US Disrupts Volt Typhoon KV Botnet Built on Compromised SOHO Routers
The U.S. Department of Justice said a court-authorized FBI operation disrupted the KV Botnet, a network of hundreds of compromised small office and home office routers that the PRC-linked group Volt Typhoon used to mask follow-on intrusions against U.S. and foreign targets, including critical infrastructure. Officials said the botnet relied heavily on end-of-life Cisco and NetGear devices, and that the FBI removed malware from affected U.S.-based routers and severed communications with botnet controllers without disrupting legitimate router functions or collecting content. The government tied the activity to broader Chinese pre-positioning against sectors including communications, energy, transportation, and water, while warning that unsupported devices remain vulnerable to reinfection unless replaced or fully remediated.
Reporting on the takedown said the action mirrored earlier U.S. botnet disruptions such as the 2022 operation against Cyclops Blink, the Sandworm/GRU botnet that abused WatchGuard and ASUS devices as command-and-control infrastructure. Subsequent research from Censys found that KV Botnet control infrastructure evolved after the December 2023 disruption, with operators in the JDY cluster largely retaining the same infrastructure patterns while shifting hosting providers and continuing activity linked to vulnerable Cisco RV320/RV325 routers. The researchers said the botnet’s comparatively exposed infrastructure did not fully match Volt Typhoon’s usual stealthy tradecraft, raising questions about whether the KV Botnet was operated directly by Volt Typhoon or by a separate but related actor.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Censys questions whether KV Botnet is truly operated by Volt Typhoon
On 2025-01-16, Censys published analysis of the JDY/KV Botnet's 2024 infrastructure evolution and argued that its relatively exposed, unsophisticated operational behavior did not fully match Volt Typhoon's known stealthy tradecraft. The researchers suggested the botnet may be operated by a separate party despite public attribution to Volt Typhoon.
U.S. publicly announces KV Botnet takedown
On 2024-01-30/31, the DOJ and FBI publicly disclosed the December 2023 disruption of the KV Botnet, warning that many end-of-life Cisco and NetGear routers remained vulnerable to reinfection unless replaced or mitigated. The announcement also said the FBI was notifying affected owners and continuing to investigate Volt Typhoon intrusions.
FBI disrupts KV Botnet used by Volt Typhoon
In December 2023, the U.S. government conducted a court-authorized operation to remove KV Botnet malware from hundreds of compromised U.S.-based SOHO routers and temporarily cut communications with botnet controllers. Officials said the PRC-linked Volt Typhoon group used the botnet to conceal follow-on intrusions against critical infrastructure and other targets.
JDY/KV Botnet control servers appear with 'jdyfj' certificate
Beginning in November 2023, researchers observed new control servers associated with the JDY cluster using a certificate containing the string "jdyfj." Later analysis linked this infrastructure to the KV Botnet ecosystem tied to Volt Typhoon activity.
DOJ disrupts Sandworm's Cyclops Blink botnet
In March 2022, the Justice Department and FBI carried out a court-authorized operation to copy and remove Cyclops Blink malware from vulnerable firewall devices used as command-and-control infrastructure and to close management ports used by Sandworm. The action severed Russian GRU control over thousands of infected devices, while victim notification and remediation efforts continued.
Agencies publicly identify Cyclops Blink malware and Sandworm ties
On 2022-02-23, the UK NCSC, CISA, the FBI, and the NSA issued a joint advisory identifying Cyclops Blink malware, attributing it to Sandworm/GRU, and warning that it targeted WatchGuard and ASUS network devices. Vendors also began publishing detection and remediation guidance.
KV Botnet operators migrate infrastructure after disruption
By April 2024, researchers assessed that some JDY/KV Botnet servers had been brought online in response to the FBI disruption and were later migrated again, largely by changing hosting providers rather than overhauling the infrastructure. This showed the botnet's control infrastructure persisted after the takedown.
Sources
Tidal Cyber - Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure (app.tidalcyber.com)
Will the Real Volt Typhoon Please Stand Up? - Censys (censys.com)
Office of Public Affairs | U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure | United States Department of Justice (justice.gov)
US confirms takedown of China-run botnet targeting home and office routers | The Record from Recorded Future News (therecord.media)
FBI shuts down some of China's Volt Typhoon network (theregister.com)
Office of Public Affairs | Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) | United States Department of Justice (justice.gov)