On April 24, 2026, a coalition of global cybersecurity agencies, led by the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), issued a high-priority joint advisory regarding the proliferation of covert networks operated by Chinese state-sponsored actors. The report, titled "Defending Against China-Nexus Covert Networks of Compromised Devices," details a fundamental shift in the tactics, techniques, and procedures (TTPs) used for cyber espionage. Agencies from ten countries—including the FBI, NSA, and partners from Australia, Canada, Germany, Japan, and the Netherlands—warned that these actors are now utilizing massive, externally provisioned botnets to mask offensive operations.
These covert networks are primarily built from compromised Small Office and Home Office (SOHO) routers and Internet of Things (IoT) devices, such as smart cameras, DVRs, and Network Attached Storage (NAS) systems. The advisory notes that routers have become the highest-risk IT devices in 2026, with industry research indicating an average of 32 security flaws per device. By hijacking these unmonitored edge devices, attackers can route malicious traffic through legitimate consumer IP addresses, effectively blending their activities into normal internet traffic and bypassing traditional static defense mechanisms.
A prominent example cited in the advisory is the "Raptor Train" botnet, which has infected more than 200,000 devices globally since its discovery. Managed by the China-based Integrity Technology Group, this network has been linked to the threat actor Flax Typhoon. The agencies also highlighted the "KV Botnet," operated by the group Volt Typhoon, which specifically targeted vulnerable hardware from manufacturers including Cisco and Netgear. These networks are used across the entire "Cyber Kill Chain," from initial reconnaissance and malware delivery to persistent command-and-control and large-scale data exfiltration.
Technical experts warned of "IOC extinction," a phenomenon where indicators of compromise disappear almost as soon as they are identified because these botnets are reshaped so rapidly. Nick Andersen, Acting Director of CISA, stated that this "dynamic, low-cost, deniable infrastructure model" renders traditional IP blocklists ineffective. Paul Chichester, NCSC Director of Operations, emphasized that the shift is a strategic move to avoid attribution and maintain long-term access to critical infrastructure targets.
To counter these evolving threats, the advisory provides specific mitigation strategies for organizations. These include mapping all internet-facing assets, baselining normal traffic patterns for VPN and remote access services, and implementing multifactor authentication (MFA). The agencies also recommend the use of dynamic threat intelligence feeds and zero-trust controls to identify and block connections from compromised SOHO or IoT infrastructure in real time.
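As an added illustration of two of those recommendations (baselining remote-access traffic per user, and treating indicators as time-limited rather than as a static blocklist), the following Python snippet is not from the advisory; the users, addresses, ASN labels, feed entries and VPN log lines are all constructed.

```python
"""Score VPN logins against a per-user baseline and a time-limited indicator feed.
Added example, not part of the advisory. Indicators age out after FEED_TTL, so a
stale IOC (see 'IOC extinction' above) stops firing instead of accumulating."""
from datetime import datetime, timedelta

# Constructed baseline: user -> (country, ASN label) pairs seen over a quiet period.
BASELINE = {
    "alice": {("US", "AS-CORP-ISP")},
    "bob": {("US", "AS-CORP-ISP"), ("DE", "AS-DE-MOBILE")},
}

# Constructed dynamic feed: indicator -> time it was last confirmed active.
FEED_TTL = timedelta(hours=24)
FEED = {
    "203.0.113.77": datetime(2026, 4, 24, 8, 0),  # fresh, still within TTL
    "198.51.100.9": datetime(2026, 4, 20, 8, 0),  # four days old, aged out
}

# Constructed VPN log lines: "<timestamp> <user> <src_ip> <country> <asn>"
VPN_LOG = """\
2026-04-24T09:00:00 alice 203.0.113.77 US AS-CORP-ISP
2026-04-24T09:05:00 bob 198.51.100.9 DE AS-DE-MOBILE
2026-04-24T09:10:00 bob 192.0.2.15 BR AS-BR-RESIDENTIAL
2026-04-24T09:15:00 alice 198.51.100.200 US AS-CORP-ISP
"""


def feed_is_live(ip, now):
    """True only if the indicator exists and was confirmed within FEED_TTL."""
    seen = FEED.get(ip)
    return seen is not None and now - seen <= FEED_TTL


def assess(line, now):
    """Return (user, ip, reasons); an empty reasons list means 'within baseline'."""
    _ts, user, ip, country, asn = line.split()
    reasons = []
    if feed_is_live(ip, now):
        reasons.append("active-indicator")
    if (country, asn) not in BASELINE.get(user, set()):
        reasons.append("off-baseline")
    return user, ip, reasons


def triage(log, now_iso):
    """Assess every non-empty log line at the given ISO-8601 evaluation time."""
    now = datetime.fromisoformat(now_iso)
    return [assess(line, now) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for user, ip, reasons in triage(VPN_LOG, "2026-04-24T09:30:00"):
        print(user, ip, reasons or ["baseline"])
```

The second bob login shows the intended behaviour of a time-limited feed: the stale indicator has expired and the connection matches his baseline, so nothing fires; the third login fires on baseline deviation alone, with no indicator involved.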