CyberWire Daily

Botnet’s back, tell a friend. [Research Saturday]

Mar 8, 2025
Silas Cutler, Principal Security Researcher at Censys, dives into the enigmatic Volt Typhoon and its botnet, KV. He explains how the FBI's efforts disrupted infected systems without affecting the control infrastructure, suggesting a stealthy operator behind the scenes. Analysis reveals shifts in the botnet’s control servers in response to law enforcement. The conversation also tackles the challenges of attributing cyber threats, the strategic use of U.S. hosting for disguise, and the surprising links between patent databases and cybersecurity vulnerabilities.
INSIGHT

Potential Separate Actors

  • The KD.net activity may be a different actor or one supporting Volt Typhoon.
  • This suggests distinct operators for different attack stages.
INSIGHT

Volt Typhoon Tradecraft

  • Volt Typhoon, believed to be Chinese, uses unique tradecraft.
  • They utilize living-off-the-land techniques, especially in Guam, according to a Microsoft report.
INSIGHT

Unchanged Certificate

  • Volt Typhoon uses a distinct SSL certificate for its first-stage malware.
  • Despite FBI disruption, this certificate remained unchanged, raising questions.