Routers Roasting on an Open Firewall: The KV-botnet Investigation


Published on Dec 16, 2023   —   2 min read

In today's interconnected world, the threat of cyber attacks is ever-present. A recent investigation by Black Lotus Labs at Lumen Technologies into the KV-botnet offers a stark reminder of this reality. This blog post delves into the details of the KV-botnet, a sophisticated malware campaign targeting small office/home office (SOHO) routers, and its implications for cybersecurity.

The Emergence of KV-botnet

The KV-botnet, active since at least February 2022, represents a covert data transfer network designed for advanced threat actors. It operates through two distinct logical clusters and features a complex infection process coupled with a well-concealed command-and-control (C2) framework. This botnet has specifically targeted devices at the network's edge, a vulnerability exacerbated by the recent shift to remote work.

The Technical Intricacies

The KV-botnet is divided into two clusters: the KV and JDY clusters. The KV component primarily consists of end-of-life products used by small businesses and home office users, evolving in its target devices from Cisco RV320s and DrayTek Vigor routers to NETGEAR ProSAFE devices and, most recently, Axis IP cameras.

The JDY cluster, on the other hand, exclusively comprises Cisco RV320 and RV325 routers. This cluster implemented less sophisticated techniques and was identified to average around 800 bots per month globally, peaking in September 2022.

The Malware's Modus Operandi

The malware initiates its infection process by running a bash script ( that removes existing security programs and other malware to avoid cohabitation on the device. It then proceeds through a multi-phase process, including downloading and installing files specific to the host machine's architecture. This process demonstrates the malware authors' meticulous approach to maintaining control over the infected devices.

Global Telemetry and Botnet Management

Lumen's global telemetry has played a crucial role in identifying and tracking the KV-botnet's activities. Their analysis revealed distinct functions performed by various Virtual Private Server (VPS) infrastructures in the botnet's management. This included upstream nodes, callback servers, payload servers, and router proxy servers.

Evolution and Operational Tactics

The KV-botnet has shown a capacity for evolution and adaptation. Its operational tactics have included using NETGEAR ProSAFE firewalls as relay nodes, targeting various organizations, and continuously rotating its infrastructure to avoid detection. Notably, the botnet's activities have been linked to the Volt Typhoon, a state-sponsored actor focusing on espionage and information gathering.


The KV-botnet investigation underscores the importance of robust cybersecurity measures, especially for SOHO devices often overlooked in the broader security landscape. As cyber threats continue to evolve, staying vigilant and adapting to these changing tactics will be crucial for safeguarding digital assets and infrastructure.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.