Resurgence of KV Botnet Linked to Chinese State Actors

Severity: High (Score: 75.8)

Sources: www.lumen.com, Theregister

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: chinese, data, botnet, dont, call, comeback, agents

Severity indicators: ot, botnet

Summary

Chinese operatives have revived the KV-botnet, a covert data transfer network previously dismantled by the FBI in January 2024. The botnet, which primarily exploits vulnerable routers and IoT devices, has seen a resurgence with over 1,500 compromised devices, particularly in the JDY cluster used for reconnaissance. This activity follows a significant drop in operations after the FBI's takedown, indicating a shift in tactics by the threat actors. The botnet's resurgence is coupled with attempts to influence public opinion on AI datacenter construction, although these efforts have largely failed. The U.S. military and critical infrastructure sectors remain primary targets of this renewed activity. Lumen Technologies has reported ongoing monitoring and analysis of these developments, emphasizing the need for heightened vigilance against such state-sponsored cyber threats.

Key Points:

  • KV-botnet, linked to Chinese state actors, has resurfaced with over 1,500 compromised devices.
  • The JDY cluster, used for reconnaissance, remains active despite previous takedown efforts.
  • Chinese operatives are also attempting to influence public opinion on AI datacenters.

Detailed Analysis

**Impact**

The botnet resurgence primarily affects U.S. critical infrastructure, with a focus on military and associated sectors. Approximately 1,500 routers and IoT devices remain compromised in the JDY cluster, while the KV cluster targeted 2,100 NetGear ProSAFE devices during re-exploitation efforts in December 2023. The threat actors aim to conduct espionage, covert data transfer, and reconnaissance, posing risks to operational continuity and sensitive data integrity across government and private networks.

**Technical Details**

The attack leveraged vulnerabilities in end-of-life SOHO routers and firewalls, particularly NetGear ProSAFE devices, to establish covert command and control (C2) networks. The KV cluster functioned as a data transfer network, while the JDY cluster conducted scanning and reconnaissance. The FBI's court-authorized takedown in December 2023 disrupted the KV cluster, but JDY remains active. Threat actors rapidly operationalize reconnaissance following public vulnerability disclosures. Specific CVEs or IOCs were not detailed in the articles.

**Recommended Response**

Apply all relevant patches and firmware updates to SOHO routers and firewall devices, especially NetGear ProSAFE models. Deploy network monitoring to detect unusual scanning and C2 communication patterns consistent with JDY and KV cluster behaviors. Implement CISA and NCSC guidance for defending against China-nexus APT activity. Monitor for newly disclosed vulnerabilities and apply mitigations promptly. No specific IOCs were provided for direct blocking.

Source articles (2)

  • Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate — Theregister · 2026-06-11
    Multiple reports indicate that Chinese operatives continue using every tech tool at their disposal – including American AI – to amass data on and manipulate everyone from security-clearance holders to…
  • Kv Botnet Dont Call Comeback — www.lumen.com · 2026-06-11
    On December 13, 2023, Black Lotus Labs reported our findings on the KV-botnet, a covert data transfer network used by state- actors based in China to conduct espionage and intelligence activities tar…

Timeline

  • 2023-12-06 — FBI initiates takedown of KV-botnet: The FBI conducted a court-authorized operation against the KV-botnet, targeting its command and control structure.
  • 2024-01-01 — KV-botnet officially declared dismantled: The FBI announced the successful takedown of the KV-botnet, which had been used for espionage against U.S. critical infrastructure.
  • 2024-01-10 — KV-botnet operators attempt to rebuild: Reports indicated that operators were trying to re-establish the KV-botnet's infrastructure shortly after the takedown.
  • 2026-06-11 — Lumen reports resurgence of KV-botnet: Lumen's Black Lotus Labs reported a significant resurgence of the KV-botnet, with over 1,500 compromised devices active in reconnaissance.
  • 2026-06-11 — Chinese influence operations using AI reported: OpenAI reported banning accounts likely from China using its AI for covert operations related to public opinion on AI datacenters.

Related entities

  • Volt Typhoon (Apt Group)
  • Botnet (Attack Type)
  • Malware (Attack Type)
  • CISA (Company)
  • Department of Justice (Company)
  • NCSC (Company)
  • OpenAI (Company)
  • X (Company)
  • China (Country)
  • Government (Industry)
  • KV-botnet (Malware)
  • T1046 - Network Service Discovery (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • Axis IP Cameras (Platform)
  • Cisco Rv320/325 (Platform)
  • DrayTek Vigor Routers (Platform)
  • NetGear ProSAFE (Platform)
  • ChatGPT (Platform)