Skip to content
.ca
sign in
4 minhigh

Defending against China-nexus covert networks of compromised devices

China-nexus cyber actors have strategically shifted to utilizing large-scale covert networks of compromised SOHO and IoT devices to obfuscate their operations. These dynamic botnets, such as Raptor Train and KV Botnet, facilitate deniable access and complicate traditional static IOC-based defense, requiring organizations to adopt behavioral baselining and dynamic threat intelligence.

Conf:highAnalyzed:2026-04-23reports

Authors: NCSC-UK, CISA, FBI, NSA, International Partners

ActorsVolt TyphoonFlax TyphoonRaptor TrainKV BotnetIntegrity Technology Group
China-nexusSOHO RoutersVolt TyphoonBotnetFlax Typhoon

Source:NCSC

Key Takeaways

  • China-nexus actors are shifting from individually procured infrastructure to large-scale covert networks (botnets) of compromised devices.
  • These networks primarily consist of end-of-life SOHO routers, IoT devices, firewalls, and NAS devices.
  • Threat actors use these networks for all phases of the kill chain, including reconnaissance, C2, and exfiltration, to disguise attribution.
  • Defenders face 'IOC Extinction' as malicious traffic blends with legitimate traffic across hundreds of thousands of dynamic nodes.
  • Organizations should baseline edge device traffic, implement strict access controls like IP allowlisting, and utilize dynamic threat feeds.

Affected Systems

  • SOHO routers
  • IoT devices
  • Firewalls
  • Network Attached Storage (NAS)
  • Cisco routers
  • NetGear routers
  • End-of-life devices

Vulnerabilities (CVEs)

  • Unpatched vulnerabilities in end-of-life devices

Attack Chain

Threat actors acquire virtual private servers to act as entry nodes (on-ramps) into the covert network. Traffic is then routed through multiple traversal nodes consisting of compromised SOHO routers and IoT devices. Finally, the traffic exits the network via an exit node geographically co-located with the target to blend in with expected regional traffic, allowing the actor to conduct reconnaissance, deliver malware, or exfiltrate data deniably.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article; the focus is on architectural and behavioral defense strategies.

Detection Engineering Assessment

EDR Visibility: Low — EDR is typically not deployable on SOHO routers, IoT devices, or NAS appliances that make up the traversal nodes of these botnets. Network Visibility: High — Detection relies heavily on monitoring network traffic at the edge, baselining VPN connections, and identifying anomalous inbound connections from consumer broadband ranges. Detection Difficulty: Hard — The dynamic nature of the botnets and the use of exit nodes geographically close to the target causes 'IOC Extinction' and makes malicious traffic blend in with legitimate consumer traffic.

Required Log Sources

  • VPN access logs
  • Firewall connection logs
  • NetFlow/IPFIX
  • Authentication logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Anomalous inbound VPN or remote access connections originating from consumer broadband IP ranges or known compromised SOHO device types.VPN and Firewall logsInitial AccessHigh
Unexpected geographic shifts in authentication attempts or traffic patterns that do not align with normal business operations.Authentication logsInitial AccessMedium

Control Gaps

  • Lack of visibility into unmanaged edge devices
  • Reliance on static IP blocklists
  • End-of-life hardware lacking security patches

Key Behavioral Indicators

  • Connections from consumer broadband ranges to corporate VPNs
  • Traffic from known IoT/SOHO device default ports/banners
  • Anomalous geographic login locations

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Map and understand network edge devices.
  • Baseline normal connections to corporate VPNs.
  • Implement multi-factor authentication (MFA) for remote connections.

Infrastructure Hardening

  • Apply IP address allow lists rather than deny lists for VPN connections.
  • Enforce machine certificates for SSL connections.
  • Implement zero trust policies for connections.
  • Reduce the internet-facing presence of the IT estate.
  • Replace end-of-life SOHO routers and IoT devices.

User Protection

  • Ensure remote workers are connecting via secure, updated, and managed routers where possible.

Security Awareness

  • Track China-nexus covert networks as APTs in their own right.
  • Leverage dynamic threat feeds instead of relying solely on static IOCs.

MITRE ATT&CK Mapping

  • T1584.005 - Compromise Infrastructure: Botnet
  • T1584.008 - Compromise Infrastructure: Network Devices
  • T1583.003 - Acquire Infrastructure: Virtual Private Server
  • T1090.003 - Proxy: Multi-hop Proxy

Related