On April 24, 2026, the United Kingdom’s National Cyber Security Centre (NCSC-UK), in coordination with agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, issued a comprehensive security advisory titled Defending Against China-Nexus Covert Networks of Compromised Devices. The advisory warns that Chinese government-linked threat actors have shifted from using individually procured infrastructure to operating massive, dynamic botnets composed of compromised small office/home office (SOHO) routers and Internet of Things (IoT) devices.

The joint report identifies a significant evolution in the tactics, techniques, and procedures (TTPs) of China-nexus actors. These covert networks are being used across all stages of the cyber kill chain, including reconnaissance, malware delivery, command and control (C2), and data exfiltration. By routing traffic through multiple layers of compromised consumer hardware, attackers can mask their origin and blend into legitimate network traffic, rendering traditional static IP blocklists largely ineffective. The agencies noted that these networks are often shared among multiple threat groups and are continuously updated to evade detection.

Specific technical details in the advisory highlight the scale of these operations. One network, identified as Raptor Train, was found to have infected more than 200,000 devices worldwide. This botnet was managed by the Chinese information security firm Integrity Technology Group and has been linked to the threat actor known as Flax Typhoon. The advisory also referenced the KV Botnet, utilized by the group Volt Typhoon, which primarily targeted end-of-life Cisco and Netgear routers. These devices were particularly vulnerable because they no longer received security patches or firmware updates from their manufacturers.

In addition to routers, the compromised infrastructure includes IP cameras, digital video recorders (DVRs), network-attached storage (NAS) servers, and firewalls. The agencies reported that many of these devices were compromised through the exploitation of known vulnerabilities in web management interfaces or the use of weak, default credentials. The advisory emphasizes that these botnets are not only used for espionage but also for pre-positioning capabilities intended to disrupt critical national infrastructure during times of conflict.

To mitigate these risks, the NCSC and its partners recommend that organizations implement multi-factor authentication (MFA) for all remote access and adopt zero-trust security controls. Network defenders are urged to audit their hardware inventory for end-of-life devices and replace them with secure-by-design alternatives. For high-risk entities, the advisory suggests active threat hunting, the analysis of NetFlow data to identify anomalous traffic patterns, and the integration of dynamic threat intelligence feeds to maintain up-to-date defensive perimeters.
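As an added illustration of the last two recommendations (not code from the advisory or any of the agencies), the script below runs two checks over constructed NetFlow-style records: matching destinations against a threat-intelligence feed whose indicators expire, so that rotated relay addresses age out instead of lingering on a static blocklist, and flagging internal hosts that contact several different consumer-ISP addresses at a steady cadence, a pattern that survives relay rotation because it keys on behaviour rather than on any single IP. The flow records, the consumer prefixes, the feed contents and the `NOW` timestamp are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records: (start time, src, dst, dst port, bytes).
# 10.1.5.20 talks to four different consumer-ISP addresses roughly every five
# minutes; 10.1.5.31 is ordinary web traffic used as a negative case.
FLOWS = [
    ("2026-04-24T10:00:00", "10.1.5.20", "198.51.100.14", 443, 1200),
    ("2026-04-24T10:02:00", "10.1.5.31", "93.184.216.34", 443, 52000),
    ("2026-04-24T10:05:02", "10.1.5.20", "198.51.100.77", 443, 1190),
    ("2026-04-24T10:10:01", "10.1.5.20", "203.0.113.9", 443, 1210),
    ("2026-04-24T10:15:00", "10.1.5.20", "203.0.113.41", 443, 1205),
]
# Constructed stand-in for an ASN lookup: prefixes belonging to residential ISPs.
CONSUMER_PREFIXES = ("198.51.100.", "203.0.113.")
# Constructed dynamic feed: indicator -> expiry. One entry has already lapsed.
FEED = {"198.51.100.14": datetime(2026, 4, 25), "192.0.2.200": datetime(2026, 4, 1)}
NOW = datetime(2026, 4, 24, 10, 30)  # assumed evaluation time

def active_indicators(feed, now):
    """Indicators still inside their validity window; expired relay IPs drop out."""
    return {ip for ip, expiry in feed.items() if expiry > now}

def feed_hits(flows, feed, now):
    """(src, dst) pairs whose destination is a currently active indicator."""
    active = active_indicators(feed, now)
    return [(src, dst) for _, src, dst, _, _ in flows if dst in active]

def relay_beacon_candidates(flows, min_dests=3, max_jitter=timedelta(seconds=30)):
    """Internal hosts with a regular cadence of connections to several distinct
    consumer-ISP addresses. Returns {src: sorted list of those destinations}."""
    by_src = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if dst.startswith(CONSUMER_PREFIXES):
            by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        dests = {dst for _, dst in events}
        if len(dests) < min_dests:
            continue  # too few relays seen to call it a rotating pattern
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        if max(gaps) - min(gaps) <= max_jitter:  # near-constant interval
            flagged[src] = sorted(dests)
    return flagged

if __name__ == "__main__":
    print("active feed hits:", feed_hits(FLOWS, FEED, NOW))
    print("relay beacon candidates:", relay_beacon_candidates(FLOWS))
```

In practice the prefix tuple would be replaced by an ASN or geolocation lookup and the feed by one that is refreshed on a schedule; the two checks are complementary, since the feed catches known relays and the cadence check catches ones the feed has not seen yet.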