KV Botnet

KV Botnet is a botnet malware/infrastructure cluster attributed by U.S. authorities and multiple public reports to the PRC-linked threat actor Volt Typhoon. It consists primarily of compromised small office/home office routers and other internet-connected edge devices used as covert relay and proxy infrastructure to conceal the origin of follow-on intrusions and espionage activity. Reporting states that the botnet was used to support operations against U.S. and foreign victims, including critical infrastructure organizations, and that Volt Typhoon used it as part of broader pre-positioning activity affecting sectors such as communications, energy, transportation, and water. The botnet has also been described as including cameras and routers, and as relying heavily on end-of-life Cisco and NETGEAR devices that no longer received security patches.

High-confidence reporting in the provided content states that KV Botnet malware infected hundreds of privately owned SOHO routers, with the vast majority being Cisco and NETGEAR devices. The malware-enabled botnet was used to route malicious traffic and support espionage operations without the owners’ knowledge. Multiple sources in the content state that Volt Typhoon used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations and to obscure PRC attribution. One report also states that the botnet mainly involved end-of-life Cisco and NetGear routers, while another notes that legacy routers targeted by KV Botnet often lacked protections such as signed firmware enforcement.

The content further states that KV Botnet activity used acquired virtual private servers as control systems for infected devices. A tracked infrastructure cluster referred to as the JDY cluster or JDYFJ Botnet is associated with KV Botnet in the supplied material. Researchers observed infected systems communicating with control servers using a certificate containing the string "jdyfj" beginning in November 2023. Publicly cited infrastructure associated with this activity included 159.203.113[.]25, 174.138.56[.]21, 108.61.132[.]157, 144.202.49[.]189, 45.32.174[.]131, 45.63.60[.]39, 2.58.15[.]30, 66.85.27[.]190, and 172.233.211[.]226. The content also identifies certificate SHA256 2b640582bbbffe58c4efb8ab5a0412e95130e70a587fd1e194fbcd4b33d432cf as associated with some of this infrastructure.

Behaviorally, the supplied ATT&CK-oriented reporting says KV Botnet activity focuses on compromising SOHO network devices to build a botnet, uses multiple Bash scripts during installation, supports command execution via Bash, uses libevent to manage events, and terminates processes whose paths reference tools such as busybox, wget, curl, tftp, telnetd, or lua unless the string "bioset" is present. The content also states that the malware/control activity used custom or non-standard command-and-control approaches and that VPS infrastructure served as control systems for infected devices.

In December 2023, the FBI conducted a court-authorized disruption operation against KV Botnet in the United States. According to the provided content, the operation remotely deleted KV Botnet malware from affected routers and temporarily severed communications with botnet controllers without affecting legitimate router functions or collecting content information. Authorities warned that the mitigation was temporary and that restarting a router without additional remediation could leave it vulnerable to reinfection. The FBI strongly encouraged replacement of end-of-life SOHO routers because the underlying devices remained vulnerable to future exploitation by Volt Typhoon and other actors. Subsequent reporting in the content states that the botnet’s control infrastructure persisted and migrated across hosting providers after the disruption.