US government disrupts Chinese botnet containing hundreds of end-of-life Cisco and Netgear routers

The US government has succeeded in disrupting a botnet created by known Chinese threat actor Volt Typhoon that had paved the way for cyber attacks on critical national infrastructure (CNI) organisations across America and other countries.

A security alert published by the US Office of Public Affairs confirmed Volt Typhoon, a hacking group sponsored by the People’s Republic of China (PRC), had hijacked hundreds of Cisco and Netgear-branded small-office/home office routers across the US to create the botnet.

The routers were infected with the KV Botnet malware, which the alert stated, enabled the PRC to conceal itself as the source of follow-on hacks against CNI organisations operated in the US and in overseas countries.

In May 2025, the UK National Cyber Security Centre (NCSC) was among several international intelligence agencies that issued guidance, warning CNI operators to take preventative action to stop the Volt Typhoon hackers from accessing and hiding on their systems.

“The vast majority of routers that comprised the KV Botnet were Cisco and Netgear routers that were vulnerable because they had reached ‘end of life’ status… [and] were no longer supported through their manufacturer’s security patches or other software updates,” the US government security alert stated.

The takedown is the result of a US court-authorised operation to delete the malware from the affected routers, which was green lit in December 2023. The court’s intervention also resulted in additional steps being taken to block other devices from communicating with the botnet too.

“Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors,” said FBI director, Christopher Wray.

“Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”

Attorney general Merrick Garland said the action is a show of the Justice Department’s commitment to taking a proactive approach to protecting the nation’s CNI.

“The United States will continue to dismantle malicious cyber operations, including those sponsored by foreign governments – that undermine the security of the American people,” Garland continued.

Deputy attorney general Lisa Monaco said its decision to wipe the botnet from hundreds of routers nationwide was evidence of how the Department of Justice is “using all its tools to disrupt national security threats in real-time”.

She added: “[It] also highlights our critical partnership with the private sector – victim reporting is key to fighting cyber crime, from home offices to our most critical infrastructure.”

Sandra Joyce, vice-president of intelligence at Google-owned cyber threat intelligence company Mandiant, said Volt Typhoon’s methods mean its activity can be very difficult to detect

“They are making use of compromised systems to blend in with normal network activity and constantly change the source of their activity,” said Joyce. “They are even withholding the use of malware that may trip alarms and give us something to solid to scan for. Activity like this is extremely challenging to track, but not impossible.”