"The NCSC believes that the majority of China-nexus threat actors are using these networks [...], that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors," the joint advisory reads.
NCSC-UK and nine international partners issue a coordinated warning
The United Kingdom's National Cyber Security Centre (NCSC-UK), joined by agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, published a joint advisory describing a marked shift in how China-nexus hacking groups operate. The advisory states that most of these actors have moved away from individually procured infrastructure toward "vast botnets of compromised devices" — a change in tradecraft that the signatories regard as deliberate and widespread.
Proxy-style botnets built from SOHO routers and IoT devices
The advisory identifies Small Office/Home Office (SOHO) routers, internet-connected cameras, video recorders, and network-attached storage (NAS) equipment as the primary components of these covert networks. Those compromised devices are chained so that traffic can enter a victim network at one point, traverse multiple intermediate, compromised nodes, and exit close to an intended target — a routing pattern that obscures geographic origin and frustrates attribution based on IP address alone.
Raptor Train and KV‑Botnet: two large-scale examples
The advisory cites two named networks. Raptor Train, described as a "massive Chinese botnet," infected more than 260,000 devices worldwide in 2024 and was linked by the FBI to malicious activity attributed to the Chinese state-sponsored Flax Typhoon hacking group and the Chinese company Integrity Technology Group, which was sanctioned in January 2025. The FBI disrupted Raptor Train in September 2024 with assistance from researchers at Black Lotus Labs after tracing campaigns that targeted military, government, higher education, telecommunications, defense industrial base, and IT sectors, primarily in the U.S. and Taiwan.
KV‑Botnet is identified as a separate covert network used by the Chinese state-backed Volt Typhoon group. It consisted mainly of vulnerable Cisco and Netgear routers that were out of date and no longer received security patches. The FBI wiped malware from infected routers in January 2024 to disrupt KV‑Botnet; Volt Typhoon attempted to revive the network in February 2024 and began a slower effort to revive it again in November 2024.
Operational implications: static IP blocks are losing effectiveness
Western intelligence agencies that co‑signed the advisory warn that traditional defenses — chiefly blocking lists of static malicious IP addresses — are becoming less effective as covert networks continually add new compromised nodes. The advisory recommends a set of concrete mitigations for defenders: implement multifactor authentication, map network edge devices, use dynamic threat feeds that include known covert network indicators, and, where feasible, apply IP allowlists, zero‑trust controls, and machine certificate verification.
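The difference between a frozen blocklist and a refreshed indicator feed, and the stricter allowlist control the advisory suggests where feasible, can be shown on a handful of edge-device log lines. The example below is added here and is not code from the advisory, the NCSC, or the original article; the log format, the feed snapshots, the feed refresh cadence, the allowlist range, and every address (RFC 5737 documentation ranges) are constructed for the illustration.

```python
"""Added illustration: static blocklist vs. refreshed feed vs. allowlist
enforcement on constructed edge-device connection logs."""
from dataclasses import dataclass
from datetime import date
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample logs in a hypothetical format:
#   "<ISO timestamp> src=<ip> dst=<ip> action=<allow|deny>"
SAMPLE_LOGS = [
    "2025-01-10T08:00:00Z src=198.51.100.7 dst=10.0.0.5 action=allow",
    "2025-01-10T08:05:00Z src=203.0.113.44 dst=10.0.0.5 action=allow",
    "2025-01-11T09:00:00Z src=203.0.113.201 dst=10.0.0.9 action=allow",
    "2025-01-11T09:30:00Z src=192.0.2.10 dst=10.0.0.9 action=allow",
    "2025-01-11T09:45:00Z not a well-formed line",
]

# Constructed feed snapshots: the covert-network node addresses a hypothetical
# feed provider reports on each day. Node .44 drops out on day two while a
# newly recruited node, .201, appears, which is exactly what a frozen list misses.
FEED_SNAPSHOTS: Dict[str, Set[str]] = {
    "2025-01-10": {"203.0.113.44", "203.0.113.199"},
    "2025-01-11": {"203.0.113.201", "203.0.113.199"},
}

# Constructed allowlist: the only source range permitted to reach the service.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str


def parse_log(line: str):
    """Return the fields of one log line, or None for a malformed line."""
    m = LOG_RE.match(line)
    return None if m is None else m.groupdict()


class DynamicFeed:
    """Indicator set that follows the feed: a node stays listed while the feed
    keeps reporting it and ages out after max_age_days without a report."""

    def __init__(self, max_age_days: int = 1):
        self.max_age_days = max_age_days
        self.last_reported: Dict[str, str] = {}  # ip -> date of last report

    def refresh(self, day: str, snapshot: Set[str]) -> None:
        for ip in snapshot:
            self.last_reported[ip] = day

    def active(self, day: str) -> Set[str]:
        today = date.fromisoformat(day)
        return {
            ip for ip, seen in self.last_reported.items()
            if (today - date.fromisoformat(seen)).days <= self.max_age_days
        }


def match(logs: Iterable[str], indicators_on: Callable[[str], Set[str]]) -> List[Hit]:
    """Flag lines whose source is an indicator on the day the line was logged."""
    hits: List[Hit] = []
    for line in logs:
        rec = parse_log(line)
        if rec is None:
            continue  # skip malformed input rather than abort the whole run
        if rec["src"] in indicators_on(rec["ts"][:10]):
            hits.append(Hit(rec["ts"], rec["src"], rec["dst"]))
    return hits


def compare_static_vs_dynamic() -> Dict[str, List[Hit]]:
    """Same logs, two indicator sources: a day-one snapshot frozen forever
    versus a feed refreshed with each day's snapshot."""
    frozen = set(FEED_SNAPSHOTS["2025-01-10"])
    feed = DynamicFeed()
    for day in sorted(FEED_SNAPSHOTS):
        feed.refresh(day, FEED_SNAPSHOTS[day])
    return {
        "static": match(SAMPLE_LOGS, lambda _day: frozen),
        "dynamic": match(SAMPLE_LOGS, feed.active),
    }


def allowlist_violations(logs: Iterable[str], allowed) -> List[Hit]:
    """The stricter control: where an allowlist is feasible, any source outside
    the permitted ranges is a finding whether or not a feed knows about it."""
    findings: List[Hit] = []
    for line in logs:
        rec = parse_log(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in allowed):
            findings.append(Hit(rec["ts"], rec["src"], rec["dst"]))
    return findings


if __name__ == "__main__":
    for mode, hits in compare_static_vs_dynamic().items():
        print(mode, [h.src for h in hits])
    print("outside allowlist", [h.src for h in allowlist_violations(SAMPLE_LOGS, ALLOWLIST)])
```

On the constructed data the frozen list catches only the day-one node, the refreshed feed also catches the node recruited on day two, and the allowlist flags every source outside the permitted range regardless of what any feed reports; the allowlist is the stronger control, which is why the advisory limits it to where it is feasible.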
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect hostile traffic to appear to originate from legitimate consumer devices rather than dedicated attacker infrastructure; the advisory's recommended tools — dynamic threat intelligence, device mapping, and machine certificate checks — are presented as the practical countermeasures.
- Policymakers and regulators: The joint, multinational nature of the advisory signals coordinated concern about exploitation of unpatched SOHO and IoT devices, and it highlights past actions (FBI disruptions) that required cross‑sector operational work across law enforcement and private researchers.
- Affected enterprises and procurement leaders: The advisory identifies targeted sectors in previous campaigns — military, government, higher education, telecommunications, defense industrial base, and IT — and underscores the limits of perimeter defenses; procurement and asset‑management decisions for edge devices are implicitly central to reducing attack surface.
Conclusion: an operational shift demands a defensive one
The advisory frames a clear operational shift: China-nexus actors are increasingly concealing activity inside chains of compromised consumer devices rather than relying on fixed, attacker-controlled servers. That shift both complicates attribution and reduces the usefulness of static blocklists. The advisory points defenders to specific mitigations — multifactor authentication, device mapping, dynamic threat feeds, IP allowlists, zero‑trust controls, and machine certificate verification — and it documents real‑world interventions (the Raptor Train and KV‑Botnet disruptions) carried out by law enforcement together with private researchers. The record in the advisory underscores two facts: the threat model has changed, and the recommended defensive posture must change with it.
Original story: https://www.bleepingcomputer.com/news/security/uk-warns-of-chinese-hackers-using-botnets-of-hijacked-consumer-devices-to-evade-detection/