KV-Botnet: Don’t call it a Comeback – Lumen

Lumen’s Black Lotus Labs documented KV-botnet as a covert data-transfer network used by China-based state-sponsored actors and observed a concentrated re-exploitation effort in early December 2023 after a court-authorized takedown began. Lumen null-routing and the FBI action significantly reduced KV cluster activity and disrupted associated clusters such as JDY. #KV-botnet #VoltTyphoon

Keypoints

  • KV-botnet is a covert data-transfer network built from compromised SOHO routers and firewalls and attributed to China-based state-sponsored actors including Volt Typhoon.
  • Following an FBI warrant signed on December 6, 2023, operators launched focused re-exploitation between Dec 8–11, targeting ~3,045 IPs, of which ~2,158 were NetGear ProSAFE devices.
  • Operators contacted roughly 32.63% of publicly visible NetGear ProSAFE devices (~2,100 of 6,613) during the surge, prioritizing re-establishing KV cluster C2 functionality.
  • KV malware runs entirely in memory (no persistence); power-cycling devices removes the malware, requiring re-exploitation to regain access.
  • Lumen null-routing and the FBI’s court-authorized actions disrupted KV cluster C2s and a secondary backup set of servers, leading to a marked decline in botnet uptime and reach.
  • JDY (router-proxy) cluster ceased activity for ~15 days and then lost over 50% of bots; x.sh appears to be a separate cluster with intermittent payload hosting windows.
  • Observed reinfection rate during the December surge was ~20.69% (630 of 3,045 devices had multi-day interactions with the payload server).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to compromise routers and firewalls: [‘Most of these IP addresses were identified as NetGear ProSAFEs, Cisco RV320/325, Axis IP cameras, and DrayTek Vigor routers.’]
  • [T1105] Ingress Tool Transfer – Payloads and modules were downloaded and executed in-memory on compromised devices: [‘the downloading and execution of additional payloads, such as the malware residing completely in-memory on the compromised devices’]
  • [T1090] Proxy – Compromised devices were used as a covert data transfer network and router proxies (JDY) to relay traffic: [‘the use of the compromised devices to form a covert data transfer network supporting various state-sponsored actors’]
  • [T1046] Network Service Scanning – The JDY cluster conducted mass internet scanning for reconnaissance: [‘The cluster designated “JDY” was primarily used to perform mass internet scanning, presumably for reconnaissance.’]
  • [T1001.003] Protocol Impersonation – Use of protocols (e.g., NTP) to check connectivity and evade sandboxes as an obfuscation method: [‘the potential use of the NTP protocol as a mechanism to ensure the infected device has internet connectivity and to determine if it is not being run in a sandbox’]
  • [T1518] Software Discovery – Malware checked for available shells to guide operations: [‘initial checks by the malware for the presence of specific shells (“/bin/bash,” “/bin/ash,” or “/bin/sh”)’]
  • [T1016] System Network Configuration Discovery – Malware modified iptables rules and opened ports to support module downloads: [‘the malware’s use of iptable rules to modify network configurations and open up additional ports for downloading modules’]
  • [T1529] System Shutdown/Reboot – Malware lacked persistence and was removed by power-cycling devices: [‘the KV malware resides completely in-memory and therefore did not have a persistence mechanism.’]

Indicators of Compromise

  • [IP Address] payload and C2 servers – 152.32.138[.]247 (auxiliary callback), 95.162.229[.]105 (new payload server), and other IPs such as 45.11.92[.]176, 193.36.119[.]48, 216.128.180[.]232 (null-routed)
  • [Router/Device Models] targeted devices – NetGear ProSAFE (2,158 hits), Cisco RV320/325 (310 hits)
  • [Cluster/Hostname] activity clusters and payload identifiers – x.sh cluster (payload hosting), JDY cluster (router proxy), and KV cluster
  • [X.509 Certificate] certificate identifiers used by operator infrastructure – ‘JDY’ and previously observed ‘BBC’ certificates (operator certificate rotation)

KV-botnet technical summary:

KV-botnet is a multi-cluster covert data-transfer network that chained compromised SOHO routers, firewalls, and cameras into proxy and payload infrastructures (notably the KV, JDY, and x.sh clusters). Operators exploited public-facing device applications—predominantly NetGear ProSAFE, Cisco RV320/325, Axis cameras, and DrayTek Vigor routers—delivering an in-memory-only payload that lacked persistence, modified iptables and opened ports to fetch additional modules, and performed software discovery checks for available shells.

Between Dec 8–11, 2023, following a court-authorized takedown initiated Dec 6, operators concentrated exploitation activity (contacting ~3,045 unique IPs, ~2,158 NetGear devices) and activated auxiliary callback/payload servers (e.g., 152.32.138[.]247, 95.162.229[.]105). Lumen telemetry shows a ~20.7% reinfection rate across that wave and that operators used short-lived payload hosting windows (typically ~1 hour) to limit exposure. The JDY router-proxy cluster performed large-scale scanning for reconnaissance but experienced a ~15-day operational lapse and >50% bot decline after C2 disruptions.

Defensive actions included null-routing identified C2/payload IPs, ingesting IoCs into threat feeds, and monitoring for new infrastructure. Because the malware runs in-memory without persistence, simple device power-cycling removes the infection, but re-exploitation remains possible; recommended mitigations include monitoring for large outbound transfers, applying vendor updates or replacing EOL edge devices, and using SASE or equivalent network-level protections to detect and block malicious C2 communications.
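Added example, not code from the Lumen post: a small Python flow-record check that implements the monitoring described above, matching outbound flows from managed edge devices against the defanged IoC addresses listed on this page, flagging large outbound transfers, and flagging multi-day contact with a payload server (the reinfection pattern the summary describes). The sample flows, device list and byte threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Defanged payload/C2 addresses quoted in the summary above.
KV_IOCS_DEFANGED = [
    "152.32.138[.]247", "95.162.229[.]105", "45.11.92[.]176",
    "193.36.119[.]48", "216.128.180[.]232",
]

def refang(ioc: str) -> str:
    """Turn a defanged IoC like 1.2.3[.]4 back into a parseable address."""
    return ioc.replace("[.]", ".")

KV_IOCS = {ipaddress.ip_address(refang(i)) for i in KV_IOCS_DEFANGED}

# Assumed per-day outbound byte threshold (not from the page); tune per site.
LARGE_OUTBOUND_BYTES = 50 * 1024 * 1024

def analyse_flows(flows, edge_devices):
    """flows: iterable of (day, src_ip, dst_ip, bytes_out); edge_devices:
    set of managed SOHO router/firewall IPs. Returns {src_ip: [alerts]}."""
    alerts = defaultdict(set)
    daily_out = defaultdict(int)   # (src, day) -> bytes sent
    ioc_days = defaultdict(set)    # (src, ioc) -> days it was contacted
    for day, src, dst, nbytes in flows:
        if src not in edge_devices:
            continue
        if ipaddress.ip_address(dst) in KV_IOCS:
            alerts[src].add(f"contacted KV IoC {dst}")
            ioc_days[(src, dst)].add(day)
        daily_out[(src, day)] += nbytes
    for (src, day), total in daily_out.items():
        if total >= LARGE_OUTBOUND_BYTES:
            alerts[src].add(f"large outbound transfer on {day} ({total} bytes)")
    for (src, dst), days in ioc_days.items():
        # Repeated contact across days matches the page's reinfection signal:
        # the in-memory payload must be re-fetched after every power cycle.
        if len(days) > 1:
            alerts[src].add(f"multi-day contact with {dst} (possible reinfection)")
    return {src: sorted(a) for src, a in alerts.items()}

# Constructed sample flows and device list (not real telemetry).
SAMPLE_FLOWS = [
    ("2023-12-08", "198.51.100.10", "95.162.229.105", 4096),
    ("2023-12-09", "198.51.100.10", "95.162.229.105", 4096),
    ("2023-12-09", "198.51.100.10", "203.0.113.9", 80 * 1024 * 1024),
    ("2023-12-09", "198.51.100.20", "203.0.113.9", 1024),
    ("2023-12-09", "192.0.2.5", "152.32.138.247", 512),  # unmanaged host, ignored
]
EDGE_DEVICES = {"198.51.100.10", "198.51.100.20"}
```

Feed it real flow or NetFlow exports in the same tuple shape; a device that trips the multi-day rule is a candidate for power-cycling followed by patching or replacement, since a single reboot only clears the in-memory payload.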

Read more: https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/?utm_source=rss&utm_medium=rss&utm_campaign=kv-botnet-dont-call-it-a-comeback