Will the Real Volt Typhoon Please Stand Up?

Jan. 17, 2025, 5:54 p.m.

Description

This analysis tracks the evolution of the KV Botnet, attributed to the Volt Typhoon threat group, after the FBI disruption of December 2023. Despite the sophistication attributed to the group, the botnet's infrastructure remained largely consistent after the disruption, changing only its hosting providers. The JDY cluster, which targets Cisco routers, showed renewed activity, with new control servers presenting a certificate containing the string 'jdyfj'; three currently active hosts using that certificate were identified. The contrast between Volt Typhoon's carefully chosen targets and the botnet's simple evasion tactics raises questions about the relationship between the two. The analysis suggests the KV Botnet may be operated by an entity other than Volt Typhoon, underscoring how difficult attribution of this activity is.

Date

  • Created: Jan. 17, 2025, 5:26 p.m.
  • Published: Jan. 17, 2025, 5:26 p.m.
  • Modified: Jan. 17, 2025, 5:54 p.m.

Indicators

  • 172.233.211.226
  • 2.58.15.30
  • 66.85.27.190
  • 144.202.49.189
  • 108.61.132.157
  • 174.138.56.21
  • 159.203.113.25
  • 45.63.60.39
  • 45.32.174.131

Attack Patterns

  • KV Botnet
  • Volt Typhoon
  • T1011 (Exfiltration Over Other Network Medium)
  • T1071 (Application Layer Protocol)
  • T1102 (Web Service)
  • T1020 (Automated Exfiltration)
  • T1584 (Compromise Infrastructure)
  • T1133 (External Remote Services)

Additional Information

  • United States of America