Threat Intelligence

Dismantled Volt Typhoon botnet's restoration underway

Numerous Cisco and Netgear routers have been compromised since September by Volt Typhoon, a Chinese state-backed cyberespionage operation, as part of efforts to reconstruct its KV-Botnet malware, which had been unsuccessfully revived after being disrupted by the FBI in January, BleepingComputer reports.

Volt Typhoon sought to rebuild KV-Botnet, also known as JDYFJ Botnet, through attacks deploying MIPS-based malware and web shells against primarily Asia-based Cisco RV320/325 and Netgear ProSafe series devices; nearly 30% of all online Cisco devices were breached in a little over a month, according to an analysis by SecurityScorecard's STRIKE Team researchers. Malicious activity has been concealed through traffic routing, and the botnet's network has been bolstered by command servers hosted on Digital Ocean, Vultr, and Quadranet.

"We don't know specifically what weakness or flaw is being exploited. However, with the devices being end-of-life, updates are no longer provided," said the researchers, who warned that the activity signals Volt Typhoon's imminent global operations.
