Cyber Resilience


KV Botnet Activity · C0035 · state

🇨🇳 CN · PLA

aka KV Botnet Activity

Run by Volt Typhoon

Last updated: 2026-07-03

1 attributed CVEs
28 ATT&CK techniques
4.3 IDF score (tooling uniqueness)
1 exclusive CVEs
years active

About this actor

[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. [KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) was used by [Volt Typhoon](https://attack.mitre.org/groups/G1017) to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.(Citation: Lumen KVBotnet 2023) This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.(Citation: DOJ KVBotnet 2024)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2022-27997 | 0.0 | 0.0 | 0.0000 | | see CVE |

Mitigating controls (NIST 800-53)

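| Control | Techniques covered | Coverage |
|---|---|---|
| CM-6 | 13 / 28 | 46% |
| SI-4 | 13 / 28 | 46% |
| AC-3 | 11 / 28 | 39% |
| CA-7 | 11 / 28 | 39% |
| SI-3 | 11 / 28 | 39% |
| AC-6 | 10 / 28 | 36% |
| CM-2 | 10 / 28 | 36% |
| AC-2 | 9 / 28 | 32% |
| SI-7 | 8 / 28 | 29% |
| CM-7 | 7 / 28 | 25% |
| AC-5 | 6 / 28 | 21% |
| SC-7 | 6 / 28 | 21% |
| CM-5 | 5 / 28 | 18% |
| IA-2 | 5 / 28 | 18% |
| AC-4 | 4 / 28 | 14% |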

Co-occurring actors

None.
