
KV Botnet
Volt Typhoon's covert relay botnet of end-of-life Cisco and Netgear routers targeting US CNI.
Last refreshed: 30 April 2026
Timeline for KV Botnet
- Sixteen agencies put IOC extinction in print
Cybersecurity: Threats and Defences
- What is the KV Botnet and what is it used for?
- KV Botnet is a network of compromised end-of-life Cisco and Netgear routers used by the China state actor Volt Typhoon to relay its intrusion traffic against US critical infrastructure. The botnet hides the origin of the attacks behind what appears to be normal home and business router traffic. The April 2026 16-agency advisory confirmed it remains active despite a 2024 FBI disruption. (Source: 16-agency advisory / FBI)
- Did the FBI successfully shut down KV Botnet in 2024?
- The FBI disrupted an earlier version of KV Botnet in early 2024 using a court order to push malware-removal commands to compromised US routers. However, Volt Typhoon reconstituted the infrastructure. The 16-agency advisory of April 2026 confirmed that KV Botnet is still operational and being used for US CNI pre-positioning. (Source: FBI / 16-agency advisory)
- Why does Volt Typhoon use routers instead of dedicated servers for its botnet?
- End-of-life home and SME routers are an abundant, largely unmonitored attack surface. They cannot receive security patches, they are rarely logged or audited, and traffic originating from them looks identical to normal domestic internet usage. Using routers rather than dedicated servers makes it extremely difficult for defenders to distinguish Volt Typhoon relay traffic from legitimate network activity. (Source: CISA / Microsoft)
Background
KV Botnet is the covert relay infrastructure used by China-nexus actor Volt Typhoon to mask its intrusion traffic against US critical national infrastructure (CNI). The botnet is composed primarily of end-of-life Cisco and Netgear routers that lack available manufacturer security patches and cannot be updated, making them a persistent pool of compromisable relay nodes. Volt Typhoon routes its intrusion operations through these devices so that network defenders see connections originating from what appear to be legitimate home and SME routers rather than Chinese state infrastructure.
The FBI disrupted an earlier version of KV Botnet in early 2024 via a court-authorised operation that pushed malware-removal commands to hundreds of compromised routers across the United States. Despite that disruption, Volt Typhoon reconstituted its infrastructure. The 16-agency advisory of 23 April 2026 confirmed that KV Botnet remains active and was still being used for US CNI pre-positioning — formally connecting its management to Integrity Technology Group, the same Beijing company that operates Raptor Train for Flax Typhoon.
KV Botnet's significance for defenders lies not only in its role as a relay but in what it implies about Volt Typhoon's mission. The actor is assessed to be pre-positioning for sabotage rather than intelligence collection — placing persistent access inside US communications, utility, and transport infrastructure that could be activated during a future crisis such as a Taiwan contingency. KV Botnet is the logistical infrastructure that makes that pre-positioning survivable against detection.