers are using AI to rewrite malware on demand and test defenses with speed.
At the same time, many infrastructure systems still rely on tools that can only detect threats with known signatures, rendering them ineffective against low-and-slow campaigns that evolve in real time.
The threat actors are already inside. The question now is whether organizations can identify and contain them before real-world impacts occur.

MixMode’s Approach to Detecting PRC-Backed Intrusions
MixMode was designed to detect the undetectable. Unlike tools that rely on known indicators, MixMode uses real-time, unsupervised AI to establish and evolve behavioral baselines unique to each environment. It observes networks passively and out-of-band, without relying on traditional querying or scanning.
This makes MixMode especially effective at identifying:
- Vendor login anomalies and reconnaissance linked to Volt Typhoon
- Irregular encrypted traffic suggesting certificate misuse by Salt Typhoon
- Unusual developer activity and credential elevation patterns tied to APT41
- Protocol misuse or OT credential compromise not flagged by legacy tools
Because MixMode doesn’t rely on rules or CVEs, it can detect novel threats, zero-days, and new techniques as they emerge, not after the fact.
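As an added illustration (not MixMode's code or product logic), the following Python sketch shows the baseline-deviation idea behind this kind of detection: it learns which native Windows tools each account runs, on which hosts and at which hours, from process-creation events, then flags executions of the utilities named above (PowerShell, WMI, BITSAdmin, CertUtil) that fall outside that account's own history. Every event, hostname and account name is constructed for the example; the three deviation labels are assumptions, not product terminology.

```python
from collections import defaultdict

# Native Windows utilities the article names as abused by Volt and Salt Typhoon. Running them
# proves nothing by itself; the signal is deviation from the account's own observed baseline.
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "bitsadmin.exe", "certutil.exe"}

# Constructed process-creation events (timestamp, host, account, image); not real telemetry.
BASELINE_EVENTS = [
    ("2025-03-03T09:12:00", "ws-ops1", "admin.jane", "powershell.exe"),
    ("2025-03-03T10:40:00", "ws-ops1", "admin.jane", "wmic.exe"),
    ("2025-03-04T15:30:00", "ws-hr07", "hr.bob", "excel.exe"),
]
NEW_EVENTS = [
    ("2025-03-05T10:05:00", "ws-ops1", "admin.jane", "powershell.exe"),  # routine admin work
    ("2025-03-05T02:17:00", "scada-hmi2", "admin.jane", "certutil.exe"),  # new tool, host, hour
    ("2025-03-05T15:00:00", "ws-hr07", "hr.bob", "bitsadmin.exe"),        # HR account never used it
]

def parse_event(ts, host, account, image):
    """Normalise one row; hour of day is the behavioural feature kept alongside host and tool."""
    return {"ts": ts, "host": host, "account": account, "image": image.lower(), "hour": int(ts[11:13])}

def learn(baseline, ev):
    """Grow the per-account sets of tools, hosts and hours seen."""
    baseline["tools"][ev["account"]].add(ev["image"])
    baseline["hosts"][ev["account"]].add(ev["host"])
    baseline["hours"][ev["account"]].add(ev["hour"])

def score(baseline, ev):
    """Return the deviations for a LOTL execution; an empty list means it fits the baseline."""
    if ev["image"] not in LOTL_BINARIES:
        return []
    acct, reasons = ev["account"], []
    if ev["image"] not in baseline["tools"][acct]:
        reasons.append("lotl-tool-new-for-account")
    if ev["host"] not in baseline["hosts"][acct]:
        reasons.append("account-new-on-host")
    if ev["hour"] not in baseline["hours"][acct]:
        reasons.append("outside-usual-hours")
    return reasons

def detect(history, stream):
    """Learn from history, then emit (ts, account, image, reasons) for every deviation."""
    baseline = {k: defaultdict(set) for k in ("tools", "hosts", "hours")}
    for row in history:
        learn(baseline, parse_event(*row))
    findings = []
    for row in stream:
        ev = parse_event(*row)
        if reasons := score(baseline, ev):
            findings.append((ev["ts"], ev["account"], ev["image"], reasons))
        learn(baseline, ev)  # the baseline keeps evolving with observed behaviour
    return findings
```

Run against the constructed stream, the routine PowerShell use is silent while the off-hours CertUtil run on an OT host and the HR account's first BITSAdmin execution are both reported with the reasons that triggered them.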
Recommendations for Infrastructure Leaders
To reduce exposure to these threats, the report outlines critical steps for infrastructure organizations:
- Separate IT and OT systems physically or through air gaps
- Enforce multifactor authentication, especially for vendor and privileged accounts
- Eliminate privileged credentials stored on endpoints
- Deploy continuous behavioral monitoring tools with proven success against APT tactics
- Conduct regular access audits, review session logs, and establish strict time-based access controls
- Upgrade or isolate legacy systems that can no longer be patched
Technology Must Catch Up—Now

Chinese APT groups have proven they can maintain long-term, undetected access inside U.S. infrastructure systems. They are stealthy, resourced, and far ahead in adopting AI-driven cyber techniques. Their goals are not limited to reconnaissance—they include the ability to disable infrastructure on demand.
MixMode was purpose-built to detect the types of threats described in this report. With passive, real-time detection across both IT and OT systems, MixMode gives infrastructure defenders a critical edge—identifying attacks early and responding before systems are compromised.
Download the full report: Volt Typhoon, Salt Typhoon & APT41—This Is No Longer a Drill. Understand what’s already happened. See what’s coming next. Equip your team to respond.