Botnet’s back, tell a friend. [Research Saturday]
Jul 5, 2025
Silas Cutler, Principal Security Researcher at Censys, dives into the elusive Volt Typhoon threat group in this discussion. He reveals how recent FBI disruptions targeted the KV Botnet yet left its control infrastructure largely intact. The conversation uncovers the botnet's surprising resilience, with shifts in control servers hinting at adaptive strategies. Cutler emphasizes the challenges in attributing cyber threats and the importance of collaborative cybersecurity efforts to tackle nation-state actors and safeguard critical systems.
Distinct Operational Roles
- Volt Typhoon appears to have distinct operational roles, with separate teams for the botnet infrastructure and hands-on attacks.
- This separation may explain their unusual lack of changes after FBI disruption efforts.
No Changes Post-FBI Disruption
- After the FBI disruption, Volt Typhoon unusually did not change the SSL certificates used by their malware infrastructure.
- This suggests a deliberate choice, possibly due to contract terms that restrict changes in order to maintain non-attribution.
Track Infrastructure via SSL Certificates
- Monitor SSL certificates and internet fingerprints to track threat actor infrastructure changes.
- Use continuous internet scanning to identify shifts in control servers as indicators of botnet adaptation.
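A defender-side check of the kind described above, as an added example (not code from the podcast or from Censys): it compares two constructed scan snapshots keyed by certificate SHA-256 fingerprint and reports where a tracked certificate moved between hosts, and where a known host rotated to a different certificate. Host addresses and certificate bodies are constructed placeholders.

```python
"""Track control infrastructure across scans by TLS certificate fingerprint.

Added example, not from the podcast or Censys. Two constructed scan
snapshots (host -> certificate bytes) stand in for consecutive internet
scans; in practice the bytes would be the DER leaf certificate a scanner
observed on that host and port.
"""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample data: placeholder cert bodies so the example runs offline.
SCAN_DAY1: Dict[str, bytes] = {
    "198.51.100.10:8443": b"CERT-A",
    "198.51.100.11:8443": b"CERT-A",
    "203.0.113.5:443": b"CERT-B",
}
SCAN_DAY2: Dict[str, bytes] = {
    "198.51.100.10:8443": b"CERT-A",   # unchanged
    "192.0.2.77:8443": b"CERT-A",      # new host, same cert: control server shifted
    "203.0.113.5:443": b"CERT-C",      # same host, cert rotated
}


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the certificate bytes, the form scanners usually report."""
    return hashlib.sha256(cert_der).hexdigest()


def hosts_by_fingerprint(scan: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Invert a scan snapshot into fingerprint -> set of hosts presenting it."""
    index: Dict[str, Set[str]] = {}
    for host, cert in scan.items():
        index.setdefault(fingerprint(cert), set()).add(host)
    return index


def diff_tracked(old: Dict[str, bytes], new: Dict[str, bytes],
                 tracked_fp: str) -> Tuple[List[str], List[str], List[str]]:
    """Hosts that newly present, dropped, or kept a tracked fingerprint."""
    before = hosts_by_fingerprint(old).get(tracked_fp, set())
    after = hosts_by_fingerprint(new).get(tracked_fp, set())
    return sorted(after - before), sorted(before - after), sorted(before & after)


def cert_rotations(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Hosts seen in both scans whose certificate fingerprint changed."""
    return {h: (fingerprint(old[h]), fingerprint(new[h]))
            for h in old.keys() & new.keys() if old[h] != new[h]}


TRACKED = fingerprint(b"CERT-A")  # the certificate the actor did not rotate
```

Run across every scan pair, a host appearing in the "added" list while the tracked fingerprint persists is the control-server shift the snip describes.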