Mallory
Malware, used by 1 actor

KV Botnet

KV Botnet is a covert botnet and data-transfer network associated with the PRC-linked threat actor Volt Typhoon and described by Black Lotus Labs as supporting China-based state-sponsored espionage and intelligence operations. It has been used to conceal the origin of follow-on intrusions and to route malicious traffic through compromised devices, particularly against U.S. and other foreign victims, including critical infrastructure organizations in the communications, energy, water, and transportation sectors. Reporting states the botnet was built primarily from compromised small office/home office (SOHO) routers, especially end-of-life Cisco and NetGear devices, and in some descriptions also included other internet-connected equipment such as cameras. The botnet used acquired virtual private servers (VPS) as control systems for the infected devices.

High-confidence reporting states the FBI conducted a court-authorized disruption in December 2023, remotely deleting KV Botnet malware from hundreds of infected U.S.-based SOHO routers and temporarily severing communications with botnet controllers without affecting legitimate router functions or collecting content. The malware was described as memory-resident and lacking persistence, so power cycling removed it but also left vulnerable devices open to reinfection unless mitigated or replaced. After the disruption, operators attempted to rebuild the botnet by re-exploiting devices between December 8 and December 11, 2023, with observed targeting of thousands of devices including large numbers of NetGear ProSAFE and Cisco RV320/RV325 systems. Black Lotus Labs later assessed the main KV cluster was likely rendered inert by January 2024 due to FBI action and continued null-routing, although related activity clusters such as JDY were observed separately.

The content consistently links KV Botnet to Volt Typhoon infrastructure and tradecraft, including use of compromised SOHO devices as relay nodes and proxy infrastructure to quietly tunnel into victim environments and obscure PRC attribution. Known infrastructure and device references directly mentioned in the content include end-of-life Cisco and NetGear routers, NetGear ProSAFE devices, Cisco RV320/RV325 routers, Axis IP cameras, DrayTek Vigor routers, and VPS-based control systems.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Volt Typhoon

In a December 2023 operation, the FBI used the botnet's own command channel to delete the KV-botnet malware from hundreds of U.S. SOHO routers, mostly end-of-life Cisco and NetGear boxes that the China-linked Volt Typhoon was using to hide access it had planted ahead of a possible crisis inside American communications, energy, water, and transportation systems.

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

2 techniques
T1590 Gather Victim Network Information (evidence: 1)

...used a covert network of connected devices to burrow deep into critical US networks and preposition for future destructive attacks.

T1595 Active Scanning (evidence: 2)

the botnet now scans the internet for fresh vulnerabilities almost as soon as they are disclosed

Resource Development

4 techniques
T1583.003 Virtual Private Server (evidence: 1)

APT-C-36 has incorporated virtual private servers (VPS) into its operational infrastructure... APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s environment... HAFNIUM has operated from leased virtual private servers (VPS) in the United States.

T1584 Compromise Infrastructure (evidence: 2)

For example, China's Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.

T1584.005 Botnet (evidence: 11)

The JDY botnet is back and expanding via attacks on unpatched routers, cameras and other edge devices... JDY botnet now makes up 1,500 compromised small office and home office (SOHO) devices, as well as edge and Internet of Things (IoT) devices.

T1584.008 Network Devices (evidence: 3)

T1584.008 Compromise Infrastructure: Network Devices — Devices are compromised and added to botnets

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 4)

Over a three-day period from December 8 to December 11, 2023, KV-botnet operators targeted approximately 33% of the NetGear ProSAFE devices on the Internet for re-exploitation, a total of 2,100 individual devices.

Stealth

1 technique
T1620 Reflective Code Loading (evidence: 1)

As documented in the malware analysis section of our initial report, the KV malware resides completely in-memory and therefore did not have a persistence mechanism.

Discovery

2 techniques
T1046 Network Service Discovery (evidence: 3)

The botnet is designed not to attack targets directly, but to scan the internet for vulnerable systems and pass that intelligence to hacker groups tied to China.

T1120 Peripheral Device Discovery (evidence: 1)

Volt Typhoon ... has primarily targeted outdated Cisco and Netgear routers to be part of its KV Botnet.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 2)

We observed a brief but concentrated period of exploitation activity in early December 2023, as the threat actors attempted to re-establish their command and control (C2) structure and return the botnet to working order.

T1090 Proxy (evidence: 6)

Since infected devices are ordinary home and small business routers, their traffic blends in with normal internet activity, making detection harder for traditional security tools.

T1090.003 Multi-hop Proxy (evidence: 9)

Because so many bots are legitimate U.S. devices, the JDY botnet blends into normal traffic. Consequently, geofencing, IP reputation filters, and static blocklists struggle to catch it.

Exfiltration

1 technique
T1030 Data Transfer Size Limits (evidence: 2)

JDY was first spotted back in 2023 as part of an investigation into the KV botnet, which was used for covert data transfer while JDY was focused on scanning and reconnaissance.

INDICATORS OF COMPROMISE

IOCs tracked for this family

19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 18 tracked (IPs, domains, and DNS infrastructure linked to this family).

Hashes: 1 tracked (file hashes, MD5/SHA-1/SHA-256, from samples and reports).
