top of page

Chinese Hackers Exploit Outdated Routers for Covert Data Transfer

A cyber threat named Volt Typhoon, also recognized as the Bronze Silhouette, has been exposed as the mastermind behind a sophisticated botnet named "KV-botnet." Operating since at least February 2022, this threat actor strategically targets Small Office/Home Office (SOHO) routers, firewalls, and VPN devices, repurposing them for proxying malicious traffic. Reports from both Microsoft and the US government suggest that the KV-botnet is a crucial component of an infrastructure being constructed to potentially disrupt communications between the USA and Asia in the event of future conflicts.

The identified cyber campaign, attributed to the People's Republic of China, gains further credibility due to its alignment with Chinese Standard Time working hours, strongly suggesting the origin of the threat actor. The activities of the botnet unfold in two distinct clusters: the "JDY cluster," employing less sophisticated techniques for target scanning, and the more advanced "KV cluster," reserved for manual operations against high-profile targets.

Specifically, the KV-botnet focuses on exploiting end-of-life devices commonly used by Small Office/Home Office (SOHO) entities, leveraging their typically lower security measures. Devices such as Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFE firewalls were among the specific targets. The infection chain involves multiple files, including a bash script, allowing the threat actor to compromise devices by manipulating specific processes and removing default security tools.

In an effort to enhance evasion techniques, the botnets employ random ports for Command and Control (C2) communication and disguise their names to mimic existing processes. Threat actors interact with the botnets for various tasks, including data exfiltration, data transmission, network connection creation, and task execution, showcasing a sophisticated level of coordination. A comprehensive report, providing in-depth insights into the KV-botnet's infection chain, process execution, attack methods, evasion techniques, and other critical information, has been published. This report sheds light on the intricate workings of this cyber threat, underlining the importance of understanding and countering such advanced threats in the evolving landscape of cybersecurity.


bottom of page