Chinese hackers Volt Typhoon are back, and rebuilding their botnet to target new victims


  • Volt Typhoon is rapidly rebuilding its botnet of legacy routers
  • Traffic is being obscured through webshells and MIPS-based malware
  • Critical infrastructure needs to upgrade away from EOL devices

US allies and authorities recently dismantled parts of a network of legacy routers in small offices and home offices (SOHO) infected with the KV Botnet malware, used by the notorious Volt Typhoon group to target US critical infrastructure.

However, a huge new botnet targeting the same vulnerable legacy edge devices within critical infrastructure is rapidly growing, and SecurityScorecard’s STRIKE Team thinks it is Volt Typhoon emerging from the ashes.

‘End-of-life’ (EOL) devices, those for which manufacturer support has ended, are again the main targets for this growing network.

SOHO and EOL devices

This time, Volt Typhoon has adapted to obscure its traffic more effectively using a number of tactics. By using SOHO and EOL devices, Volt Typhoon can maintain persistence within legacy routers without fear of security updates that could potentially boot them from their infrastructure. The group has also been spotted using MIPS-based malware to hide its connections and communications through port forwarding on port 8433.

Webshells are also being implanted into routers to maintain remote control, and they disguise malicious traffic inside the router's standard network operations. Many of these devices have been detected on the Pacific island of New Caledonia, acting as a transfer point for traffic coming from Volt Typhoon in the Asia-Pacific region heading into the US, and vice versa.

The prime targets of Volt Typhoon’s activities are Cisco RV320/325 and Netgear ProSafe routers. Software maintenance releases and bug fixes for the Cisco RV320/325 ended in 2021, with STRIKE Team highlighting that Volt Typhoon compromised 30% of visible Cisco RV320/325 routers in just 37 days, with government and critical infrastructure being prime targets.

STRIKE Team recommends that government departments should address weaknesses such as the use of legacy devices within critical infrastructure to reduce the number of potential vulnerabilities and access points for cyber criminal organizations and state-sponsored groups.
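The two observables the article gives defenders, EOL SOHO router models (Cisco RV320/325, Netgear ProSafe) and router traffic forwarded over port 8433, can be hunted for in an asset inventory and flow logs. The script below is an added example, not code from the article or from SecurityScorecard; the flow-log format, the IP addresses and the inventory are constructed for illustration.

```python
"""Hunt for EOL SOHO routers and router flows on port 8433 (constructed sample data)."""
import re

# Model tags from the article; matching them against inventory strings is an assumption.
EOL_MODELS = {"RV320", "RV325", "PROSAFE"}
SUSPECT_PORT = 8433  # port-forwarding channel the article attributes to the MIPS implant

# Constructed asset inventory: router IP -> (vendor, model)
INVENTORY = {
    "192.0.2.10": ("Cisco", "RV320"),
    "192.0.2.11": ("Netgear", "ProSafe FVS336G"),
    "192.0.2.20": ("Ubiquiti", "EdgeRouter X"),
}

# Constructed flow log lines in an assumed "timestamp src dst dport bytes" format
SAMPLE_FLOWS = """\
2024-11-12T08:00:01Z 192.0.2.10 198.51.100.5 8433 5120
2024-11-12T08:00:02Z 192.0.2.20 198.51.100.9 443 2048
2024-11-12T08:00:03Z 203.0.113.7 192.0.2.11 8433 900
2024-11-12T08:00:04Z 192.0.2.10 198.51.100.5 443 300
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def is_eol(model: str) -> bool:
    """True if the model string carries one of the EOL tags (case/space insensitive)."""
    normalized = model.upper().replace(" ", "")
    return any(tag in normalized for tag in EOL_MODELS)


def eol_devices(inventory=INVENTORY):
    """Router IPs whose model is end-of-life and should be replaced."""
    return sorted(ip for ip, (_, model) in inventory.items() if is_eol(model))


def suspicious_flows(log_text: str, inventory=INVENTORY, port=SUSPECT_PORT):
    """Flows on the suspect port where either endpoint is a managed router."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m.group(4)) != port:
            continue
        ts, src, dst = m.group(1), m.group(2), m.group(3)
        router = src if src in inventory else dst if dst in inventory else None
        if router is None:
            continue
        _, model = inventory[router]
        peer = dst if router == src else src
        hits.append({"ts": ts, "router": router, "model": model,
                     "peer": peer, "eol": is_eol(model)})
    return hits
```

Flows to the suspect port that touch an EOL router are the highest-priority findings; in production the inventory and log parser would be replaced by the organisation's own CMDB and flow collector.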


Benedict Collins
Staff Writer (Security)

