On April 23, 2026, the United Kingdom’s National Cyber Security Centre (NCSC), in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and 13 other international partners, issued a high-priority technical advisory (AA26-113A) regarding a significant escalation in Chinese state-sponsored cyber operations. Speaking at the CyberUK 2026 conference in Glasgow, NCSC Chief Executive Richard Horne described the threat as having an eye-watering level of sophistication, warning that Chinese intelligence agencies have transitioned to using large-scale covert networks of compromised everyday devices to target British firms.
The advisory details a widespread tactical shift by China-nexus actors, including groups identified as Volt Typhoon and Flax Typhoon. These actors are increasingly moving away from individually procured infrastructure toward covert networks, or botnets, composed of small office/home office (SOHO) routers, Internet Protocol (IP) cameras, and network-attached storage (NAS) units. One such network, designated Raptor Train, was found to have infected more than 200,000 devices worldwide and was linked to the Chinese firm Integrity Technology Group. By routing malicious traffic through these residential and small-business devices, attackers can bypass traditional geographic security filters and blend in with legitimate local internet traffic, a technique officials say leads to "indicator of compromise extinction": the source addresses defenders would normally block are ordinary home and small-business connections that change constantly.
Technical data released alongside the advisory highlights the vulnerability of consumer-grade hardware. A 2026 report from Forescout cited in the briefing indicates that routers have become the highest-risk IT category, containing an average of 32 security flaws per device—more than double the average for standard computers. The NCSC noted that the majority of compromised devices are end-of-life (EOL) models from manufacturers such as Cisco and Netgear that no longer receive security patches. Since the beginning of 2026, over 45,000 devices within the United Kingdom have been identified as active nodes in these state-linked botnets.
Paul Chichester, NCSC Director of Operations, stated that these networks are being used to maintain persistent access to critical national infrastructure and to exfiltrate sensitive intellectual property from the aerospace, telecommunications, and energy sectors. The NCSC currently handles an average of four nationally significant cyber incidents per week, with a growing proportion attributed to state-backed actors rather than criminal syndicates. The advisory notes that these covert networks are constantly updated, allowing multiple state actors to share the same compromised infrastructure.
To counter these threats, the joint advisory recommends that organizations implement zero trust controls and mandatory multi-factor authentication (MFA) for all remote access points. Firms are also urged to replace all EOL networking hardware and disable Universal Plug and Play (UPnP) features. For high-risk entities, the NCSC advises actively hunting for suspicious SOHO traffic and using machine learning-based anomaly detection to identify traffic patterns that deviate from established baselines. The report emphasizes that blocking static lists of malicious IP addresses is no longer an effective primary defense against these botnets, since the relay nodes are ordinary residential and small-business devices whose addresses change as the networks are continually updated.