Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

```yara
rule APT_VoltTyphoon_LivingOffTheLand_202305 {
    meta:
        author = "YARA Expert"
        date = "2023-05-30" // Date based on typical advisory release timeframe for "recently discovered" activity
        description = "Detects activity associated with Volt Typhoon, a People's Republic of China (PRC) state-sponsored cyber actor. This rule targets identified file hashes, network indicators, and unique text patterns from related advisories, focusing on their 'living off the land' techniques against critical infrastructure."
        reference = "Joint Cybersecurity Advisory (CSA) on Volt Typhoon activity"
        tlp = "CLEAR"

    strings:
        // --- File Hashes (SHA256) ---
        // These hashes identify specific malicious files associated with Volt Typhoon.
        $hash_sha256_1 = { f4 dd 44 bc 19 c1 90 56 79 4d 29 15 1a 5b 1b b7 6a fd 50 23 88 62 2e 24 c8 63 a8 49 4a f1 47 dd }
        $hash_sha256_2 = { ef 09 b8 ff 86 c2 76 e9 b4 75 a6 ae 6b 54 f0 8e d7 7e 09 e1 69 f7 fc 08 72 eb 1d 42 7e e2 7d 31 }

        // --- Network Indicators (Domains) ---
        // Domains used for C2 or data exfiltration. Included as ASCII and wide strings for broader detection.
        $network_domain_1_ascii = "ntds.dit"
        $network_domain_1_wide = "ntds.dit" wide
        $network_domain_2_ascii = "ntds.jfm"
        $network_domain_2_wide = "ntds.jfm" wide
        $network_domain_3_ascii = "www.ip-api.com"
        $network_domain_3_wide = "www.ip-api.com" wide
        $network_domain_4_ascii = "ss.dat"
        $network_domain_4_wide = "ss.dat" wide
        $network_domain_5_ascii = "sy.dat"
        $network_domain_5_wide = "sy.dat" wide

        // --- API Calls ---
        // No specific API calls were identified in the provided IOCs.
        // This section is included for completeness but remains empty.
        // Example: $api_create_remote_thread = "CreateRemoteThread" ascii wide

        // --- Registry Keys ---
        // No specific registry keys were identified in the provided IOCs.
        // This section is included for completeness but remains empty.
        // Example: $registry_run_key = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Malware" ascii wide

        // --- Unique Text Patterns ---
        // Text strings extracted from the advisory, useful for detecting related documents or in-memory strings.
        $string_actor_name_1 = "Volt Typhoon" nocase
        $string_actor_name_2 = "PRC state-sponsored cyber actor" nocase
        $string_country = "People's Republic of China" nocase
        $string_technique = "Living off the Land" nocase
        $string_target_sector = "critical infrastructure sectors" nocase
        $string_advisory_title = "Joint Cybersecurity Advisory" nocase
        $string_tlp = "TLP:CLEAR"
        $string_agency_nsa = "National Security Agency (NSA)" nocase
        $string_agency_cisa = "Cybersecurity and Infrastructure Security Agency" nocase

    condition:
        // Detection logic combines different types of indicators for robust identification.
        // A single hash match is a strong indicator of a known malicious file.
        (1 of ($hash_*)) or
        // Multiple network indicators suggest C2 or data exfiltration activity.
        (3 of ($network_*)) or
        // Multiple unique text patterns from the advisory indicate related documents or in-memory presence.
        (3 of ($string_*))

        // Note: The requested condition structure (X of ($hash_*)) or (Y of ($network_*) and Z of ($api_*))
        // was adapted. Due to the explicit absence of API calls and registry keys in the provided IOCs,
        // the 'Z of ($api_*)' component cannot be meaningfully included in the condition.
        // The current condition prioritizes detection based on available strong indicators.
}
```