Concise Cyber


Chinese APT Volt Typhoon Infects Routers to Hijack Software Updates

A Chinese state-sponsored advanced persistent threat (APT) group, identified as Volt Typhoon, has compromised end-of-life (EoL) routers to create a covert network for launching cyberattacks. The operation involved hijacking legitimate software update processes to deliver malware to targeted organizations.

The threat actor specifically targeted small office/home office (SOHO) routers from manufacturers including Cisco, Netgear and Asus that no longer received security patches. The compromised devices were enrolled in a botnet known as the KV-botnet, which served as covert command-and-control (C2) infrastructure.

Hijacking Updates via Compromised Infrastructure

Researchers at Black Lotus Labs (Lumen) found that Volt Typhoon used the KV-botnet to sit on the path of its targets' network traffic. The compromised routers watched for DNS lookups of the hostname that a security camera management software suite queries when it checks for updates. When a targeted system performed that check, the router answered the lookup itself instead of letting it reach the legitimate resolver and update server, steering the update download to attacker-controlled infrastructure that served a malicious payload disguised as the update.
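An added example, not code from the article or from the Black Lotus Labs report: a small Python detection that scans resolver logs for answers to an update-check hostname that point outside the vendor's address space, inside the LAN (the router itself serving the payload), or disagree with an answer obtained over an independent resolver path. The hostname, vendor address range, reference answers and log lines are all constructed placeholders, not the real software's infrastructure.

```python
"""Flag DNS answers for a software-update hostname that point somewhere the
vendor does not own.  Added example for this article, not code from the
report it summarises; hostnames, ranges and log lines are constructed."""
import ipaddress

# Assumption: the update-check hostname and the vendor's published address
# range are placeholders (RFC 2606 / RFC 5737 values), not real infrastructure.
WATCHED_HOSTS = {
    "updates.camera-vendor.example": [ipaddress.ip_network("203.0.113.0/24")],
}

# Assumption: answers for the same names obtained over an independent path
# (e.g. DNS over HTTPS to a public resolver from a host outside the SOHO
# network), so an on-path router answering the query shows up as disagreement.
REFERENCE_ANSWERS = {
    "updates.camera-vendor.example": {"203.0.113.10", "203.0.113.11"},
}

# RFC 1918 space: an update hostname resolving here means the payload is being
# served from inside the LAN, typically by the router that answered the query.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver log, one answer per line:
# <timestamp> <client> <qname> <qtype> <rdata> ttl=<seconds>
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.0.5.17 updates.camera-vendor.example A 203.0.113.10 ttl=300
2024-03-01T08:00:02Z 10.0.5.17 www.example.com A 93.184.216.34 ttl=3600
2024-03-01T09:15:44Z 10.0.5.17 updates.camera-vendor.example A 198.51.100.77 ttl=60
2024-03-01T09:20:10Z 10.0.5.22 updates.camera-vendor.example A 192.168.1.1 ttl=5
2024-03-01T09:21:00Z 10.0.5.22 updates.camera-vendor.example. A 203.0.113.90 ttl=300
"""


def parse_line(line):
    """Return a dict for an A-record answer line, or None for anything else."""
    try:
        ts, client, qname, qtype, rdata, ttl = line.split()
        if qtype != "A":
            return None
        return {
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),   # normalise trailing dot/case
            "ip": ipaddress.ip_address(rdata),
            "ttl": int(ttl.split("=", 1)[1]),
        }
    except (ValueError, IndexError):
        return None  # malformed line or unparseable address


def classify(rec):
    """Reason an answer looks hijacked, or None if it is unremarkable."""
    ranges = WATCHED_HOSTS.get(rec["qname"])
    if ranges is None:
        return None  # not an update hostname we watch
    ip = rec["ip"]
    if any(ip in lan for lan in LAN_RANGES):
        return "lan_address"
    if not any(ip in r for r in ranges):
        return "outside_vendor_ranges"
    expected = REFERENCE_ANSWERS.get(rec["qname"])
    if expected is not None and str(ip) not in expected:
        return "differs_from_reference"
    return None


def find_hijacked_answers(log_text):
    """Scan a log and return (timestamp, client, qname, answer, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append((rec["ts"], rec["client"], rec["qname"],
                             str(rec["ip"]), reason))
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_answers(SAMPLE_LOG):
        print("suspect update-host answer:", *finding)
```

To use it on real data, adapt parse_line to the resolver or Zeek dns.log layout and replace the placeholder ranges with the vendor's published ones. Detection of this kind only catches the symptom: an update client that verifies a vendor signature on what it downloads refuses a substituted payload regardless of where DNS pointed it.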

Gh0st RAT Payload and Attribution

The payload delivered through this update hijack was a variant of the well-known Gh0st Remote Access Trojan (RAT). Deploying Gh0st RAT gave the attackers initial access to the victim's network, from which they could carry out follow-on activity such as data exfiltration. At least one US-based company was confirmed to have been targeted by the campaign. Black Lotus Labs attributed the activity to Volt Typhoon because the tactics, techniques and procedures (TTPs) and the infrastructure overlapped with the group's earlier campaigns.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We strive to quote the relevant sources. The intent is only to summarise, in our own words, what has already been reported in public forums, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You are advised to do your own checks before making any decision, and the owners and publishers at cyberconcise.com cannot be held accountable for the resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
