PRC APT/Typhoon Label Crosswalk And Advisory Refresh Source Packet

UNCLASSIFIED//OPEN SOURCE

Source Packet ID: WI-SOURCEPACKET-PRC-APT-TYPHOON-2026-0001

Prepared UTC: 2026-06-18T12:13:59Z

Information cutoff UTC: 2026-06-18T12:13:59Z

Source base: FBI China cyber threat overview and dated FBI cyber alerts; DOJ January 31, 2024 Volt Typhoon / KV Botnet disruption release; DOJ March 5, 2025 i-Soon / APT27 charging release; Treasury January 17, 2025 Salt Typhoon sanctions release; OFAC cyber-related sanctions source route; CISA, NSA, FBI, FCC, State Rewards for Justice, and allied cyber-center source families; existing WARLOCK-INDEX PRC cyber and critical-infrastructure defensive source packet, Salt Typhoon telecommunications defensive source note, China/PLA source tracker, cyber nation-state actor/APT tracker, official threat-source tracker, source registers, coverage map, and global actor-domain assimilation matrix.

Analytic confidence: High for the accessible FBI, DOJ, and Treasury page identities and for source-class separation. Moderate for exact CISA, NSA, FCC, and allied advisory page-level extraction because some direct advisory routes remain access-caveated or dynamic in this environment. Low for any claim that would merge private-sector aliases, vendor labels, or technical behavior into official attribution without a dated source-class note.

Purpose: Create a safe PRC APT/Typhoon label crosswalk that records which public source uses which label, what source class supports it, and how later WARLOCK-INDEX products should route PRC cyber actor language without reproducing technical tradecraft.

Boundary: Strategic defensive source organization only. This packet does not provide exploit steps, commands, indicators, vulnerability lists, malware behavior, device guidance, scanning procedures, credential methods, lawful-intercept detail, provider-specific security findings, victim lists, network diagrams, sanctions-evasion guidance, investigative direction, or operational cyber guidance.

Bottom Line

PRC cyber labels should be treated as dated source labels, not as a single normalized alias encyclopedia. The accessible official record in this pass supports a controlled crosswalk across several label families:

  1. FBI's China cyber overview is the source hub for PRC cyber warning chronology and dated FBI alerts.
  2. FBI and Treasury both support a Salt Typhoon source lane, but the FBI source route, Treasury sanctions source route, Senate oversight route, and CISA/NSA/FBI advisory route have different evidentiary roles.
  3. DOJ's January 31, 2024 disruption release carries Volt Typhoon as a private-sector label in a law-enforcement source event and should remain tied to that source class.
  4. DOJ's March 5, 2025 i-Soon charging release supports APT27 and a DOJ-listed private-sector alias lane for that case, but allegations, company links, and aliases should not be generalized beyond the source.
  5. FBI alert titles support additional PRC source routes, including APT40, PRC-linked router/IoT activity, BADBAZAAR and MOONSHINE, and broader Chinese state-sponsored actor warning language, without copying technical content into WARLOCK-INDEX.

The next PRC cyber work should refresh exact CISA, NSA, FBI, FCC, and allied advisory pages where access allows, but this packet is enough to stop broader products from laundering APT labels into unqualified attribution.

Source Ledger

| Source family | Publisher | Date or access state | Primary value | Limits |
| --- | --- | --- | --- | --- |
| FBI China cyber threat overview | Federal Bureau of Investigation | Accessed 2026-06-18 | FBI source hub for China cyber framing and dated alert routing | Overview route; not a complete actor dossier or alias authority |
| FBI countering Chinese state-sponsored actors global espionage advisory | FBI | Published 2025-08-27; page route accessible | Source route for broad "Chinese state-sponsored actors" language and global espionage-system warning title | PDF/detail extraction still requires a separate page-level pass; no technical extraction |
| FBI People's Republic of China cyberthreat activity alert | FBI | Published 2025-06-30; page route accessible | Source route for broad PRC cyberthreat activity title and FBI alert chronology | Page route only in this pass; no detailed extraction |
| FBI Salt Typhoon telecommunications public service announcement | FBI | Published 2025-04-24; page route accessible | FBI source route for PRC-affiliated activity publicly tracked as Salt Typhoon and telecommunications source treatment | Do not extract tip mechanics, victim/provider detail, or technical guidance |
| FBI BADBAZAAR and MOONSHINE alert | FBI | Published 2025-04-09; page route accessible | Source route for spyware/civil-society warning title connected to Uyghur, Taiwanese, and Tibetan groups | Title/source metadata only until a safe page-level pass; no malware detail |
| FBI Beijing leveraging freelance hackers and information-security companies alert | FBI | Published 2025-03-05; page route accessible | FBI source route for PRC government use of freelance hackers, information-security companies, MSS/MPS framing, and i-Soon public warning | Not proof that every private-sector alias is official attribution; no technical detail |
| DOJ i-Soon / APT27 charging release | Department of Justice | Published 2025-03-05; accessible | Legal-action source for i-Soon, MPS/MSS framing, APT27, and DOJ-listed private-sector aliases in that case | Allegations and legal source event; no intrusion details or technical procedures |
| Treasury Salt Typhoon sanctions release | Treasury / OFAC | Published 2025-01-17; accessible | Sanctions source route for Salt Typhoon, Sichuan Juxinhe, Yin Kecheng, and cross-references to other PRC cyber sanctions routes | Sanctions source, not a complete incident report or technical advisory |
| FBI enhanced visibility and hardening guidance for communications infrastructure | FBI | Published 2024-12-03; page route accessible | FBI route for communications-infrastructure defensive advisory source family tied to Salt Typhoon follow-on work | No hardening steps, device guidance, or provider-specific details extracted |
| FBI PRC-linked routers and IoT botnet operations alert | FBI | Published 2024-09-18; page route accessible | Source route for PRC-linked actor language and botnet warning title | No device, indicator, router, or botnet operation detail |
| FBI APT40 advisory | FBI | Published 2024-07-08; page route accessible | Source route for APT40 and PRC MSS advisory title language | No tradecraft extraction or alias expansion without page-level controls |
| FBI PRC state-sponsored actors critical-infrastructure alert | FBI | Published 2024-02-07; page route accessible | Source route for PRC state-sponsored critical-infrastructure access warning title | No persistence, sector, or technical detail extracted |
| FBI insecure SOHO-router exploitation alert | FBI | Published 2024-01-31; page route accessible | Source route connected to malicious cyber actors exploiting insecure SOHO routers and the Volt Typhoon source family | No vulnerable-device or exploitation detail |
| DOJ Volt Typhoon / KV Botnet disruption release | Department of Justice | Published 2024-01-31; archived page accessible | Law-enforcement source event carrying Volt Typhoon as a private-sector label and PRC state-sponsored critical-infrastructure framing | Court-authorized disruption source; no botnet, victim, or remediation mechanics |
| CISA, NSA, FBI joint advisory source family | CISA, NSA, FBI, and partners | Active source route; direct pages remain page-level follow-on | Primary intended advisory family for PRC defensive advisories and co-seal agency lists | Extract only titles, dates, issuing agencies, actor labels, and high-level themes |
| OFAC cyber-related sanctions route | Office of Foreign Assets Control | Active source route | Current route for cyber-related designations and follow-on PRC cyber sanctions status | Legal/status source only; no sanctions advice or evasion discussion |
| State Rewards for Justice cyber route | Department of State / Rewards for Justice | Active source route | Reward-source route for foreign malicious cyber activity against U.S. critical infrastructure | Do not reproduce reporting mechanics or investigative guidance |
| Allied cyber-center advisory routes | UK, Canada, Australia, New Zealand, Japan, NATO/EU where captured | Active source-family route | Cross-check lane for allied PRC cyber warnings, co-seal advisories, and national threat reports | Allied labels are not interchangeable with U.S. legal, sanctions, or advisory source classes |

Label Crosswalk

| Label or source phrase | First source captured in this packet | Source class | WARLOCK-INDEX treatment | Follow-on control |
| --- | --- | --- | --- | --- |
| PRC / China state-sponsored / Chinese state-sponsored actors | FBI China overview; FBI 2025 global espionage advisory route | Official advisory phrase | Country/state-actor frame; do not equate to one named APT | Refresh exact FBI and joint-advisory pages before strengthening chronology |
| Salt Typhoon | FBI April 24, 2025 PSA; Treasury January 17, 2025 sanctions release | Official advisory/legal label by source lane | Telecommunications and communications-infrastructure source lane | Cross-read Salt Typhoon note, Treasury/OFAC status, CISA/NSA/FBI advisory routes, FCC/Senate oversight |
| Volt Typhoon | DOJ January 31, 2024 disruption release | Law-enforcement event carrying a private-sector label | Critical-infrastructure/pre-positioning source lane tied to DOJ's public release | Use as DOJ-described source language unless a direct advisory independently uses the label |
| APT40 | FBI July 8, 2024 advisory title | Official advisory title and PRC MSS source route | PRC MSS advisory source lane | Page-level extraction needed before alias or behavior expansion |
| APT27 | DOJ March 5, 2025 i-Soon charging release | Legal-action label | i-Soon / contract-hacker / PRC law-enforcement and intelligence-service source lane | Preserve allegations and source class; do not generalize case details |
| Silk Typhoon and other DOJ-listed private-sector aliases for APT27 | DOJ March 5, 2025 i-Soon charging release | DOJ-listed private-sector alias lane | Alias table support only with DOJ source note | Do not treat as independent official attribution without additional source |
| Flax Typhoon | Treasury January 17, 2025 Salt Typhoon sanctions release cross-reference | Sanctions-source route | Separate PRC malicious cyber activity source route | Follow OFAC/Treasury January 2025 designation route before use |
| APT31 | Treasury January 17, 2025 Salt Typhoon sanctions release cross-reference | Sanctions-source route | Separate PRC cyber legal/sanctions source route | Follow Treasury/DOJ/FBI March 2024 routes before use |
| BADBAZAAR and MOONSHINE | FBI April 9, 2025 alert title | Official advisory title/source route | Spyware and civil-society targeting source lane | Title/source metadata only until safe page-level refresh |
| PRC-linked actors | FBI September 18, 2024 routers/IoT alert title | Official advisory phrase | Router/IoT botnet source route without technical extraction | No device, indicator, or botnet-operation extraction |
| PRC-affiliated activity | FBI April 24, 2025 Salt Typhoon PSA | FBI public phrasing | Actor-linkage phrase for Salt Typhoon source lane | Do not upgrade to service-level attribution without source text |
| Contract hackers / information-security companies | FBI March 5, 2025 alert; DOJ March 5, 2025 charging release | FBI warning and DOJ legal-action lane | PRC state-contractor ecosystem source lane | Keep company/person records tied to legal or sanctions source events |

Extraction Rules

  1. Extract publisher, title, date, access date, source class, issuing agencies, actor label exactly as written, and high-level sector lane.
  2. Treat Typhoon, APT, actor, activity, company, and private-sector aliases as source labels until a dated source packet states who used the label.
  3. Keep legal actions, sanctions/designations, rewards, advisories, oversight, intelligence assessments, and allied warnings in separate source classes.
  4. Do not copy commands, indicators, exploit chains, hashes, domains, vulnerable products, device models, malware behavior, detection signatures, configuration steps, or incident-response procedures.
  5. Do not construct victim, provider, facility, or private-person dossiers. Name entities only when a public DOJ, Treasury, OFAC, or court source makes the reference necessary for strategic source routing.
  6. Do not convert Senate, FCC, Treasury, or Rewards for Justice material into proof of technical remediation status, active access, victim count, or provider security posture.
  7. Preserve uncertainty when official pages use broad language such as "linked," "affiliated," "state-sponsored," "contract hacker," or "activity."

PRC Cyber Label Routing

| Routing lane | Use | Stronger claim requires | Boundary |
| --- | --- | --- | --- |
| FBI overview and alerts | Actor-label chronology, high-level warning titles, source hub | Direct page/PDF extraction with access date | No tip mechanics, technical detail, or investigation direction |
| DOJ legal actions | Public allegations, charges, disruption events, legal source status | Court records or later DOJ updates where claim-specific | No intrusion replication, private-person dossiering, or legal conclusion beyond source |
| Treasury/OFAC sanctions | Designation and sanctions-source routing | Current OFAC record and Federal Register/legal status where needed | No sanctions advice, evasion, or finance procedure |
| CISA/NSA/FBI advisories | Defensive advisory titles, agency lists, actor labels, sector themes | Page-level advisory refresh and allied cross-check | No IOCs, CVEs, commands, exploitation, or remediation playbooks |
| FCC/Senate oversight | Telecom policy and oversight source routing | FCC dockets/orders and primary provider/regulator records | No provider vulnerability maps or network-security scoring |
| State/RFJ reward route | Broad foreign malicious cyber activity source route | State/RFJ update capture and official context | No reporting-channel mechanics |
| Allied cyber centers | Co-seal advisory and national threat-report cross-checks | Country-specific page capture and source-class notes | No cross-country alias normalization without source |

Follow-On Queue

| Product | Purpose | Primary source families |
| --- | --- | --- |
| PRC Advisory Page-Level Refresh | Capture exact CISA, NSA, FBI, and allied PRC advisory titles, dates, issuing agencies, co-seal lists, access notes, and safe high-level themes | CISA, NSA, FBI, UK NCSC, ASD/ACSC, Canada Cyber Centre, New Zealand NCSC, Japan cyber routes |
| OFAC/Treasury PRC Cyber Designation Refresh | Capture current Salt Typhoon, Flax Typhoon, APT31, and related PRC cyber designation routes as legal/status sources | Treasury, OFAC, Federal Register where needed |
| DOJ PRC Cyber Legal-Action Source Packet | Separate i-Soon/APT27, Volt Typhoon, contract-hacker, botnet-disruption, and other PRC legal-action records | DOJ NSD, FBI, court records where public |
| FCC Telecommunications Cybersecurity Source Refresh | Capture FCC and Federal Register routes for telecom cybersecurity policy and Salt Typhoon follow-on oversight | FCC, Federal Register, Senate Commerce |
| Allied PRC Cyber Cross-Check Packet | Capture allied source use of PRC labels and co-seal advisory routes without normalizing aliases prematurely | UK, Canada, Australia, New Zealand, Japan, NATO/EU cyber routes |

Information Gaps

  • CISA, NSA, FCC, and some allied advisory pages still require page-level direct refresh before exact titles, agency lists, and advisory metadata are considered complete.
  • FBI pages are accessible as routes in this pass, but some linked PDF content requires separate extraction controls before stronger claim-level use.
  • Public sources do not prove full alias equivalence, complete actor tasking, current access, remediation status, victim counts, or classified attribution.
  • Treasury cross-references to Flax Typhoon and APT31 require their own direct designation/legal-action refreshes before those labels are expanded.
  • Commercial threat-intelligence labels remain outside the corpus unless a future commercial/research source-class rule admits them with explicit source treatment.

Source Base

  • FBI, Cyber Threat Overview: China: https://www.fbi.gov/investigate/cyber/cyber-threat-overview-china
  • FBI, Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System: https://www.fbi.gov/investigate/cyber/alerts/2025/countering-chinese-state-sponsored-actors-compromise-of-networks-worldwide-to-feed-global-espionage-system
  • FBI, People's Republic of China Cyberthreat Activity: https://www.fbi.gov/investigate/cyber/alerts/2025/peoples-republic-of-china-cyber-threat-activity
  • FBI, FBI Seeking Tips About PRC Targeting of U.S. Telecommunications: https://www.fbi.gov/investigate/cyber/alerts/2025/fbi-seeking-tips-about-prc-targeting-of-us-telecommunications
  • FBI, BADBAZAAR and MOONSHINE Spyware Targeting Uyghur, Taiwanese, and Tibetan Groups and Civil Society Actors: https://www.fbi.gov/investigate/cyber/alerts/2025/badbazaar-and-moonshine-spyware-targeting-uyghur-taiwanese-and-tibetan-groups-and-civil-society-actors
  • FBI, Beijing Leveraging Freelance Hackers and Information Security Companies to Compromise Computer Networks Worldwide: https://www.fbi.gov/investigate/cyber/alerts/2025/beijing-leveraging-freelance-hackers-and-information-security-companies-to-compromise-computer-networks-worldwide
  • FBI, Enhanced Visibility and Hardening Guidance for Communications Infrastructure: https://www.fbi.gov/investigate/cyber/alerts/2024/enhanced-visibility-and-hardening-guidance-for-communications-infrastructure
  • FBI, People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations: https://www.fbi.gov/investigate/cyber/alerts/2024/peoples-republic-of-china-linked-actors-compromise-routers-and-iot-devices-for-botnet-operations
  • FBI, APT40 Advisory: PRC MSS Tradecraft in Action: https://www.fbi.gov/investigate/cyber/alerts/2024/apt40-advisory-prc-mss-tradecraft-in-action
  • FBI, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure: https://www.fbi.gov/investigate/cyber/alerts/2024/prc-state-sponsored-actors-compromise-and-maintain-persistent-access-to-u-s-critical-infrastructure
  • FBI, Malicious Cyber Actors Exploiting Insecure SOHO Routers: https://www.fbi.gov/investigate/cyber/alerts/2024/malicious-cyber-actors-exploiting-insecure-soho-routers
  • U.S. Department of Justice, U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure: https://www.justice.gov/archives/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical
  • U.S. Department of Justice, Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns: https://www.justice.gov/opa/pr/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global
  • U.S. Department of the Treasury, Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise: https://home.treasury.gov/news/press-releases/jy2792
  • OFAC, cyber-related sanctions source route: https://ofac.treasury.gov/sanctions-programs-and-country-information/sanctions-related-to-significant-malicious-cyber-enabled-activities
  • CISA, cybersecurity advisories source family: https://www.cisa.gov/news-events/cybersecurity-advisories
  • NSA, cybersecurity advisories and guidance source family: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/
  • State Department Rewards for Justice, Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure: https://rewardsforjustice.net/rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/