After FBI Takedown, KV-Botnet Operators Shift Tactics to Try to Bounce Back

Chinese KV-Botnet

The actors of the threat behind the KV-botnet made “behavioral changes” to the malicious network as US law enforcement began issuing orders to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices around the world, with a specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon. (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

Active since at least February 2022, it was first documented by the Black Lotus Labs team of Lumen Technologies in mid-December 2023. The botnet is known to consist of two main sub-groups, viz. KV and JDY, with the latter being used to scan potential targets for reconnaissance.

Last month, the US government announced a court-authorized disruption effort to remove the KV cluster, which is usually reserved for manual operations against high-profile targets selected after a broader scan by JDY sub-group.


Now, according to new findings from the cybersecurity firm, the JDY cluster has been silent for almost fifteen days after public disclosure and as a product of the US Federal Bureau of Investigation (FBI) activity.

“In mid-December 2023, we observed this cluster of activity around 1500 active bots,” said security researcher Ryan English. “When we sampled the size of this cluster in mid-January 2024 its size had decreased to approximately 650 bots.”

Given that the deletion actions began with a signed warrant issued on December 6, 2023, it is reasonable to assume that the FBI began sending orders to routers located in the US sometime on or after that date to delete the botnet’s payload and prevent them from being replicated. – set.

“We observed that the operators of the KV-botnet began to restructure, making eight consecutive hours of activity on December 8, 2023, nearly ten hours of operation the following day in December 9, 2023, followed by an hour on December 11, 2023,” Lumen SAYS in a technical report shared by The Hacker News.

During this four-day period, the threat actor was found to interact with 3,045 unique IP addresses associated with NETGEAR ProSAFEs (2,158), Cisco RV 320/325 (310), Axis IP cameras (29) , DrayTek Vigor routers (17) , and other unknown devices (531).

Also observed in early December 2023 was a large spike in exploit attempts from the payload server, indicating the likely attempt by the adversary to re-exploit the devices as they saw their infrastructure offline. Lumen said it is also taking steps to null-route another set of backup servers that became operational at the same time.

Chinese KV-Botnet

It is worth noting that the operators of the KV-botnet are known to do their own reconnaissance and targeting while also supporting several groups such as Volt Typhoon. Interestingly, the timestamps associated with exploiting bots correlate with working hours in China.

“Our telemetry shows that there are administrative connections to known payload servers from IP addresses associated with China Telecom,” Danny Adamitis, chief information security engineer at Black Lotus Labs, said. on The Hacker News.

Chinese KV-Botnet

In addition, the statement from the US Justice Department CEBU the botnet controlled by “People’s Republic of China (PRC) state-sponsored hackers.”

This raises the possibility that the botnet “was created by an organization that supports the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect that they are said to be ‘state-state’ actors,” Adamitis added. .

There are also indications that threat actors established a third related-but different botnet cluster called in January 2023 consisting of infected Cisco routers by deploying a web shell named “,” as SecurityScorecard highlighted last month.


But since the KV-botnet is just “a form of infrastructure used by Volt Typhoon to obfuscate their activity,” it is expected that the recent wave of actions will prompt the actors to be promoted of the state that is likely to move to another covert network to achieve their strategic objectives. goals.

“A significant percentage of all networking equipment in use around the world works well, but is no longer supported,” English said. “End users have a difficult financial choice when a device reaches that point, and many are unaware that a router or firewall is at the end of its supported life.

“Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always possible.”

“The mitigation involves defenders adding their internal devices to the long list of those they must patch and update regularly when applicable, rebooting devices and configuring solutions to EDR or SASE if possible, and watch out for large data transfers from the network.Geofencing is not a reliable defense, if the threat actor can jump from a nearby point.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment