# KV-Botnet SOHO Router Infrastructure
The KV-Botnet is a persistent, state-sponsored network of compromised small office/home office (SOHO) routers and Internet of Things (IoT) devices that the People's Republic of China threat actor Volt Typhoon assembled to proxy intrusion operations through domestic United States IP addresses. Rather than routing malicious traffic from identifiable foreign infrastructure, Volt Typhoon routes commands and exfiltrated data through routers sitting in American homes and businesses, blending seamlessly with legitimate residential and commercial internet activity. The botnet solves a fundamental operational security problem for the actor: geolocation-based defenses, anomaly detection tuned to foreign IP ranges, and network perimeter rules that block known threat actor infrastructure become largely ineffective when the attacking traffic originates from a Comcast or AT&T IP address three miles from the victim organization.
---
The KV-Botnet is a multi-stage, covert relay network built from end-of-life and unpatched SOHO networking equipment. Confirmed device categories include Cisco RV320 and RV325 dual-gigabit WAN VPN routers, Netgear ProSAFE series routers, DrayTek Vigor routers, and Axis Communications network-attached cameras. The botnet infrastructure serves as a proxy and anonymization layer for Volt Typhoon intrusion campaigns targeting United States critical infrastructure sectors, including communications, energy, transportation, and water systems.
KV-Botnet is not a traditional malware botnet designed for spam distribution, credential harvesting, or DDoS attacks. It does not monetize compromised devices through ransomware or cryptomining. It is not opportunistic; device selection appears deliberate, prioritizing routers with high bandwidth, persistent uptime, and known unpatched vulnerabilities. It is also distinct from general-purpose anonymization networks such as Tor or commercial VPN services. The botnet is purpose-built for a specific nation-state operational requirement: deniable, domestically sourced network access to facilitate long-duration, low-volume reconnaissance and pre-positioning operations.
Two functional subtypes have been identified by researchers at Lumen Technologies' Black Lotus Labs. The "KV" cluster comprises the primary router-based relay nodes. A secondary cluster, referred to as "JDY," consists of lower-sophistication compromised devices used for scanning and initial target identification. The JDY cluster is noisier and less protected, suggesting it is used for preparatory reconnaissance before KV-cluster assets are committed to higher-sensitivity operations. This tiered architecture reflects deliberate operational compartmentalization by the threat actor.
---
## Initial Compromise
Volt Typhoon operators identify candidate SOHO devices through internet-wide scanning, likely using Shodan-style enumeration or proprietary scanning infrastructure (the JDY cluster itself may perform this function). Target selection focuses on devices running end-of-life firmware for which no vendor patches exist and for which default or weak administrative credentials are common. Cisco RV320/RV325 routers, for example, reached end-of-life in 2019 and carry publicly documented remote code execution vulnerabilities including CVE-2019-1652 and CVE-2019-1653, which allow unauthenticated command injection and information disclosure respectively. DrayTek Vigor routers have carried similar remote code execution flaws exploited in multiple nation-state campaigns.
Once a vulnerable device is identified, operators exploit the firmware vulnerability to gain root-level access. No user interaction is required. The exploitation typically occurs over HTTP or HTTPS to the device's management interface, which is frequently exposed to the public internet by default or by misconfiguration.
## Malware Deployment and Persistence
After gaining access, operators deploy a custom implant designed specifically for the MIPS or ARM processor architectures common in SOHO routers. The malware is written to survive router reboots where possible, though on devices where firmware-level persistence is impractical, operators rely on the statistical reality that many SOHO routers run for months or years without being power-cycled. The implant includes several functional modules: an encrypted command and control (C2) communications channel, a traffic relay component that forwards packets between the upstream operator infrastructure and downstream target networks, and a self-protection component that terminates competing malware processes and obscures the implant's presence in process listings.
The C2 channel uses encrypted communications to disguise operator instructions as normal HTTPS traffic. Because the traffic originates from a legitimate residential or small-business router, it blends with the enormous volume of normal encrypted traffic traversing ISP networks.
## Operational Relay Function
Once a sufficient pool of compromised routers is established, Volt Typhoon operators route their intrusion traffic through chains of KV-Botnet nodes before reaching target organizations. A simplified operational scenario illustrates the mechanism:
An operator in the PRC issues a command to a KV-Botnet controller. The controller passes the instruction to a compromised Netgear router in suburban Ohio. That router forwards a connection attempt to the target organization, a regional electric utility in the Mid-Atlantic United States. From the utility's network monitoring perspective, the connection originates from a residential Ohio IP address, not from foreign infrastructure. If the utility's security team queries that IP address against threat intelligence feeds, it returns no hits, because the router was only recently compromised and has not yet appeared on block lists. The operator conducts slow, deliberate reconnaissance, querying Active Directory, mapping OT network segments, and identifying SCADA system access paths, all at a pace designed to avoid triggering volumetric anomaly detection.
## Traffic Volume and Tempo
The "low and slow" tempo is a deliberate design constraint. KV-Botnet operations are characterized by infrequent connections, small data transfers, and long dwell times measured in months to years. This directly challenges security monitoring tools calibrated to detect high-volume or high-frequency intrusion patterns. Commands sent through the botnet are spaced to mimic manual administrator activity rather than automated scanning tools. Data exfiltration occurs in small bursts during business hours when encrypted traffic is expected. This behavioral masquerade requires analysts to distinguish between legitimate remote administration and malicious access based on subtle contextual signals rather than obvious volumetric thresholds.
## Operational Security Rotation
Volt Typhoon operators rotate through botnet nodes, avoiding repeated use of the same relay router against the same target. This behavior frustrates IP-based blocking: by the time a compromised router appears on a threat intelligence feed and gets blocked, operators have already shifted to a different node. The pool of potentially compromised EOL SOHO devices in the United States numbers in the hundreds of thousands, providing an effectively inexhaustible rotation pool.
---
The strategic significance of the KV-Botnet extends well beyond the technical details of any individual compromised router. Volt Typhoon's operational objective, as assessed by the FBI, CISA, and NSA in their February 2024 joint advisory, is not espionage in the traditional sense of stealing secrets. The objective is pre-positioning: establishing persistent access to US critical infrastructure networks so that, in the event of a conflict in the Taiwan Strait or another geopolitical crisis, PRC operators can activate disruptive or destructive capabilities against power grids, water systems, pipelines, and communications infrastructure. The KV-Botnet is the access enablement mechanism for this pre-positioning campaign.
## The Misconception of Foreign-Origin Detection
A pervasive misconception among enterprise security teams is that nation-state intrusions from Chinese actors will be detectable by their foreign origin. Security operations centers frequently apply geolocation-based alerting rules that flag connections from PRC, Russian, or North Korean IP ranges. KV-Botnet renders this control category largely irrelevant. When the attacking IP address belongs to a residential ISP block in Virginia, Ohio, or Texas, geolocation rules do not trigger. This misconception is not hypothetical: post-incident analysis of Volt Typhoon intrusions at affected organizations has identified cases where the initial access connections generated no alerts because they appeared to be domestic traffic.
## Incident Consequence and Scale
The most concrete documented consequence of KV-Botnet operations is the scope of access Volt Typhoon achieved before the January 2024 FBI disruption operation. Congressional testimony and public advisories confirmed that Volt Typhoon had maintained persistent access to multiple US critical infrastructure networks, in some cases for five or more years, without detection. The compromised organizations included entities in the communications sector whose networks underpin 911 emergency services and military logistics communications. The operational implication is severe: an adversary had positioned itself to potentially disrupt emergency response infrastructure during a crisis, and the access pathway ran through routers in American homes and small businesses.
The disruption operation itself demonstrates the scale of the threat. FBI agents executed court-authorized commands against over 260 compromised SOHO devices to remove the KV-Botnet implants. This figure represents only the devices that were positively identified and legally accessible for remediation. Intelligence assessments suggest the total population of compromised devices was significantly larger.
---
CDA approaches the KV-Botnet threat through the Planetary Defense Model, applying two primary domains: Threat Intelligence and Detection (TID) and Security Posture and Hygiene (SPH). The governing methodology is Predictive Defense Intelligence (PDI), which CDA summarizes as "See the threat before it sees you." Applied to KV-Botnet, PDI means that defenders cannot wait for a KV-Botnet relay node to appear on a commercial threat intelligence feed before acting; by that point, the operator has already rotated away. The intelligence requirement must be shifted earlier in the kill chain.
## TID Application
CDA's TID practice, when applied to organizations in critical infrastructure sectors or sectors adjacent to them, begins with adversary-specific profiling of Volt Typhoon's operational patterns. This includes ingesting and operationalizing the specific network behavioral indicators documented by Black Lotus Labs and government advisories: connection timing patterns, encrypted tunnel establishment sequences, and the specific device types most commonly recruited into the botnet. Rather than blocking specific IPs reactively, CDA recommends that security teams implement behavioral detection rules that flag connections exhibiting KV-Botnet-consistent patterns regardless of source IP reputation. Concretely, this means network detection rules that identify encrypted sessions originating from residential ISP IP space, connecting to internal segments with no prior communication history, at irregular intervals consistent with operator-paced manual activity rather than automated processes.
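The behavioral rule described above (residential source, no prior source/destination history, operator-paced irregular timing, as also characterized in the Traffic Volume and Tempo section) sketched as a small detector over flow logs. This is an added illustration, not CDA's or Black Lotus Labs' code; it assumes a constructed flow-log line format, uses RFC 5737 documentation prefixes as stand-ins for residential ISP space, and a constructed 90-day baseline of known source/destination pairs.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins: RFC 5737 documentation prefixes play the role of residential ISP space.
RESIDENTIAL = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# Constructed 90-day baseline of (source /24, destination /24) pairs that have talked before.
BASELINE_PAIRS = {("192.0.2.0/24", "10.20.5.0/24")}
def seg(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))
def is_residential(ip):
    return any(ipaddress.ip_address(ip) in net for net in RESIDENTIAL)
def parse(line):
    # Constructed flow-log format: "<ISO8601> src=<ip> dst=<ip> proto=<name> bytes=<n>"
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["src"], kv["dst"], kv["proto"]
def irregular(times, min_sessions=3, cv_threshold=0.5):
    # Operator-paced sessions have widely varying gaps; scripted beacons are near-constant.
    if len(times) < min_sessions:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean > cv_threshold
def flag_sessions(lines):
    # Returns (src, dst, session_count) for residential sources with no baseline history
    # whose encrypted sessions arrive at irregular, human-paced intervals.
    sessions = defaultdict(list)
    for line in lines:
        ts, src, dst, proto = parse(line)
        if proto == "tls":
            sessions[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sessions.items():
        new_pair = (seg(src), seg(dst)) not in BASELINE_PAIRS
        if is_residential(src) and new_pair and irregular(sorted(times)):
            hits.append((src, dst, len(times)))
    return hits

SAMPLE_LOG = """\
2024-03-04T09:12:31Z src=203.0.113.7 dst=10.20.5.14 proto=tls bytes=1840
2024-03-04T13:47:02Z src=203.0.113.7 dst=10.20.5.14 proto=tls bytes=2210
2024-03-06T10:05:19Z src=203.0.113.7 dst=10.20.5.14 proto=tls bytes=960
2024-03-04T09:00:00Z src=198.51.100.9 dst=10.20.5.20 proto=tls bytes=500
2024-03-04T10:00:00Z src=198.51.100.9 dst=10.20.5.20 proto=tls bytes=500
2024-03-04T11:00:00Z src=198.51.100.9 dst=10.20.5.20 proto=tls bytes=500
2024-03-04T09:30:00Z src=192.0.2.5 dst=10.20.5.14 proto=tls bytes=300
2024-03-05T11:10:00Z src=192.0.2.5 dst=10.20.5.14 proto=tls bytes=300
2024-03-06T16:10:00Z src=192.0.2.5 dst=10.20.5.14 proto=tls bytes=300
""".splitlines()
```

Only the first source is flagged: the hourly source is a fixed-interval beacon (a different detection's job), and the third is residential but already in the baseline.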
## SPH Application
The SPH dimension addresses the supply side of the botnet: the pool of vulnerable SOHO devices. CDA recommends that organizations with any remote-worker population or branch office environments audit the networking equipment used by those populations. End-of-life devices (specifically Cisco RV3xx series, Netgear ProSAFE devices without current firmware support, and DrayTek Vigor models no longer receiving security updates) should be identified and replaced on a defined schedule, not deferred to budget cycles. CDA's asset inventory methodology explicitly includes SOHO and home-office devices where those devices connect to corporate networks via VPN or split-tunnel configurations, because those devices represent a direct network adjacency to protected environments.
## What CDA Does Differently
Most threat intelligence programs treat KV-Botnet as an inbound threat, something targeting their organization. CDA's PDI methodology also treats it as an outbound hygiene problem: if devices connected to your network are KV-Botnet nodes, your organization's traffic may be used to attack others, and your IP addresses may appear on threat intelligence block lists. This bidirectional threat modeling is operationally distinctive.
---
Written by CDA Editorial