SOHO Botnet Associated with Volt Typhoon Targets Several US Government Organizations.
15 Dec 2023
2 MIN read
A new Internet of Things (IoT) botnet, named “KV-Botnet,” has been linked to attacks on various US government and communication organizations. Detailed in a report by Lumen’s Black Lotus Labs, this botnet targets small-office home-office (SOHO) network devices made by at least four manufacturers. It is characterized by stealth features and by giving its operators a foothold from which to reach into the local area networks (LANs) behind the compromised edge device.
One key user of the KV-Botnet is the Volt Typhoon advanced persistent threat, also known as Bronze Silhouette, a Chinese state-aligned actor noted for targeting US critical infrastructure. The botnet was implicated in attacks on two telecommunications firms, an Internet service provider, and a US government entity in Guam, forming part of Volt Typhoon’s broader attack infrastructure.
Since February 2022, KV-Botnet has infected SOHO routers such as the Cisco RV320, DrayTek Vigor, and Netgear ProSafe series. By mid-November 2023, it had also begun exploiting IP cameras from Axis Communications. Controlled from infrastructure in China, the botnet is divided into two segments: the “KY” cluster, focusing on high-value targets with manual, hands-on-keyboard activity, and the “JDY” cluster, employing less sophisticated techniques for broader, opportunistic targeting.
The majority of infections belong to the “JDY” cluster. However, the botnet has also targeted notable organizations including a judicial institution, a satellite network provider, US military entities, and a European renewable energy company.
KV-Botnet stands out for its advanced stealth. It operates entirely in memory, so a device restart removes it; a device that stays exposed and unpatched can, however, simply be reinfected. It avoids detection by terminating certain processes and security tools on the device, disguising itself under random file names, and using random ports for command-and-control communication.
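The three stealth traits above (memory-only execution, random process names, C2 on arbitrary ports) are exactly what a responder can look for on a device they can get a shell on. The following triage script is an added example written for this page, not code from Lumen or from the report; it assumes the device runs Linux and exposes /proc (true of most SOHO routers, but not of every product named here), and the snapshot it runs on is constructed, not captured from a real infection. It flags processes whose executable has been deleted or lives in tmpfs, whose name looks randomly generated, or which hold outbound connections on uncommon ports.

```python
"""Triage heuristics for memory-resident implants on Linux-based SOHO devices.

Added example for this article; not Lumen/Black Lotus Labs code. Assumes a
Linux /proc filesystem. All sample data below is constructed.
"""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm
    exe: str       # readlink of /proc/<pid>/exe, " (deleted)" suffix kept
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


@dataclass
class Conn:
    pid: int
    state: str     # e.g. "ESTABLISHED"
    raddr: str
    rport: int


VOLATILE_DIRS = ("/tmp", "/dev/shm", "/run", "/var/run")
COMMON_PORTS = {22, 53, 80, 123, 443, 853, 8443}
# Daemons one expects on a home router; names here are never called "random".
KNOWN_NAMES = {"init", "busybox", "dropbear", "dnsmasq", "hostapd", "httpd", "ntpd", "sh"}


def is_volatile_path(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in VOLATILE_DIRS)


def looks_random(name: str) -> bool:
    """Crude check for a generated name: alphanumeric, >= 8 chars,
    mixes letters and digits, and is not a known daemon."""
    if name in KNOWN_NAMES or len(name) < 8 or not name.isalnum():
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def process_findings(p: Proc) -> list[str]:
    reasons = []
    exe = p.exe
    if exe.endswith(" (deleted)"):
        reasons.append("backing binary deleted: process exists only in memory")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith("/memfd:"):
        reasons.append("executable is a memfd and never touched flash")
    elif is_volatile_path(exe):
        reasons.append(f"executable lives in volatile storage: {exe}")
    if looks_random(p.comm):
        reasons.append(f"random-looking process name: {p.comm}")
    return reasons


def connection_findings(conns: list[Conn]) -> dict[int, list[str]]:
    out: dict[int, list[str]] = {}
    for c in conns:
        if c.state == "ESTABLISHED" and c.rport not in COMMON_PORTS:
            out.setdefault(c.pid, []).append(
                f"outbound connection to {c.raddr}:{c.rport} on an uncommon port")
    return out


def triage(procs: list[Proc], conns: list[Conn]) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for every process with at least one finding."""
    net = connection_findings(conns)
    results = {}
    for p in procs:
        reasons = process_findings(p) + net.get(p.pid, [])
        if reasons:
            results[p.pid] = reasons
    return results


def read_procs() -> list[Proc]:
    """Build Proc records from a live /proc; processes that exit mid-scan are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            cmdline = open(f"/proc/{pid}/cmdline", "rb").read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        procs.append(Proc(pid, comm, exe, cmdline))
    return procs


# Constructed snapshot: four ordinary router daemons and one deleted-binary implant.
SAMPLE_PROCS = [
    Proc(1, "init", "/sbin/init", "/sbin/init"),
    Proc(412, "dnsmasq", "/usr/sbin/dnsmasq", "dnsmasq -C /etc/dnsmasq.conf"),
    Proc(903, "hostapd", "/usr/sbin/hostapd", "hostapd /var/run/hostapd.conf"),
    Proc(2771, "x9k2r7pq4", "/tmp/x9k2r7pq4 (deleted)", "/tmp/x9k2r7pq4"),
    Proc(3020, "ntpd", "/usr/sbin/ntpd", "ntpd -p pool.ntp.org"),
]
SAMPLE_CONNS = [
    Conn(412, "ESTABLISHED", "203.0.113.5", 53),
    Conn(2771, "ESTABLISHED", "198.51.100.77", 45921),
    Conn(3020, "ESTABLISHED", "192.0.2.10", 123),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(pid, *reasons, sep="\n  ")
```

On a real device, replace SAMPLE_PROCS with read_procs() and build Conn records from /proc/net/tcp (mapping inode to pid via /proc/<pid>/fd). None of these heuristics is proof of compromise on its own; the value is in the combination, which is why the script reports every reason rather than a single verdict.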
The choice of SOHO devices for the botnet offers several advantages. Jasson Casey, CEO of Beyond Identity, notes that residential devices are effective for hiding malicious traffic because they’re often not securely configured or regularly updated. They also tend to be ignored by home administrators, making them less likely to be monitored for compromises. Additionally, the high bandwidth of SOHO devices means that botnet activities typically go unnoticed by average users.
The Lumen researchers also identified benefits like the prevalence of end-of-life devices still in use, which no longer receive patches and are therefore easier to compromise, and the ability to bypass geofencing restrictions, since traffic relayed through a residential device appears to originate from an ordinary local address.
While the KV-Botnet binary doesn’t inherently spread further infections within LANs, it allows attackers to deploy a reverse shell on infected devices for executing arbitrary commands or retrieving additional malware for LAN attacks. Casey emphasizes that these devices are attractive for threat actors due to their ease of compromise, difficulty in filtering against, and low likelihood of monitoring or investigation.