Washington, D.C.

Bay Area Home Routers Targeted as China-Linked Hackers Build Stealth Cyber Army

Published on April 24, 2026
Image credit: Unsplash / Stephen Phillips - Hostreviews.co.uk

International cyber agencies are sounding the alarm that China-nexus hackers have quietly pivoted to a new playbook, turning ordinary home routers and smart gadgets into covert infrastructure for espionage and potential strikes on critical systems. The joint advisory says these dynamic, multi-hop networks of hijacked consumer gear essentially function as botnets, funneling malicious traffic through thousands of unsuspecting households and small offices and making it far tougher to trace or shut down attacks. Security teams are being pressed to rethink how they map, monitor and lock down the network edge.

What the advisory says

The guidance, released April 23 by Britain’s National Cyber Security Centre and more than a dozen international partners, explains that these covert networks are built mostly from compromised SOHO routers, firewalls and IoT devices and can be repurposed for reconnaissance, malware delivery, command-and-control and data exfiltration, according to the NCSC. The FBI’s Sacramento field office helped boost visibility by reposting on X the FBI Cyber Division’s post that linked to the advisory.

“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks,” NCSC Director of Operations Paul Chichester wrote in the advisory, according to the NCSC. The document includes tailored, step-by-step guidance to help organisations of all sizes cut their exposure to these covert networks.

Known groups and recent takedowns

The advisory cites earlier activity such as the Raptor Train botnet, which infected more than 200,000 devices across the globe and was tied to Integrity Technology Group and the suspected threat activity known as Flax Typhoon. In 2024, the Justice Department described a court-authorized operation that disrupted Raptor Train, removed the malware and notified affected U.S. device owners, according to the Justice Department.

What network defenders should do

To blunt these tactics, the advisory urges network defenders to map and baseline edge devices and remote-access traffic, roll out multi-factor authentication and machine certificates, and rely on IP or geographic allow-lists instead of static deny lists. U.S. partners, including the NSA, highlighted the publication and encouraged organisations to embrace zero-trust principles and use dynamic threat-feed filtering to spot covert-network activity, according to the NSA.
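To make the allow-list and threat-feed recommendations concrete, here is a small, added example of the kind of screening a defender could run over remote-access logs from an edge device. It is not code from the advisory or from any agency; the log lines, the allow-listed ranges, and the threat-feed addresses are all constructed placeholder values (RFC 5737 documentation ranges), and the log format is an assumed key=value layout. The point it illustrates is the advisory's contrast between a static deny list and an allow-list: a source that appears on neither list is still flagged, because the allow-list is the authority on what is expected.

```python
"""Added example: screen remote-access events against an allow-list and a threat feed.

Everything below is constructed for illustration: the IP ranges, the feed
entries and the log format are assumptions, not values from the advisory.
"""
import ipaddress
from collections import defaultdict

# Constructed allow-list: an office egress range and a single VPN concentrator.
# In practice this is the baseline of where legitimate remote access comes from.
ALLOW_LIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed dynamic threat feed: addresses reported as compromised SOHO devices.
# A real feed would be refreshed on a schedule rather than hard-coded.
THREAT_FEED = {"192.0.2.44", "192.0.2.91"}

# Constructed sample log lines in an assumed "timestamp device key=value ..." layout.
SAMPLE_LOGS = """\
2026-04-23T08:01:12Z edge-fw01 src=203.0.113.15 action=vpn-login user=alice result=success
2026-04-23T08:04:40Z edge-fw01 src=192.0.2.44 action=vpn-login user=alice result=success
2026-04-23T08:06:02Z edge-fw01 src=198.51.100.7 action=admin-login user=admin result=success
2026-04-23T08:09:55Z edge-fw01 src=192.0.2.91 action=admin-login user=admin result=failure
2026-04-23T08:12:13Z edge-fw01 src=100.64.3.9 action=vpn-login user=bob result=success
"""


def parse_line(line):
    """Split one log line into a dict of fields (timestamp, device, and key=value pairs)."""
    ts, device, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "device": device, **fields}


def in_allow_list(ip_str):
    """True if the address falls inside any allow-listed network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOW_LIST)


def classify(event):
    """Return the reasons an event is suspicious; an empty list means it looks expected.

    Order matters for the reader: a threat-feed hit is reported first, then the
    allow-list miss. A source on no list at all still produces 'outside-allow-list',
    which is exactly what a static deny list would fail to catch.
    """
    reasons = []
    if event["src"] in THREAT_FEED:
        reasons.append("threat-feed-match")
    if not in_allow_list(event["src"]):
        reasons.append("outside-allow-list")
    return reasons


def screen_logs(text):
    """Run every log line through classify() and return (src, action, reasons) for the hits."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["src"], ev["action"], tuple(reasons)))
    return alerts


def baseline_sources(text):
    """Map each edge device to the set of source addresses seen, as a starting baseline."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            seen[ev["device"]].add(ev["src"])
    return dict(seen)


if __name__ == "__main__":
    for src, action, reasons in screen_logs(SAMPLE_LOGS):
        print(f"ALERT {src} {action}: {', '.join(reasons)}")
    print("baseline:", baseline_sources(SAMPLE_LOGS))
```

Running it flags three of the five events: the two feed-listed addresses and the unlisted 100.64.3.9 login, while the two allow-listed sources pass. Swapping the hard-coded THREAT_FEED for a periodically refreshed feed is what turns this into the "dynamic threat-feed filtering" the NSA describes.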

Reporting and local context

For Bay Area IT teams and small businesses, the message hits close to home: that cheap, consumer-grade perimeter box in the back room might be part of someone else’s campaign and needs to be properly inventoried, patched and hardened. Local readers may recall that federal prosecutors previously dismantled Raptor Train and, in announcing that takedown, detailed how botnets like it can be used as a springboard into enterprise environments. U.S. organisations that suspect they have been swept up in similar activity are urged to report incidents to the FBI’s Internet Crime Complaint Center; IC3’s portal is available at ic3.gov.