Key Takeaways
- Chinese‑linked threat actors are operating large‑scale, constantly evolving covert networks built from compromised small‑office/home‑office (SOHO) routers, IoT devices, and other edge equipment.
- These networks support every phase of the cyber kill chain—from reconnaissance and malware delivery to command‑and‑control and data exfiltration—providing a cheap, deniable infrastructure that can be rapidly reshaped.
- Multiple actor groups can share the same network simultaneously, and static IP blocklists are ineffective because the underlying endpoints continuously change.
- Real‑world examples such as the Raptor Train botnet (managed by Integrity Technology Group) and the KV Botnet used by Volt Typhoon illustrate how specific Chinese companies and vulnerable end‑of‑life devices are exploited.
- Effective defense requires a combination of basic cyber hygiene, dynamic threat intelligence, network‑edge visibility, multifactor authentication, and, for high‑risk organisations, advanced measures like zero‑trust architectures, active threat hunting, and machine‑learning‑based anomaly detection.
- International collaboration among the UK’s NCSC, CISA, FBI, NSA, and agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden underpins the advisory and provides shared guidance and indicators of compromise.
Overview of the Advisory
The National Cyber Security Centre (NCSC‑UK), together with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and a broad coalition of international partners, issued an advisory titled Defending Against China‑Nexus Covert Networks of Compromised Devices. The document warns that Chinese government‑linked hackers are no longer relying on individually purchased infrastructure; instead, they maintain vast, fluid botnets composed of hijacked SOHO routers, IoT gadgets, and similar edge devices. These covert networks are already in active use, continuously refreshed, and often shared among multiple threat groups, making traditional static defenses inadequate.
Composition of Covert Networks
At the core of these networks lie inexpensive, widely deployed devices that are frequently left unpatched or running outdated firmware. SOHO routers from vendors such as Cisco and NetGear, smart cameras, home assistants, and other edge equipment become entry points once compromised. Because many of these devices reach “end of life” and no longer receive security updates, they remain vulnerable to known exploits that attackers can automate at scale. The advisory emphasizes that the sheer volume and heterogeneity of these devices allow threat actors to build resilient, deniable infrastructures that blend with legitimate traffic.
Operational Use Across the Cyber Kill Chain
The advisory notes that the covert networks support each stage of an attack. During reconnaissance, actors scan the compromised devices to identify promising targets and gather intelligence. For malware delivery, the networks act as jump hosts, allowing payloads to be launched from seemingly benign residential IP addresses. Command‑and‑control (C2) channels are routed through the same devices, obscuring the true origin of malicious traffic. Finally, data exfiltration leverages the distributed nature of the network to slip large volumes of stolen information out under the guise of normal consumer traffic, complicating detection and attribution.
International Collaboration and Contributors
The guidance reflects a multinational effort. Besides NCSC‑UK and CISA, contributors include the Australian Signals Directorate’s Australian Cyber Security Centre, Canada’s Communications Security Establishment and its Canadian Centre for Cyber Security, Germany’s Federal Office for the Protection of the Constitution, Federal Intelligence Service, and Federal Office for Information Security. Additional partners span Japan’s National Cybersecurity Office, the Netherlands’ General Intelligence and Security Service and Defence Intelligence and Security Service, New Zealand’s National Cyber Security Centre, Spain’s National Cryptologic Centre, and Sweden’s National Cyber Security Centre. U.S. representation also involved the Department of Defense Cyber Crime Center, the FBI, and the NSA.
Illustrative Case Studies
The advisory cites concrete examples to illustrate the threat. The Raptor Train botnet, which infected over 200,000 devices worldwide in 2024, was controlled and managed by the Chinese firm Integrity Technology Group—an entity the FBI linked to the Flax Typhoon hacking group. Another case, the KV Botnet used by Volt Typhoon, consisted primarily of vulnerable Cisco and NetGear routers that had reached end‑of‑life status, leaving them without patches. These cases demonstrate how commercial Chinese information‑security firms and outdated hardware can be woven into state‑sponsored cyber operations.
Challenges for Defenders
Defenders face several obstacles. Because the networks constantly refresh—adding newly compromised devices while removing patched or taken‑offline ones—static IP blocklists quickly become obsolete. The sharing of networks among multiple actor groups further muddies attribution, as legitimate user traffic overlaps with malicious routes. Moreover, the low cost and deniability of this model enable threat actors to adapt rapidly to defensive measures, requiring defenders to adopt equally dynamic and responsive strategies.
Baseline Mitigation Steps
The advisory stresses that solid cyber hygiene remains the foundation. Organizations should first map their network edge, inventory all devices that legitimately connect, and establish a baseline of normal activity—especially for services like corporate VPNs—so anomalous connections from consumer broadband ranges can be spotted. Collecting and retaining logs aids in detecting unauthorized access attempts, while implementing multifactor authentication (MFA) on all remote connections significantly reduces the risk of credential‑based compromise. Leveraging dynamic threat intelligence feeds that track emerging covert‑network infrastructure helps organizations stay ahead of evolving threats.
Advanced Defensive Measures
For larger or higher‑risk entities, the guidance recommends tightening access controls through IP address allow‑lists rather than deny‑lists for VPNs, applying geographic filtering, and profiling incoming connections by operating system, time zone, and organization‑specific configurations. Adopting a zero‑trust architecture—where no device or user is trusted by default—adds another layer of protection. Enforcing machine certificates for SSL/TLS connections strengthens authentication, and reducing the internet‑facing footprint of IT systems limits exposure. Machine‑learning techniques can model normal edge‑device behavior and flag deviations, while the NCSC’s Cyber Essentials framework offers a baseline suitable for organisations of all sizes.
Special Guidance for Critical‑Sector Organisations
Organisations delivering essential services—such as energy, healthcare, transport, digital infrastructure, and government—are urged to treat China‑linked covert networks as advanced persistent threats (APTs) in their own right. This involves dedicated tracking and analysis, active threat hunting focused on IP addresses associated with compromised SOHO routers or IoT devices, and mapping identified networks using indicators like service banners and digital certificates. Threat‑intelligence feeds can be used to generate dynamic blocklists and real‑time alerts. NetFlow data offers upstream visibility, helping to uncover new nodes within the covert infrastructure. The NCSC Cyber Assessment Framework provides more comprehensive guidance for those operating under the highest risk levels.
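The baseline and advanced measures above (egress allow‑lists for VPN access, MFA on every remote login, and indicator feeds that must be treated as dynamic because covert‑network nodes churn) can be combined into a single review pass over VPN authentication logs. The script below is an added illustration, not code from the advisory or any of the contributing agencies; the allow‑list CIDRs, the feed entries, the 30‑day indicator lifetime and the log lines are all constructed placeholder values.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed allow-list of known corporate egress ranges (placeholder CIDRs).
ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed feed: indicator -> when it was last reported. Entries older than TTL
# are ignored, because compromised SOHO/IoT nodes churn and a stale IP may by now
# belong to an innocent user; a static blocklist would keep flagging it forever.
FEED = {
    "192.0.2.77": datetime(2024, 6, 1, 9, 0),
    "192.0.2.10": datetime(2024, 3, 1, 9, 0),
}
TTL = timedelta(days=30)
NOW = datetime(2024, 6, 2, 9, 0)  # constructed evaluation time

# Constructed VPN authentication log lines: timestamp user src_ip result mfa
LOG = """\
2024-06-02T08:01:10 alice 203.0.113.45 success mfa=yes
2024-06-02T08:05:32 bob 192.0.2.77 success mfa=yes
2024-06-02T08:07:01 carol 192.0.2.10 success mfa=yes
2024-06-02T08:09:48 dave 198.51.100.200 success mfa=no
2024-06-02T08:11:15 erin 203.0.113.9 failure mfa=no
"""

def fresh_indicators(feed, now, ttl=TTL):
    """Return only the feed entries reported within the TTL window."""
    return {ip for ip, seen in feed.items() if now - seen <= ttl}

def evaluate(log_text, now, allowlist=ALLOWLIST, feed=FEED):
    """Return (user, ip, reasons) for successful logins that deserve review."""
    hot = fresh_indicators(feed, now)
    alerts = []
    for line in log_text.splitlines():
        ts, user, ip, result, mfa = line.split()
        if result != "success":
            continue  # failed attempts stay in the retained logs but are not alerted here
        addr = ipaddress.ip_address(ip)
        reasons = []
        if not any(addr in net for net in allowlist):
            reasons.append("outside egress allow-list")
        if ip in hot:
            reasons.append("matches fresh covert-network indicator")
        if mfa != "mfa=yes":
            reasons.append("no MFA")
        if reasons:
            alerts.append((user, ip, reasons))
    return alerts

if __name__ == "__main__":
    for user, ip, why in evaluate(LOG, NOW):
        print(f"{user:6} {ip:16} {'; '.join(why)}")
```

Note that carol's login from an IP that was once in the feed is flagged only because it falls outside the allow‑list, not because of the stale indicator, which is the behaviour the advisory's warning about obsolete static blocklists calls for.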
Conclusion
The joint advisory makes clear that China‑nexus threat actors have shifted to a scalable, low‑cost model of covert networks built from compromised edge devices. Because these infrastructures are fluid, shared, and able to support every phase of an attack, traditional static defenses are insufficient. Effective protection hinges on maintaining thorough network‑edge visibility, employing dynamic intelligence, enforcing strong authentication, and, for high‑risk environments, embracing advanced tactics such as zero‑trust, threat hunting, and machine‑learning‑driven anomaly detection. By following the layered recommendations outlined by NCSC‑UK, CISA, and their international partners, organisations can substantially reduce their exposure to this persistent and evolving menace.