
Defending Against China-Nexus Covert Networks of Compromised Devices

China-nexus threat actors are increasingly using large-scale covert networks of compromised SOHO routers and IoT devices to obscure their operations and route malicious traffic. This shift renders traditional static IOC blocklists ineffective and requires defenders to adopt behavioral profiling, zero trust principles, and active network hunting to detect multi-hop proxy traffic.

Confidence: high. Analyzed: 2026-04-23. Category: reports.

Authors: NCSC-UK, CISA, FBI, NSA, ASD, Cyber Centre (Canada)

Actors: Volt Typhoon, Flax Typhoon, Raptor Train, KV Botnet, Integrity Technology Group

Source: CISA

Key Takeaways

  • China-nexus actors are shifting from individually procured infrastructure to large-scale covert networks (botnets) of compromised SOHO and IoT devices.
  • Prominent threat groups like Volt Typhoon (KV Botnet) and Flax Typhoon (Raptor Train) use these networks for pre-positioning, espionage, and deniable operations.
  • The dynamic nature of these botnets leads to 'IOC Extinction,' making traditional static IP blocklists highly ineffective.
  • Covert networks typically consist of an entry node (on-ramp), multiple traversal nodes, and an exit node geographically co-located with the target.
  • Defenders must pivot to behavioral profiling, geographic allow-listing, zero trust architecture, and active NetFlow hunting to detect malicious traffic.

Affected Systems

  • Small Office Home Office (SOHO) routers
  • Internet of Things (IoT) devices
  • Firewalls
  • Network Attached Storage (NAS) devices
  • End-of-life (EOL) Cisco and NetGear routers

Vulnerabilities (CVEs)

  • Unspecified vulnerabilities in end-of-life (EOL) and unpatched edge devices

Attack Chain

Threat actors acquire virtual private servers to act as on-ramps (entry nodes) into a covert network. Traffic is then routed through multiple compromised SOHO/IoT devices acting as traversal nodes. Finally, the traffic exits the network via an exit node, typically located in the same geographic region as the target, allowing the actors to conduct reconnaissance, deliver malware, or exfiltrate data while disguising their true origin.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided; the advisory focuses on strategic detection methodologies such as NetFlow analysis, behavioral baselining, and geographic profiling.

Detection Engineering Assessment

  • EDR Visibility: Low — The malicious activity primarily occurs on network edge devices (SOHO routers, IoT) where EDR cannot be installed, and incoming traffic appears to originate from legitimate domestic IP spaces.
  • Network Visibility: High — Detection relies heavily on network telemetry, specifically NetFlow, VPN connection logs, and geographic profiling of incoming connections.
  • Detection Difficulty: Hard — Traffic originates from compromised consumer broadband ranges, blending in with legitimate remote worker traffic and rendering static IP blocklists obsolete due to rapid node turnover.

Required Log Sources

  • VPN connection logs
  • NetFlow/IPFIX
  • Firewall logs
  • Authentication logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
--- | --- | --- | ---
Anomalous VPN logins originating from unexpected consumer broadband IP ranges or unusual geographic locations may indicate covert network exit nodes. | VPN and Authentication logs | Initial Access | High
Inbound connections to network edge devices from known compromised IoT/SOHO device fingerprints indicate potential reconnaissance or exploitation attempts. | Firewall and Web Proxy logs | Reconnaissance | Medium

Control Gaps

  • Reliance on static IP deny lists
  • Lack of MFA on remote access portals
  • Permissive VPN access policies without geographic or device profiling

Key Behavioral Indicators

  • Connections from consumer broadband ranges to corporate VPNs
  • Geographic anomalies in authentication attempts
  • Unexpected SSL machine certificate failures

False Positive Assessment

  • High - Hunting for connections from consumer broadband IPs will likely flag legitimate remote workers unless carefully correlated with other behavioral or geographic anomalies.
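As an added illustration of the first hunting hypothesis and the false-positive caveat above (example code written for this summary, not from the advisory or the issuing agencies), the following Python runs over constructed VPN log lines with a constructed network lookup and a constructed per-user baseline; it alerts on a consumer-broadband source only when a second anomaly (new country for the user, or missing MFA) corroborates it, so ordinary remote workers are not flagged.

```python
import ipaddress
# Constructed lookup standing in for ASN/GeoIP data: (network, label, consumer_broadband, country).
NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "corp-office", False, "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp-consumer-a", True, "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "isp-consumer-b", True, "DE"),
]
# Constructed per-user baseline: networks and countries seen for the user during a learning window.
BASELINE = {
    "alice": {"networks": {"corp-office", "isp-consumer-a"}, "countries": {"US"}},
    "bob": {"networks": {"corp-office"}, "countries": {"US"}},
}
# Constructed sample log: a known remote worker, a single-anomaly login, and a corroborated one.
SAMPLE_LOG = [
    "2026-04-23T08:00:00Z user=alice src=198.51.100.7 mfa=yes",
    "2026-04-23T08:05:00Z user=bob src=198.51.100.9 mfa=yes",
    "2026-04-23T08:10:00Z user=bob src=192.0.2.44 mfa=no",
]
def lookup(ip):
    """Map a source IP to (label, is_consumer_broadband, country); unknown ranges count as consumer."""
    addr = ipaddress.ip_address(ip)
    for net, label, consumer, country in NETWORKS:
        if addr in net:
            return label, consumer, country
    return "unknown", True, "??"

def parse(line):
    """Parse a constructed line '<ts> user=<u> src=<ip> mfa=<yes|no>' into a dict of its key=value fields."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def score_login(ev):
    """Return the ordered anomaly tags for one successful VPN login."""
    label, consumer, country = lookup(ev["src"])
    base = BASELINE.get(ev["user"], {"networks": set(), "countries": set()})
    tags = []
    if consumer and label not in base["networks"]:
        tags.append("new-consumer-network")  # broadband range this user has not used before
    if country not in base["countries"]:
        tags.append("new-country")  # geographic anomaly against the user's baseline
    if ev.get("mfa") != "yes":
        tags.append("no-mfa")  # the control gap the advisory calls out
    return tags

def hunt(lines):
    """Alert on a consumer-broadband source only when a second anomaly corroborates it."""
    alerts = []
    for ev in map(parse, lines):
        tags = score_login(ev)
        if "new-consumer-network" in tags and len(tags) >= 2:
            alerts.append((ev["user"], ev["src"], tags))
    return alerts
```

In a real deployment the lookup and baseline would be fed from NetFlow/IPFIX enrichment and the VPN concentrator's own logs, and the corroborating signals can be extended with the other behavioral indicators listed above.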

Recommendations

Immediate Mitigation

  • Implement multifactor authentication (MFA) for all remote connections.
  • Map and baseline all network edge devices and expected incoming connections.

Infrastructure Hardening

  • Apply IP address allow lists rather than deny lists for VPNs.
  • Enforce machine certificates for SSL connections.
  • Reduce the internet-facing presence of the IT estate.
  • Replace end-of-life (EOL) SOHO routers and IoT devices that no longer receive security patches.

User Protection

  • Implement zero trust policies for remote connections.

Security Awareness

  • Educate security operations teams on 'IOC Extinction' and the necessary shift from static blocklists to behavioral anomaly detection.

MITRE ATT&CK Mapping

  • T1584.005 - Compromise Infrastructure: Botnet
  • T1584.008 - Compromise Infrastructure: Network Devices
  • T1583.003 - Acquire Infrastructure: Virtual Private Server
  • T1090.003 - Proxy: Multi-hop Proxy