NCSC and Allies Warn of China-Nexus Covert Networks Using Compromised Routers and IoT Devices
A joint international advisory details how China-nexus cyber actors are using large-scale covert networks of compromised SOHO routers and IoT devices for reconnaissance, malware delivery, and espionage.

The UK National Cyber Security Centre (NCSC-UK), together with the FBI, CISA, NSA, and cybersecurity agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, has released a joint advisory detailing the strategic use of covert networks of compromised devices by China-nexus cyber actors. The advisory, published on April 23, 2026, warns that these networks—primarily composed of small office/home office (SOHO) routers and Internet of Things (IoT) devices—are being used to obfuscate the origin of malicious activity and enable a wide range of operations, from reconnaissance to data exfiltration.
The advisory highlights a significant shift in tactics, techniques, and procedures (TTPs) among Chinese state-sponsored groups, moving away from individually procured infrastructure toward externally provisioned, large-scale botnets. The NCSC assesses that the majority of China-nexus threat actors now rely on these covert networks, which are constantly updated and may be shared among multiple groups. Notable examples include the Raptor Train network, which infected over 200,000 devices in 2024 and was controlled by the Chinese company Integrity Technology Group, and the KV Botnet used by Volt Typhoon, which primarily exploited end-of-life Cisco and Netgear routers.
These covert networks are used across the entire cyber kill chain. Threat actors employ them for scanning and reconnaissance, delivering malware, communicating with compromised systems, and exfiltrating stolen data. They also provide deniable internet access for researching exploitation techniques and targeting victims without attribution. The advisory notes that some networks are also used by legitimate customers, further complicating attribution efforts.
The scale and dynamic nature of these networks pose a significant challenge to traditional network defense paradigms. As Mandiant Intelligence highlighted in a May 2024 report, the use of multiple, large-scale covert networks leads to what is termed "indicator of compromise (IOC) extinction"—static malicious IP block lists become far less effective when threat actors can route traffic through hundreds of thousands of constantly changing endpoints. The advisory provides detailed protective measures and maps the observed TTPs to the MITRE ATT&CK framework to help defenders detect and mitigate these threats.
Organizations targeted by China-nexus cyber actors, particularly those operating critical national infrastructure, are urged to implement the recommended security best practices. These include maintaining robust patch management for edge devices, segmenting networks to limit lateral movement, deploying endpoint detection and response (EDR) solutions, and monitoring for anomalous traffic patterns that may indicate use of covert network nodes. The advisory also emphasizes the importance of replacing end-of-life devices that no longer receive security updates.
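As an added illustration of the "IOC extinction" problem described above and of the anomalous-traffic monitoring the advisory recommends (example code written for this summary, not taken from the advisory or any vendor): a constructed web-server log, a stale IP block list, and a behavioural grouping that flags request clusters spread thinly across many source addresses. Every IP, path and User-Agent value here is constructed sample data.

```python
from collections import defaultdict

# Constructed sample log: (source_ip, request_path, user_agent).
# The first block models traffic relayed through a covert network of compromised
# SOHO/IoT devices: twenty distinct source IPs, one or two requests each, all
# sharing the same path and User-Agent. The remaining lines are ordinary traffic.
RELAY_UA = "Mozilla/5.0 (X11; Linux x86_64) probe/1.0"  # constructed value
SAMPLE_LOG = (
    [(f"203.0.113.{i}", "/login", RELAY_UA) for i in range(1, 13)]
    + [(f"198.51.100.{i}", "/login", RELAY_UA) for i in range(1, 9)]
    + [("203.0.113.3", "/login", RELAY_UA)]          # one relay IP repeats once
    + [("192.0.2.10", "/", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0")] * 30
    + [("192.0.2.11", "/index.html", "Mozilla/5.0 (Macintosh) Safari/17.4")] * 5
)

# A static block list built from earlier sightings. Because the covert network
# rotates through many endpoints, only two of its twenty addresses are listed.
STALE_BLOCKLIST = {"203.0.113.1", "203.0.113.2"}


def blocklist_coverage(log, blocklist):
    """Fraction of all requests that a static IP block list would have stopped."""
    hits = sum(1 for ip, _, _ in log if ip in blocklist)
    return hits / len(log)


def distributed_clusters(log, min_sources=10, max_per_source=2):
    """Group requests by (path, user_agent) and flag clusters that are spread
    across many source IPs while each IP contributes only a few requests.

    That wide-but-shallow shape is what relaying through a large covert network
    produces; per-IP rate limits and IP block lists never see it, because no
    single address is ever busy or (yet) known-bad. Returns {key: [ips]}.
    """
    per_key = defaultdict(lambda: defaultdict(int))
    for ip, path, ua in log:
        per_key[(path, ua)][ip] += 1
    flagged = {}
    for key, ips in per_key.items():
        if len(ips) >= min_sources and max(ips.values()) <= max_per_source:
            flagged[key] = sorted(ips)
    return flagged


if __name__ == "__main__":
    print(f"block list stopped {blocklist_coverage(SAMPLE_LOG, STALE_BLOCKLIST):.1%} of requests")
    for (path, ua), ips in distributed_clusters(SAMPLE_LOG).items():
        print(f"distributed cluster: {path!r} {ua!r} from {len(ips)} source IPs")
```

Thresholds such as `min_sources` are deployment-specific; the point is that the grouping key is behaviour, which the operator cannot rotate as cheaply as source addresses.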
This joint advisory underscores the growing international concern over the strategic use of botnets by state-sponsored actors. By leveraging compromised consumer and small-business devices, these actors achieve a low-cost, low-risk, and highly deniable operational platform that can be sustained over long periods. The collaboration among 14 nations signals a unified effort to share threat intelligence and provide network defenders with the tools needed to counter this evolving threat.