The infamous Volt Typhoon hacker group is back


A botnet operated by the Volt Typhoon threat group, used to target critical national infrastructure around the world, has reappeared after being severely disrupted earlier this year, according to a new report.

The network of compromised devices, orchestrated by the Chinese state-affiliated threat group and known as the KV Botnet, consisted of hundreds of US-based small office/home office (SOHO) routers and was used to attack critical national infrastructure in the US.

Law enforcement agencies targeted the botnet in a joint operation carried out in January 2024, “wiping out the KV Botnet from hundreds of routers nationwide”, according to a statement released by the US Justice Department’s Office of Public Affairs.

But findings from a new report indicate the group has been able to get back up and running quickly, setting up new infrastructure for malicious activity.

On 12 November, SecurityScorecard said its STRIKE threat intelligence team had recently observed the group exploiting outdated Cisco RV320/325 and Netgear ProSafe routers, which the report described as “perfect entry points” for cyber criminals.

The report warned the group is “more sophisticated and determined than ever”, stating that in just 37 days it had compromised 30% of the visible Cisco RV320/325 routers, using them as operational relay boxes.

Volt Typhoon uses the compromised routers to disguise its activity, SecurityScorecard noted.

“These compromised routers act as digital chameleons, facilitating the covert movement of data while mimicking normal network traffic.”

Analysts observed the group using a MIPS-based malware strain, similar to Mirai, to establish covert connections and relay traffic through port forwarding over port 8443, keeping its command-and-control operations hidden from security teams.

The report added that the group implants webshells such as fy.sh on the routers to retain access to and control over the device, allowing it to maintain persistence on the target network.

“The attack doesn’t just hide—it integrates seamlessly into routine network operations. The result? A resilient foothold, particularly within governmental and critical infrastructure sectors, that camouflages malicious activities and complicates any cleanup efforts.”
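The relay pattern described above (an operator reaching a compromised edge router over port 8443, and the router forwarding traffic onward) suggests a straightforward network hunt. The following is an added example, not code from the SecurityScorecard report or from ITPro. It runs over constructed Zeek conn.log-style records and flags two legs the report's description implies: sessions held open to an edge router's port 8443 from hosts that are not known administration sources, and port-8443 sessions that the router itself originates to the internet. The router and admin addresses, the ten-minute threshold and every log line are assumptions for the demonstration. Port 8443 alone is not an indicator of compromise (it is a common HTTPS alternate port), so the output is a hunting lead to triage, not an alert.

```python
"""Hunt for relay-style port-8443 traffic to and from edge routers in Zeek conn.log data.

Added example; assumptions are marked. Port 8443 comes from the SecurityScorecard
report, everything else (addresses, threshold, sample rows) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample records in Zeek conn.log layout (tab-separated, a subset of the
# real columns). Addresses are from the RFC 5737 documentation ranges. Zeek writes
# "-" for unset numeric fields, which the parser below has to tolerate (row Ca8).
# Columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto duration orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
1726000000.1\tCa1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\t2.1\t900\t12000
1726000100.2\tCa2\t198.51.100.7\t40112\t192.0.2.1\t8443\ttcp\t5400.0\t20000\t1800000
1726000200.3\tCa3\t192.0.2.1\t33000\t203.0.113.55\t8443\ttcp\t3600.0\t150000\t900
1726000300.4\tCa4\t10.0.0.9\t52000\t192.0.2.1\t8443\ttcp\t12.0\t300\t2000
1726000400.5\tCa5\t198.51.100.7\t40113\t192.0.2.1\t22\ttcp\t0.5\t100\t100
1726000500.6\tCa6\t10.0.0.9\t52001\t192.0.2.1\t8443\tudp\t1.0\t300\t2000
1726000600.7\tCa7\t203.0.113.99\t61000\t192.0.2.1\t8443\ttcp\t0.2\t60\t0
1726000700.8\tCa8\t203.0.113.99\t61001\t192.0.2.1\t8443\ttcp\t-\t-\t-
"""

EDGE_ROUTERS: Set[str] = {"192.0.2.1"}     # assumption: WAN addresses of the org's SOHO/edge routers
ADMIN_SOURCES: Set[str] = {"10.0.0.9"}     # assumption: hosts allowed to reach router management
RELAY_PORTS: Set[int] = {8443}             # port named in the report
LONG_SESSION_SECS = 600.0                  # assumption: ten minutes is long for a management session


@dataclass(frozen=True)
class Conn:
    ts: float
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def _num(field: str, cast, default):
    """Convert a Zeek numeric field, mapping the unset marker '-' to a default."""
    return default if field == "-" else cast(field)


def parse_conn_log(text: str) -> List[Conn]:
    """Parse conn.log rows, skipping '#' header/footer lines and malformed rows."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 10:
            continue  # malformed row: skip rather than abort the whole hunt
        conns.append(Conn(
            ts=float(f[0]), uid=f[1], orig_h=f[2], orig_p=int(f[3]),
            resp_h=f[4], resp_p=int(f[5]), proto=f[6],
            duration=_num(f[7], float, 0.0),
            orig_bytes=_num(f[8], int, 0), resp_bytes=_num(f[9], int, 0),
        ))
    return conns


def hunt_relay_traffic(conns: List[Conn], edge_routers: Set[str] = EDGE_ROUTERS,
                       admin_sources: Set[str] = ADMIN_SOURCES,
                       relay_ports: Set[int] = RELAY_PORTS,
                       long_session: float = LONG_SESSION_SECS) -> List[Dict[str, str]]:
    """Return hunting leads for the two legs of a router used as a relay."""
    findings = []
    for c in conns:
        if c.proto != "tcp" or c.resp_p not in relay_ports:
            continue
        if c.resp_h in edge_routers and c.orig_h not in admin_sources:
            # Operator-to-relay leg: an external host talking to the router's 8443.
            # Short hits are most likely scanners, so they are downgraded, not dropped.
            long_lived = c.duration >= long_session
            findings.append({
                "uid": c.uid, "src": c.orig_h, "dst": c.resp_h,
                "severity": "high" if long_lived else "low",
                "reason": (f"non-admin source to edge router 8443, session "
                           f"{c.duration:.0f}s, {c.resp_bytes} bytes returned"),
            })
        elif c.orig_h in edge_routers:
            # Relay-to-target leg: the router itself originates 8443 sessions outbound,
            # which a SOHO router has no routine reason to do.
            findings.append({
                "uid": c.uid, "src": c.orig_h, "dst": c.resp_h, "severity": "high",
                "reason": f"edge router originated 8443 session, {c.orig_bytes} bytes sent",
            })
    return findings


def count_by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Group leads by source address so repeat offenders stand out from one-off probes."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    leads = hunt_relay_traffic(parse_conn_log(SAMPLE_CONN_LOG))
    for lead in leads:
        print(lead)
    print(count_by_source(leads))
```

On the sample, the hour-plus inbound session from 198.51.100.7 and the router's own outbound session to 203.0.113.55 come out as high-severity leads, while the two sub-second hits from 203.0.113.99 are kept as low-severity so that a returning scanner can still be distinguished from an operator. In practice the threshold and the admin allowlist need tuning per environment, and a positive result should be followed by pulling the router's configuration and checking for unexpected port-forwarding rules and files such as the fy.sh script the report mentions.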

Volt Typhoon’s Pacific island hub is ‘crucial’ to global operations

Although the group has not been known to directly deploy ransomware, the report noted it operates in a threat landscape shaped by the emergence of the ransomware as a service (RaaS) model.

In this ecosystem, cyber criminals use ransomware attacks to fund more espionage-focused campaigns, reinvesting the profits from their digital extortion activities into more sophisticated tooling.

SecurityScorecard highlighted that Volt Typhoon’s global operations rely on a single compromised VPN device in New Caledonia, a French territory in the South Pacific, which acts as a crucial node linking its Asian and American activities.


Volt Typhoon established its presence, described as a ‘silent bridge’, on the island in October 2023, according to the report.

The device acts as a covert hub which helps the group route traffic between the Asia-Pacific and American regions without detection, extending the reach of the botnet without exposing it to law enforcement.

The report stated that as of September 2024, the botnet was alive and well, using a cluster named JDYFJ to covertly route traffic around the world, with the connections from New Caledonia and router nodes staying active for over a month, “reinforcing Volt Typhoon’s infrastructure”.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.