top of page
  • Writer's pictureJohn Cook

Unveiling the Intricacies of the KV-Botnet: An In-Depth Analysis of Volt Typhoon's Covert Operations

Decoding the Enigma: The KV-Botnet Unleashed by Volt Typhoon

In cybersecurity threats, the Chinese state-sponsored APT hacking group Volt Typhoon, also known as Bronze Silhouette, has wielded a powerful weapon since at least 2022 - the 'KV-Botnet.' This sophisticated tool has been strategically used to target SOHO routers in high-value sectors.

Understanding Volt Typhoon's Preferred Targets

With a penchant for infiltrating routers, firewalls, and VPN devices, Volt Typhoon leverages the KV-Botnet to orchestrate its malicious activities. By redirecting traffic through compromised devices, the attackers seamlessly blend their actions with legitimate network activities, ensuring their operations remain undetected.

A collaborative report by Microsoft and the US government suggests that the attackers are constructing infrastructure with the potential to disrupt communication networks in the USA. Microsoft warns, "This Volt Typhoon campaign is developing capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises."

December 13, 2023, a detailed report by the Black Lotus Labs team at Lumen Technologies sheds light on a Volt Typhoon campaign targeting Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and, more recently, Axis IP cameras. This campaign explicitly infects devices at the network's edge, a vulnerable segment amplified by the surge in remote work.

The Covert Network: KV-Botnet's Role in Strategic Attacks

The KV-Botnet, the backbone of covert data transfer, has been employed in attacks on telecommunication and internet service providers, a US territorial government entity in Guam, a European renewable energy firm, and various US military organizations. While the focus seems to be on espionage and information gathering, Black Lotus also reports opportunistic infections.

The botnet's activity has surged since August 2023, with notable spikes in mid-November 2023. The most recent observed attacks occurred on December 5, 2023, indicating ongoing malicious activities.

Unveiling Technical Insights into KV-Botnet

Black Lotus identifies two distinct activity clusters within KV-Botnet: ' KV' and 'JDY.' The former, targeting high-value entities, operates manually, while the latter employs broader scanning with less sophisticated techniques.

The botnet explicitly targets end-of-life devices used by SOHO entities lacking robust security measures. Supported architectures include ARM, MIPS, MIPSEL, x86_64, i686, i486, and i386. Initially focusing on Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFE firewalls, the malware expanded its reach to include Axis IP cameras like models M1045-LW, M1065-LW, and p1367-E.

Volt Typhoon executes a complex infection chain involving multiple files, such as bash scripts (, halting specific processes and removing security tools from infected devices.

To elude detection, the bot sets up random communication ports with the C2 server, adopting the names of existing processes for disguise. Operating solely in memory, the bot presents a challenge for detection, impacting its persistence on compromised devices.

Commands and Operation Details

The commands KV-Botnet receives from the C2 server encompass updating communication settings, exfiltrating host information, performing data transmission, creating network connections, executing host tasks, and more.

In its report, Black Lotus notes the potential for KV-Botnet to spawn a remote shell on SOHO devices, offering the capability for manual command execution or retrieval of undiscovered secondary modules targeting adjacent LANs.

Tracing the Chinese Operation

Black Lotus Labs firmly links this botnet to the Volt Typhoon through overlaps in IP addresses, similar tactics, and working hours aligning with China Standard Time. The advanced obfuscation techniques and covert data transfer channels seen in KV-Botnet attacks align with previously documented Volt Typhoon tactics.

Lumen's report highlights a suspicious decline in KV-Botnet operations coinciding with the public disclosure of Volt Typhoon activities by CISA in May 2023.

Indicators of compromise (IOCs) released by Lumen, including malware hashes and associated IP addresses, provide valuable insights for cybersecurity professionals.

Frequently Asked Questions

Q: What is the KV-Botnet?

A: The KV-Botnet is a sophisticated tool employed by the Chinese state-sponsored APT hacking group Volt Typhoon to target SOHO routers in high-value sectors.

Q: What are the critical targets of Volt Typhoon's KV-Botnet?

A: Volt Typhoon commonly targets routers, firewalls, and VPN devices, with a recent focus on Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.

Q: How does the KV-Botnet evade detection?

A: The bot sets up random ports for communication, disguises itself by adopting existing process names, and operates solely in memory, making detection challenging.

Q: What commands does KV-Botnet receive?

A: Commands include updating communication settings, exfiltrating host info, transmitting data, creating network connections, executing host tasks, and more.

Q: Is there a connection between KV-Botnet and Volt Typhoon?

A: Yes, overlaps in IP addresses, tactics, and working hours aligning with China Standard Time firmly link KV-Botnet to the Volt Typhoon.

In conclusion, understanding the intricacies of the KV-Botnet is imperative for cybersecurity professionals to enhance detection and mitigation strategies. Stay informed, stay secure.




bottom of page