KV Botnet Activity · C0035 · state
🇨🇳 CN · PLA
aka KV Botnet Activity
Run by Volt Typhoon
Last updated: 2026-07-03
About this actor
[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. [KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) was used by [Volt Typhoon](https://attack.mitre.org/groups/G1017) to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster. (Citation: Lumen KVBotnet 2023) This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024. (Citation: DOJ KVBotnet 2024)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2022-27997 | 0.0 | 0.0 | 0.0000 | see CVE |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| CM-6 | 13 / 28 | 46% |
| SI-4 | 13 / 28 | 46% |
| AC-3 | 11 / 28 | 39% |
| CA-7 | 11 / 28 | 39% |
| SI-3 | 11 / 28 | 39% |
| AC-6 | 10 / 28 | 36% |
| CM-2 | 10 / 28 | 36% |
| AC-2 | 9 / 28 | 32% |
| SI-7 | 8 / 28 | 29% |
| CM-7 | 7 / 28 | 25% |
| AC-5 | 6 / 28 | 21% |
| SC-7 | 6 / 28 | 21% |
| CM-5 | 5 / 28 | 18% |
| IA-2 | 5 / 28 | 18% |
| AC-4 | 4 / 28 | 14% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- Rocke 0.26
- RedPenguin 0.25
- Play 0.21
- Tropic Trooper 0.20
- FLORAHOX Activity 0.19
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00