China-Nexus Hackers Hide Behind Massive Botnets of Compromised IoT Devices
The **United Kingdom's National Cyber Security Centre (NCSC-UK)** and international partners are warning that Chinese state-sponsored hacking groups are increasingly leveraging large-scale proxy networks composed of hijacked consumer devices to mask their malicious activities. These botnets, primarily made up of compromised SOHO routers and IoT devices, allow attackers to evade detection by routing traffic through chains of compromised nodes.
This joint advisory, co-signed by agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, highlights a significant shift in tactics. The majority of Chinese hacking groups have moved away from individually procured infrastructure towards expansive botnets of compromised devices, primarily targeting small office and home office (SOHO) routers, internet-connected cameras, video recorders, and network-attached storage (NAS) equipment.
### Botnet Functionality
These massive botnets enable attackers to route traffic through chains of compromised devices. The traffic enters the network at one point, passes through multiple intermediate nodes, and exits near the intended target, effectively obscuring the attacker's true location and avoiding geographic detection.
"The NCSC believes that the majority of China-nexus threat actors are using these networks [..], that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors," the [joint advisory reads](https://www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices).
"These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices."
*Figure: Covert network basic setup (NCSC-UK)*
### Notable Botnet Examples
One such massive Chinese botnet, known as **Raptor Train**, infected more than 260,000 devices worldwide in 2024. The **FBI** linked **Raptor Train** to malicious activity attributed to the Chinese state-sponsored **Flax Typhoon** hacking group and Chinese company **Integrity Technology Group** (sanctioned in January 2025).
The **FBI** disrupted **Raptor Train** in September 2024 with help from researchers at **Black Lotus Labs** after linking it to campaigns targeting entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, primarily in the U.S. and Taiwan.
A separate network (**KV-Botnet**) was used by the Chinese state-backed **Volt Typhoon** threat group and consisted primarily of end-of-life **Cisco** and **Netgear** routers that no longer received security patches. The **FBI** also disrupted **KV-Botnet** by wiping malware from infected routers in January 2024, but **Volt Typhoon** slowly started reviving it in November 2024 after an initial failed attempt in February.
### Implications and Mitigation
"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks," said Paul Chichester, **NCSC-UK's** Director of Operations.
Western intelligence agencies that signed the advisory warned that traditional defenses based on blocking static lists of malicious IP addresses are becoming less effective as these botnets continuously add new compromised nodes.
Instead, network defenders at small, medium, and large organizations are advised to implement multifactor authentication, map network edge devices, leverage dynamic threat feeds that include known covert network indicators, and, where possible, apply IP allowlists, zero-trust controls, and machine certificate verification.
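To make the advice above concrete, here is an added example (not code from the advisory, NCSC-UK, or any of the signing agencies) of how a defender might check edge-device connection logs against a dynamic indicator feed and an administrative IP allowlist. The log format, the feed snapshot, the allowlist ranges, and every IP address are constructed for the example; the feed itself carries a fetch timestamp so that a stale snapshot, the weakness the advisory describes for static block lists, is reported as a finding in its own right.

```python
"""Added example: screen connection logs from an edge device against a
dynamic covert-network indicator feed plus an admin allowlist.
All IPs, log lines and feed contents are constructed, not real indicators."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ThreatFeed:
    """An indicator snapshot together with the time it was fetched.
    Covert networks rotate nodes constantly, so a feed that has not been
    refreshed recently is treated as a finding, not silently trusted."""
    indicators: frozenset
    fetched_at: datetime

    def is_stale(self, now, max_age):
        return now - self.fetched_at > max_age


# Hypothetical log format: "<timestamp> <src> -> <dst>:<port> <service>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9a-fA-F.:]+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<port>\d+)\s+(?P<svc>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def in_allowlist(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def evaluate(log_text, feed, allowlist, admin_services, now,
             max_feed_age=timedelta(hours=24)):
    """Produce (subject, finding, detail) tuples for:
    - a feed snapshot older than max_feed_age,
    - any source IP present in the feed,
    - any administrative service reached from outside the allowlist."""
    findings = []
    if feed.is_stale(now, max_feed_age):
        findings.append(("feed", "stale-feed",
                         "fetched " + feed.fetched_at.isoformat()))
    for ev in parse_log(log_text):
        if ev["src"] in feed.indicators:
            findings.append((ev["src"], "covert-network-indicator", ev["svc"]))
        if ev["svc"] in admin_services and not in_allowlist(ev["src"], allowlist):
            findings.append((ev["src"], "admin-access-outside-allowlist", ev["svc"]))
    return findings


# --- constructed sample inputs (documentation ranges, not real hosts) ---
SAMPLE_LOG = """\
2025-05-21T09:12:01 198.51.100.23 -> 192.0.2.10:443 vpn-login
2025-05-21T09:15:44 10.0.4.9 -> 192.0.2.10:22 ssh-admin
2025-05-21T09:20:10 192.0.2.150 -> 192.0.2.10:443 vpn-login
2025-05-21T09:22:31 203.0.113.5 -> 192.0.2.10:22 ssh-admin
this line is not in the expected format
"""
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/28")]
ADMIN_SERVICES = {"ssh-admin"}
NOW = datetime(2025, 5, 21, 10, 0)
FRESH_FEED = ThreatFeed(frozenset({"198.51.100.23", "203.0.113.77",
                                   "192.0.2.150"}),
                        fetched_at=datetime(2025, 5, 21, 0, 0))
STALE_FEED = ThreatFeed(FRESH_FEED.indicators,
                        fetched_at=datetime(2025, 5, 18, 0, 0))


def run_fresh():
    return evaluate(SAMPLE_LOG, FRESH_FEED, ADMIN_ALLOWLIST, ADMIN_SERVICES, NOW)


def run_stale():
    return evaluate(SAMPLE_LOG, STALE_FEED, ADMIN_ALLOWLIST, ADMIN_SERVICES, NOW)


if __name__ == "__main__":
    for finding in run_fresh():
        print(finding)
```

Two design points are worth noting. The feed is compared by exact address, so the check only helps while the snapshot is fresh; the `stale-feed` finding exists precisely because the advisory warns that static lists lose value as nodes are added. The allowlist check is independent of the feed: an administrative login from an unlisted address is flagged even when that address appears on no indicator list, which is the zero-trust posture the advisory recommends for edge devices.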