incident
Volt Typhoon Removes Legitimate Security Software to Evade DetectionVolt Typhoon security tool removal
In February 2024, CISA reported that Volt Typhoon threat actors removed legitimate security tools and cleared logs on compromised systems to hide their presence. The group used built-in administrative commands to uninstall EDR, disable Windows Defender, and delete event logs, enabling long-term undetected access to U.S. critical infrastructure.