{
	"id": "bf5f2a2c-74e2-43c7-96d0-66945189174d",
	"created_at": "2026-04-06T00:18:20.922547Z",
	"updated_at": "2026-04-10T03:34:44.554536Z",
	"deleted_at": null,
	"sha1_hash": "e3ffd1d14658a30532966cb6ed0632f93fc2bf80",
	"title": "KV-botnet: Don't call it a comeback",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78017,
	"plain_text": "KV-botnet: Don't call it a comeback\r\nBy Black Lotus Labs\r\nArchived: 2026-04-05 21:45:09 UTC\r\nPublished on Feb 7, 2024 | 6 minute read\r\nExecutive summary\r\nOn December 13, 2023, Black Lotus Labs reported our findings on the KV-botnet, a covert data transfer network\r\nused by state-sponsored actors based in China to conduct espionage and intelligence activities targeting U.S.\r\ncritical infrastructure. Around the time of the first publication, we identified a spike in activity that we assess\r\naligns with a significant effort by the operators managing this network to combat takedown efforts underway by\r\nthe U.S. Government.\r\nAccording to a Department of Justice (DOJ) press release, the Federal Bureau of Investigation (FBI) conducted a\r\ncourt-authorized takedown of KV-botnet in early December 2023. Based on the date the earliest warrant was\r\nsigned, December 6, 2023, Black Lotus Labs believes the takedown operation was likely underway between\r\nDecember 6 and December 8, 2023. We observed a brief but concentrated period of exploitation activity in early\r\nDecember 2023, as the threat actors attempted to re-establish their command and control (C2) structure and return\r\nthe botnet to working order. Over three days of activity between December 8 and December 11, 2023, KV-botnet\r\noperators targeted approximately 33% of the NetGear ProSAFE devices on the Internet for re-exploitation, over\r\n2,100 individual devices. 
This shift in priorities by the operators appeared to cause rippling effects on the other\r\nclusters within KV-botnet, resulting in, for example, a 50% decrease in bots in the scanning and reconnaissance\r\ncluster we referred to as “JDY.” Despite the botnet operators’ best efforts, Lumen Technologies’ quick null-routing,\r\nalong with the effects of the FBI’s court-authorized action, appears to have had a significant impact on the uptime,\r\nbreadth, and sustainability of KV-botnet.\r\nThis follow-up report is intended to document the post-publication activity and provide a timeline from the vantage\r\npoint of Lumen’s global visibility. Lumen Technologies would like to commend the FBI for their efforts in\r\ncountering Chinese cyber activity against U.S. critical infrastructure. Lumen Technologies shared threat\r\nintelligence to warn agencies across the U.S. Government of the emerging risks that could impact our nation’s\r\nstrategic assets.\r\nTechnical details\r\nIntroduction\r\nIn December 2023, Lumen’s Black Lotus Labs reported on a complex network called “KV-botnet” that infected\r\nsmall-office, home-office (SOHO) routers and firewall devices across the globe. These compromised devices\r\nassociated with the KV cluster were chained together to form a covert data transfer network supporting various\r\nChinese state-sponsored actors including Volt Typhoon.\r\nhttps://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/\r\nPage 1 of 5\n\nIn the weeks following our original publication, Lumen observed significant behavioral changes in the C2 nodes\r\nassociated with one of the botnet’s secondary activity clusters. The “JDY” cluster, principally used for scanning\r\npotential targets, fell silent for roughly fifteen days following our report. We assess that during this period, the\r\nthreat actor had been focused on re-establishing other critical elements of the botnet, such as the primary infection\r\narm referred to as the “KV” cluster. 
As the threat actor attempted to restore integrity and transition the KV cluster\r\nto auxiliary C2 nodes, Black Lotus Labs monitored the activity through Lumen’s global telemetry, and null-routed\r\nthe new infrastructure in early January 2024.\r\nKV cluster activity: Court-authorized disruption effort\r\nCoinciding with our first publication, Black Lotus Labs observed a dramatic shift in the operations of the KV\r\ncluster. Our telemetry revealed a spike in the targeting of NetGear ProSAFE firewalls, which we can now attribute\r\nto the actions taken by the FBI.\r\nThe DOJ press release on January 31, 2024, indicates that takedown actions began with a signed warrant issued on\r\nDecember 6, 2023. We can assume the FBI began issuing commands to the bots to remove the malware and\r\nenhance protective measures of the previously infected devices sometime on or after December 6. We observed\r\nthe KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023,\r\nnearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11,\r\n2023. During this four-day period, we observed the threat actor interact with over 3,000 unique IP addresses. Most\r\nof these IP addresses were identified as NetGear ProSAFEs, Cisco RV320/325, Axis IP cameras, and DrayTek\r\nVigor routers. The device breakdown of the 3,045 devices that received connections from the exploit server was as\r\nfollows:\r\nNetGear ProSAFE: 2,158\r\nCisco RV320/325: 310\r\nAxis IP cameras: 29\r\nDrayTek Vigor: 17\r\nUndetermined: 531\r\nDuring this surge, the actor displayed a clear preference in device type, as over 2,100 of the approximately 3,000\r\nIP addresses were NetGear ProSAFEs. 
Their focus led us to search for the total number of these devices connected\r\nto the internet; we found the KV threat actor interacted with approximately 32.63% of the 6,613 NetGear\r\nProSAFE devices exposed to the internet worldwide at that time, based upon available Censys data.\r\nAs documented in the malware analysis section of our initial report, the KV malware resides entirely in memory and therefore has no persistence mechanism. Simply power-cycling an infected device removes the malware, and the\r\nactor must re-exploit the device in order to regain access.\r\nThroughout the KV lifecycle, the number of newly exploited bots averaged just over 100 per month. The\r\nmassive surge in exploitation attempts from the payload server in early December 2023 suggests the threat actor\r\nwas likely monitoring their victimized devices and noticed the sudden adverse action. As they detected their\r\ninfrastructure going offline, the KV-botnet operators actively tried to re-exploit those devices to maintain\r\noperations. Analyzing historical Lumen telemetry, we found that 630 of the 3,045 total reinfected devices had\r\ninteractions with the payload server over multiple days in December, indicating a net reinfection rate of 20.69%\r\nover this period.\r\nSearching our historical telemetry led us to a secondary, or backup, set of servers that became operational on\r\napproximately December 5, 2023. We assess that these servers were active until at least January 3, 2024. At that\r\ntime, Lumen took additional actions to null-route these IP addresses and impede their efforts to reinfect the SOHO\r\ndevices. 
As noted in the initial KV-botnet report, we focused more of our attention on the “KV cluster” as it was\r\nmore closely aligned with manual, targeted, high-value operations and tracking.\r\nWe carefully monitored this space over the month of January 2024 and have not detected any net new C2 servers\r\nbeing activated. The lack of an active C2 server, combined with the FBI court-authorized action against KV-botnet\r\nand Lumen Technologies’ persistent null-routing of current and new KV cluster infrastructure, provides a good\r\nindication that the KV activity cluster is no longer effectively active.\r\nThe router proxy “JDY cluster”\r\nThe cluster designated “JDY” was primarily used to perform mass internet scanning, presumably for\r\nreconnaissance. Based on our telemetry, we suspect the FBI’s takedown effort was focused on the activities of the\r\nKV cluster, as JDY bots had signs of life through the middle of January 2024. We assess that as a byproduct of the\r\nFBI activity, the threat actor’s resources were diverted away from rebuilding the JDY cluster, resulting in a 15-day\r\nlapse in operational router proxy server activity.\r\nThe decline in the number of bots communicating with the router proxy server from December 2023 was\r\nsignificant. Originally hovering around 1,500 bots, the numbers fell to approximately 650 in mid-January 2024, a\r\nreduction of over 50%. In our original action, Lumen Technologies null-routed the December router proxy\r\nservers on December 13; more recently we null-routed the newly established servers upon their discovery on\r\nJanuary 12, 2024, to further hamper communications between the bots and their C2.\r\nPublic emergence of the “x.sh” cluster\r\nIn early January 2024, additional public reporting discussed a third activity cluster dubbed “x.sh.” Black Lotus\r\nLabs telemetry indicates this activity cluster goes back to at least January 2023. 
Lumen acknowledges that the\r\nsame exploit was used to compromise the JDY and x.sh Cisco routers, based upon artifacts that were discoverable\r\nvia scan data. Furthermore, the x.sh cluster has a similar operational security measure as the KV and JDY clusters:\r\nthe operators only host the payloads for a short window of time, typically an hour, presumably when they are\r\nexploiting new devices.\r\nBlack Lotus Labs has not been able to recover the malware samples associated with the x.sh cluster payload\r\nservers. And while the JDY, KV, and Fortinet clusters all shared some backend infrastructure, x.sh used a different\r\nset of infrastructure. Considering all factors, we assess with moderate confidence that x.sh is a separate activity\r\ncluster and distinct from the other three.\r\nConclusion\r\nAs with the original report, we assess that this trend of utilizing compromised firewalls and routers will continue\r\nto emerge as a core component of threat actor operations, both to enable access to high-profile victims and to\r\nestablish covert infrastructure. There is a large supply of badly out-of-date, generally end-of-life\r\nedge devices on the internet, no longer eligible to receive patches yet still performing well enough to stay in\r\nservice for end users. Attackers will continue to target medium- to high-bandwidth devices as a springboard in the\r\ngeographic areas of their targets, given that users will be unlikely to notice an impact, or to have the necessary\r\nmonitoring or forensic tools to detect an infection.\r\nWe assess that KV-botnet has encountered significant resistance over the past several weeks. We believe that the\r\nmain arm of the botnet, the KV cluster, has been rendered inert due to the action of U.S. law enforcement. We\r\nassess that the Fortinet activity had dissipated sometime in August of 2023. 
The JDY cluster has lost over half of\r\nits bots in the past month, but remains operational. Finally, the signal associated with the x.sh cluster has been\r\nlost, likely due to public exposure.\r\nIn order to better visualize the data points that were highlighted throughout this report, we have created a timeline\r\nthat encompasses some of the more prominent events between mid-November 2023 and January 2024.\r\nTimeline\r\nNovember 14, 2023 (04:09:29 UTC): Threat actor swapped out the previously observed “BBC” X.509\r\ncertificate and replaced it with the “JDY” X.509 certificate.\r\nNovember 29, 2023 (06:00–07:00 UTC, 12:00–13:00 UTC): First wave of exploitation against Axis IP\r\ncameras; approximately 36 IPs targeted.\r\nNovember 30, 2023 (11:00–12:00 UTC): Second wave of exploitation against Axis IP cameras;\r\napproximately 232 IPs targeted.\r\nDecember 5, 2023 (08:09 UTC): New auxiliary callback server (152.32.138[.]247) observed performing\r\nits first interaction with a KV bot.\r\nDecember 5, 2023 (14:00–15:00 UTC): Exploitation wave against NetGear ProSAFE devices;\r\napproximately 171 IPs targeted.\r\nDecember 6, 2023: First FBI warrant (#5432) signed authorizing takedown actions of KV-botnet.\r\nDecember 8, 2023 (07:00–15:00 UTC): Threat actor conducted 8 straight hours of operations;\r\napproximately 2,098 IPs targeted.\r\nDecember 9, 2023 (03:00–13:00 UTC): Threat actor conducted 10 straight hours of operations;\r\napproximately 3,246 IPs targeted.\r\nDecember 11, 2023 (02:00–03:00 UTC): Threat actor conducted 1 hour of operations; approximately 270\r\nIPs targeted.\r\nDecember 11, 2023 (14:45 UTC): New payload server (95.162.229[.]105) interacted with bot.\r\nDecember 12, 2023 (17:51 UTC): Lumen null-routed KV cluster servers: 45.11.92[.]176, 193.36.119[.]48,\r\n216.128.180[.]232.\r\nDecember 13, 2023 (06:50 UTC): Lumen null-routed three Proxy Router C2 and previously identified\r\npayload server: 144.202.49[.]189, 159.203.113[.]25, 
216.128.179[.]235.\r\nDecember 13, 2023 (17:00 UTC): Lumen released the public KV-botnet blog.\r\nJanuary 3, 2024 (15:10 UTC): Last observed beacon to the new 152.32.138[.]247 callback server.\r\nJanuary 8, 2024 (17:14 UTC): Lumen null-routed the payload server and callback server:\r\n152.32.138[.]247, 45.159.209[.]228.\r\nJanuary 12, 2024 (18:34 UTC): Router proxy IP addresses null-routed: 45.63.60[.]39, 45.32.174[.]131.\r\nMitigations and recommendations\r\nBlack Lotus Labs has added the IoCs from this campaign into the threat intelligence feed that fuels the Lumen\r\nConnected Security portfolio, and we continue to monitor for new infrastructure, targeting activity and expanding\r\nTTPs. In addition, we have null-routed traffic to the known points of infrastructure used by the KV-botnet.\r\nWe will continue to collaborate with the security research community to share findings related to this activity and\r\nensure the public is informed. We encourage the community to monitor for and alert on these and any similar\r\nIoCs.\r\nFurther, to protect networks from compromises by Volt Typhoon and others who may leverage sophisticated\r\nobfuscation networks such as KV-botnet:\r\nNetwork defenders: Look for large data transfers out of the network, even if the destination IP address is\r\nphysically located in the same geographical area.\r\nAll organizations: Consider comprehensive Secure Access Service Edge (SASE) or similar solutions to\r\nbolster their security posture and enable robust detection on network-based communications.\r\nConsumers with SOHO routers: Users should follow best practices of regularly rebooting routers and\r\ninstalling security updates and patches. 
Users should leverage properly configured and updated EDR\r\nsolutions on hosts and regularly update software consistent with vendor patches where applicable.\r\nAnalysis of the KV-botnet was performed by Danny Adamitis, Steve Rudd and Michael Horka. Technical editing\r\nby Ryan English.\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nIf you would like to collaborate on similar research, please contact us on social media @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. Use\r\nof this information is at the end user’s own risk.\r\nAuthor\r\nBlack Lotus Labs\r\nThe mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the\r\ninternet clean.\r\nSource: https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/"
	],
	"report_names": [
		"kv-botnet-dont-call-it-a-comeback"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3ffd1d14658a30532966cb6ed0632f93fc2bf80.pdf",
		"text": "https://archive.orkl.eu/e3ffd1d14658a30532966cb6ed0632f93fc2bf80.txt",
		"img": "https://archive.orkl.eu/e3ffd1d14658a30532966cb6ed0632f93fc2bf80.jpg"
	}
}