On April 24, 2026, a coalition of international cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), issued a joint advisory on a persistent threat from Chinese state-sponsored actors. The advisory describes a sprawling network of compromised Small Office/Home Office (SOHO) routers and Internet of Things (IoT) devices that the actors use as covert infrastructure for espionage and for potential disruptive operations against critical infrastructure.

The technical report identifies the threat actor as a successor to the Volt Typhoon group. According to the agencies, the group had compromised more than 315,000 devices globally as of April 2026. The affected hardware is mostly older, end-of-life models from manufacturers such as Cisco, Netgear, ASUS, and TP-Link; because these devices no longer receive vendor security patches, known vulnerabilities in them stay exploitable indefinitely. The advisory specifically highlights the exploitation of vulnerabilities in firmware versions released between 2022 and 2025, including a critical remote code execution vulnerability, tracked as CVE-2026-1482, that affects several popular consumer router models.

The covert network, referred to in the advisory as Project Hidden Reach, works by installing custom malware that turns consumer-grade hardware into a set of obfuscated proxy nodes. The actors then route malicious traffic through legitimate residential IP addresses, so that traditional perimeter defenses struggle to distinguish state-sponsored data exfiltration from normal user activity. The report notes that the actors employ living off the land (LotL) techniques, using built-in network administration tools and legitimate binaries already present on the device or target host to conduct reconnaissance and move laterally within targeted networks without triggering signature-based antivirus alerts.

FBI Director Christopher Wray stated that the scale of the operation represents a significant shift in Chinese cyber strategy, moving from traditional data theft toward pre-positioning for potential physical disruption during geopolitical crises. The advisory notes that the primary targets include energy grids, water treatment facilities, and transportation hubs in North America, Europe, and the Indo-Pacific region. Technical analysis shows that the malware resides in the volatile memory of the devices. A power cycle therefore clears the implant, but a rebooted device that still runs vulnerable firmware can simply be compromised again, which is why the agencies recommend a full factory reset followed by a firmware update rather than a reboot alone.

The agencies have urged manufacturers to adopt secure-by-design principles, specifically calling for the elimination of default passwords and the implementation of automatic security updates for all SOHO devices. Organizations are advised to monitor for unusual outbound traffic on ports typically used by VPNs and remote management interfaces. The April 24 report concludes that the infrastructure remains active and that the threat actors are continuously scanning for new vulnerabilities to expand their reach.
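As an added example of the monitoring advice above (this code is not from the advisory or the agencies), the script below runs a simple detection over a constructed flow export: it flags connections that originate from the router's own WAN address, go to an external host on a port commonly used by VPNs or remote management, and are not in a known-good baseline. The port list, the CSV column layout, the router address and the baseline entry are all assumptions made for the example; the advisory names the traffic categories, not specific port numbers. Flows from hosts behind the router are deliberately ignored, since a user's own SSH or VPN session is normal while the router itself opening tunnels to unknown hosts is the pattern a proxy node produces.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports to watch. Common VPN / remote-management ports chosen for this example
# (an assumption, not a list taken from the advisory).
WATCH_PORTS = {
    22: "ssh", 23: "telnet", 500: "ike", 1194: "openvpn",
    3389: "rdp", 4500: "ipsec-nat-t", 8443: "https-alt", 51820: "wireguard",
}

# Address space that never counts as "the internet" for this check.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


def parse_flows(text):
    """Parse a minimal CSV flow export (assumed header: ts,src,dst,proto,dport,bytes_out)."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [Flow(r["ts"], r["src"], r["dst"], r["proto"].lower(),
                 int(r["dport"]), int(r["bytes_out"])) for r in rows]


def is_external(addr):
    """True if the address is outside RFC 1918 / CGNAT / loopback / link-local space."""
    ip = ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def find_suspicious(flows, router_ips, baseline):
    """
    One finding per (destination, port) for flows that (1) originate from the
    router itself, (2) target an external host, (3) use a watched port and
    (4) are not an approved (dst, port) pair in the baseline.
    Findings are sorted by bytes sent, largest first.
    """
    grouped = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "first_seen": None})
    for f in flows:
        if f.src not in router_ips or f.dport not in WATCH_PORTS:
            continue
        if not is_external(f.dst) or (f.dst, f.dport) in baseline:
            continue
        g = grouped[(f.dst, f.dport)]
        g["flows"] += 1
        g["bytes_out"] += f.bytes_out
        g["first_seen"] = g["first_seen"] or f.ts
    findings = [{"dst": dst, "dport": port, "service": WATCH_PORTS[port], **g}
                for (dst, port), g in grouped.items()]
    findings.sort(key=lambda x: x["bytes_out"], reverse=True)
    return findings


# Constructed sample data: RFC 5737 documentation addresses, not real hosts.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes_out
2026-04-24T01:02:03Z,203.0.113.10,198.51.100.5,tcp,443,18422
2026-04-24T01:05:10Z,203.0.113.10,198.51.100.200,udp,4500,90211
2026-04-24T02:17:44Z,203.0.113.10,192.0.2.44,udp,1194,2310045
2026-04-24T02:18:01Z,192.168.1.20,192.0.2.44,tcp,22,4410
2026-04-24T02:20:09Z,203.0.113.10,192.168.1.5,tcp,22,1200
2026-04-24T03:41:52Z,203.0.113.10,192.0.2.44,udp,1194,1870330
2026-04-24T03:59:30Z,203.0.113.10,192.0.2.99,tcp,8443,51200
"""
ROUTER_IPS = {"203.0.113.10"}                 # assumed WAN address of the router
BASELINE = {("198.51.100.200", 4500)}         # assumed approved IPsec concentrator

if __name__ == "__main__":
    for hit in find_suspicious(parse_flows(SAMPLE_FLOWS), ROUTER_IPS, BASELINE):
        print(f"{hit['dst']}:{hit['dport']} ({hit['service']}) "
              f"flows={hit['flows']} bytes_out={hit['bytes_out']} first={hit['first_seen']}")
```

Only two destinations survive the filters: the OpenVPN-port tunnel to 192.0.2.44 (two flows, about 4 MB sent) and the single 8443 connection to 192.0.2.99; the approved IPsec peer, the LAN client's own SSH session, the router's SSH to an internal host and the plain HTTPS flow are all dropped. In practice the flow records must come from a point that sees the router's own WAN traffic (a mirror or tap upstream of the router), since a compromised device cannot be trusted to report on itself, and the baseline should be built from a known-clean period before the threshold for alerting is lowered.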