VYPR
Advisory · Published May 2, 2026 · Updated May 17, 2026 · 1 source

International Coalition Warns of China-Nexus 'Covert Networks' Using Compromised SOHO and IoT Devices

An international coalition of 13 nations has warned that China-nexus threat actors are increasingly leveraging large-scale, covert networks of compromised SOHO and IoT devices to mask their cyber operations and maintain long-term persistence.

A coalition of international cybersecurity agencies, led by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC-UK), has issued a joint advisory warning of a significant shift in tactics by China-nexus cyber actors. These threat actors are increasingly moving away from individually procured infrastructure in favor of large-scale, covert networks of compromised devices to facilitate their operations (CISA).

These covert networks, which function as botnets, primarily consist of compromised Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other smart hardware (CISA). By leveraging these compromised assets, attackers can route their malicious traffic through legitimate-looking infrastructure, effectively disguising the true origin of their activities and complicating attribution efforts (CISA).

According to the advisory, these networks are being used across the entire cyber kill chain. Threat actors utilize them for reconnaissance and scanning, malware delivery, command-and-control (C2) communications, and the exfiltration of stolen data (CISA). Furthermore, these networks provide a low-cost, deniable environment for actors to research new exploitation techniques and conduct general internet browsing without revealing their identity (CISA).

The scale of this threat is significant, with evidence suggesting that multiple covert networks are being actively maintained and updated, often shared among different Chinese state-sponsored groups (CISA). Notable examples of this activity include the group Volt Typhoon, which has used these networks to pre-position offensive capabilities within critical national infrastructure, and Flax Typhoon, which has employed separate infrastructure for cyber espionage campaigns (CISA).

To defend against this evolving threat, the coalition recommends that network defenders prioritize the security of SOHO and IoT devices, which are frequently exploited due to poor security hygiene or unpatched vulnerabilities (CISA). Organizations are encouraged to implement robust monitoring to detect anomalous traffic patterns that may indicate the presence of a covert network and to ensure that all edge devices are properly configured and updated (CISA).

This advisory highlights a broader trend of state-sponsored actors professionalizing their infrastructure to maintain long-term persistence and deniability. As these covert networks become a standard component of the Chinese cyber-espionage toolkit, defenders must shift their focus toward identifying and neutralizing the underlying infrastructure rather than just individual malicious payloads. The full advisory, which includes contributions from agencies across 13 countries, can be found at CISA's official portal.

Synthesized by Vypr AI