Over the past few years, China-nexus cyber actors have made a quiet but consequential shift: instead of relying mainly on bespoke infrastructure they own or lease, they are increasingly routing operations through vast networks of compromised devices spread across the internet. The new NCSC-led advisory argues that this is now a strategic, large-scale tradecraft choice, not just an opportunistic side effect of botnet abuse. For defenders, that matters because the old playbook of static IP blocklists and one-and-done takedowns is no longer enough.
The biggest operational question is whether enterprises can evolve fast enough to make edge-device security routine. If SOHO routers, remote-access appliances, and smart devices remain unmanaged or under-monitored, then the adversary will keep finding cheap relay infrastructure. If organizations finally bring those assets under the same discipline they apply to endpoints and servers, the economics of covert-network abuse get harder.
Source: CISA, Defending Against China-Nexus Covert Networks of Compromised Devices
Overview
The timing of the advisory is telling. On 23 April 2026, the UK’s National Cyber Security Centre published guidance alongside a long list of international partners, including CISA, the FBI, the NSA, ASD’s ACSC, CSE’s Cyber Centre, Germany’s BfV, BND and BSI, Japan’s NCO, the Dutch AIVD and MIVD, New Zealand’s NCSC-NZ, Spain’s CCN, and Sweden’s NCSC-SE. That coalition signals that the problem is no longer being treated as a narrow intelligence issue, but as a shared operational challenge for defenders in government, critical infrastructure, and the private sector.
The advisory’s central claim is straightforward but important: most China-nexus threat actors are now believed to be using covert networks, and those networks are not just single-purpose botnets. They are dynamic, constantly changing collections of compromised SOHO routers, IoT devices, smart devices, firewalls, and NAS systems that can be shared, repurposed, and re-used by multiple actors. That makes attribution harder, disruption more complicated, and defensive baselining far more necessary.
This is not the first time governments have warned about Chinese-linked use of compromised infrastructure. In September 2024, the FBI, CNMF, and NSA described a PRC-linked botnet managed by Integrity Technology Group that had grown to more than 260,000 devices by June 2024 and was used for proxying malicious traffic, DDoS activity, and broader compromise operations. The 2026 advisory builds on that foundation, but it goes further by framing covert networks as a general operating pattern rather than an isolated campaign.
The practical significance is that defenders are being asked to shift their mental model. Instead of assuming an adversary is hiding behind one VPS, one VPN, or one known relay, they must now assume traffic may be emerging from a living ecosystem of consumer-grade infrastructure that mutates continuously. That is a hard problem for detection teams, especially where logs are thin, edge devices are aging, and third-party access paths are sprawling.
What the Advisory Says
The NCSC says covert networks are being used to hide origin, support reconnaissance, deliver malware, maintain command-and-control, and exfiltrate stolen data. It also notes that these networks can support general deniable browsing, which gives operators room to research victims, test infrastructure, and develop new tactics without linking activity back to a single fixed source. That is a significant expansion of purpose: the infrastructure is not just a delivery mechanism, but an operational cover layer.
A shift from owned infrastructure to borrowed infrastructure
One of the advisory’s most consequential observations is that China-nexus actors appear to have moved away from infrastructure they directly procure toward externally provisioned, mass-compromised devices. In plain English, they are increasingly using other people’s routers and smart devices as disposable relay points. That reduces cost, increases deniability, and makes disruption more difficult because many of the nodes are outside the direct control of any single operator.
The advisory’s description of IOC extinction is especially important. If a threat actor can come from many rotating covert networks, each with hundreds of thousands of endpoints, then one set of indicators loses value quickly. Traditional static blocklists age out faster, while the adversary’s infrastructure keeps refreshing as devices are patched, replaced, or newly compromised.
This is a broader trend in cyber conflict. Attackers increasingly prefer scale, churn, and ambiguity over precision and permanence. That does not mean their operations are more sophisticated in every respect, but it does mean they are optimizing for the realities of modern defense: automated blocking, global telemetry, and fast takedown coordination. The result is a kind of infrastructure warfare in which the battlefield is made of cheap, unstable, and partially owned devices.
Why this matters for defenders
For defenders, the advisory is effectively a warning that perimeter-centric thinking is failing. If malicious activity is arriving through consumer routers, vulnerable cameras, or obsolete firewalls, then the question is not merely “who is attacking us?” but “what is the relay chain doing on the way in?” That changes incident response, detection engineering, and attribution analysis all at once.
It also means target organizations may see traffic that looks normal at first glance. Covert network nodes can be legitimate consumer devices that are compromised without their owners’ knowledge, and some infrastructure may even be used by legitimate customers alongside hostile operators. That makes the risk messy rather than cleanly malicious, which is precisely why defenders need better visibility into edge behavior.
- Static IP reputation alone is no longer enough
- Consumer-grade devices are now part of enterprise threat modeling
- Threat hunting must account for rapid node churn
- Attribution may require behavioral evidence, not just source addresses
- Edge-device telemetry becomes strategically valuable
The Anatomy of a Covert Network
The advisory’s topology model is intentionally generalized because specific covert networks go stale quickly. Even so, the basic architecture is familiar: an operator connects through an on-ramp or entry node, traffic traverses multiple compromised devices, and exits through a node often located in the same region as the target. That regional proximity helps blend traffic into local patterns and can reduce suspicion.
Entry, traversal, and exit
The key insight is not that the network exists, but that it behaves like a routing fabric. Entry nodes are not necessarily the actual source of compromise; they are simply the first hop in a longer chain. Traversal nodes provide layer after layer of obfuscation, making simple geolocation or single-hop filtering ineffective. Exit nodes then present traffic to victims in a way that can look locally plausible.
That layered structure echoes the logic of anonymity systems, but with a criminal or state-linked twist: the nodes are not voluntary privacy relays, they are compromised infrastructure. That matters because the defenders’ options differ radically. You cannot negotiate with a botnet the way you might with a commercial VPN or cloud provider. You have to hunt, contain, and harden against recurring compromise.
A further complication is that these networks are not static. The NCSC says new networks are regularly developed and existing ones evolve because of defensive action, legal intervention, software updates, and the appearance of new exploits. So even a well-documented network can change shape beneath the defender’s feet.
What gets pulled into the mesh
The advisory says the networks are mainly built from compromised SOHO routers, with IoT and smart devices also heavily represented. The earlier FBI/CNMF/NSA advisory on the Integrity Technology Group botnet showed a similar pattern, listing routers, firewalls, NAS systems, and IoT devices, and noting that the botnet used a Mirai-derived malware family to automate compromise. That consistency suggests the underlying attack surface is broad, persistent, and still under-defended.
The 2024 advisory is especially revealing because it found that the botnet had more than 1.2 million records in a MySQL database and over 385,000 unique U.S. victim devices in that database as of June 2024. Those figures help explain why the 2026 guidance emphasizes dynamic filtering and hunting. Once a network gets that large, the problem becomes less about one compromised node and more about an industrial-scale relay ecosystem.
There is also a lifecycle issue. Many affected devices are not simply old, end-of-life products. The FBI said many compromised devices in the Integrity Tech-controlled botnet were likely still supported by vendors. That means patching alone is not a universal answer; exposure, default settings, and weak administrative hygiene still matter a great deal.
- SOHO routers remain the workhorse of covert-network abuse
- IoT devices widen the attack surface dramatically
- Supported devices can still be compromised if weakly configured
- Botnet management has become organized and database-driven
- Geographic proximity can help hide malicious exits
The China-Nexus Dimension
The advisory is careful in its language, but its strategic message is clear. It ties these networks to China-nexus cyber actors and says they have been used by groups including Volt Typhoon and Flax Typhoon. That places covert-network abuse within a larger ecosystem of state-linked cyber operations that span espionage, pre-positioning, and access maintenance.
From espionage to pre-positioning
Volt Typhoon became widely associated with stealthy access and pre-positioning on critical infrastructure. The NCSC advisory says those actors used covert networks to route activity in support of those operations. That matters because it suggests the relay layer is not just about hiding reconnaissance; it can support operational access before any overt action is taken.
Flax Typhoon, by contrast, is cited as having used a different covert network for cyber espionage. The broader implication is that multiple China-nexus groups may be sharing the same operating culture, infrastructure patterns, or even parts of the same relay ecosystem. That makes a single attribution model less useful than a threat-ecosystem model.
The 2024 FBI advisory also linked Integrity Technology Group to botnet control and noted its association with Flax Typhoon, RedJuliett, and Ethereal Panda activity. That is significant because it suggests a commercial or quasi-commercial support layer may exist around some of these operations. Whether that support layer is direct tasking, enabling services, or permissive infrastructure use, it complicates the traditional state-versus-criminal binary.
Why the support ecosystem matters
A state actor does not need to build every relay node itself if a broader ecosystem can do it more cheaply and at scale. The advisory’s mention of Chinese information security companies is therefore a notable clue. It implies the line between intelligence support, contractor capability, and cybercriminal tooling may be more porous than many defenders assume. That is not the same as proof of a single centralized program, but it is a warning that the service layer around cyber operations deserves attention.
This has direct implications for policy and defense. If covert networks are sustained by an ecosystem rather than one-off implants, then takedowns, sanctions, and attribution statements can help but won’t be sufficient on their own. Defenders will need to harden the perimeter, improve edge-device hygiene, and plan for repeated reconstitution of hostile routing infrastructure.
- Volt Typhoon and Flax Typhoon are part of a broader pattern
- Covert networks support both espionage and pre-positioning
- Infrastructure sharing may blur group boundaries
- Commercial enablers can reduce operational cost
- Strategic defense must assume recurring reconstitution
Why Traditional Defenses Fall Short
The advisory makes a strong case that older network-defense assumptions are breaking down. Static IP blocklists, once useful against fixed infrastructure, are far less effective when adversary traffic can emerge from hundreds of thousands of compromised nodes that change over time. In that environment, the defender is always behind if their controls are too brittle.
The IOC extinction problem
“IOC extinction” is the phrase that should ring loudest for many security teams. An indicator that is valid today may be useless tomorrow because the node is patched, removed, or replaced by another compromised device. That means analysts need to prioritize behavior, traffic patterns, certificates, banners, and upstream mapping instead of relying too heavily on any single list of bad IPs.
The advisory’s recommendation to use NetFlow and map upstream to new nodes is a good example of this shift. Rather than waiting for a known bad address to appear, defenders can trace traffic relationships, identify clusters of suspicious infrastructure, and look for shared attributes across nodes. This is a more resilient model because it focuses on the network’s structure, not just one endpoint on it.
There is also a detection-rate problem. If some covert-network nodes are used by legitimate customers as well, overly aggressive blocking can create collateral damage and reduce confidence in the security team. The defensive goal is not to block everything unusual, but to distinguish benign churn from malicious orchestration. That is a harder job, and it requires better telemetry.
The edge-device blind spot
Many organizations still treat SOHO routers, smart devices, and peripheral network gear as low-priority assets. The advisory effectively argues that this is no longer defensible. If the edge becomes the ingress path for strategic adversary traffic, then edge inventory, patching, segmentation, and logging become enterprise-critical disciplines rather than housekeeping.
This is especially true where organizations rely on third-party systems with onward access to core networks. The NCSC specifically warns defenders to pay attention to these entry points and to disable remote access from third parties during incidents until systems are verified clean. That advice reflects a more realistic view of modern trust boundaries: the edge is no longer the edge once it can reach the center.
- Blocklists decay faster than covert networks evolve
- Traffic relationships matter more than single indicators
- Edge inventory is now a security control
- Third-party access paths increase risk materially
- Telemetry quality determines defensive success
Protective Advice for Smaller Organizations
The advisory recognizes that not every organization can run a sophisticated threat-hunting operation. For smaller teams, the emphasis is on practical, high-return controls: patching, segmentation, strong passwords, disabling unused services, and keeping devices updated. These are not glamorous fixes, but they stop a lot of compromise at the source.
Baseline hardening that still works
The FBI’s 2024 guidance remains highly relevant here. It recommends disabling unused services and ports such as automatic configuration, remote access, and file sharing protocols; segmenting IoT devices; monitoring traffic volume; applying firmware updates; replacing default passwords; and planning for device reboots. The fact that these basics still matter underscores how often botnets succeed through ordinary misconfiguration rather than exotic zero-days.
The NCSC’s 2026 appendix aligns closely with that advice. It emphasizes keeping devices up to date, preventing lateral movement, building logging capability, using modern supported platforms, restricting intruders’ ability to move freely, and deploying host-based intrusion detection where appropriate. In other words, the defensive answer is layered resilience, not a single silver bullet.
For smaller organizations, the most realistic improvement may be inventory discipline. If you do not know what SOHO gear, smart devices, or remote-access appliances exist on your network, you cannot patch, segment, or monitor them properly. Visibility is a control, not just a convenience.
A practical starter checklist
- Identify all edge devices and confirm whether they are still supported.
- Change default credentials and remove unnecessary accounts or services.
- Apply firmware and software updates on a regular schedule.
- Segment IoT and guest devices away from core business systems.
- Monitor for unusual traffic spikes and unexpected outbound connections.
- Plan reboot and recovery procedures for compromised devices.
- Document third-party remote access paths and restrict them during incidents.
- Inventory is the first defense
- Firmware patching remains essential
- Default credentials are still a major failure point
- Segmentation limits blast radius
- Reboots can disrupt some malware families
- Traffic monitoring should be routine, not reactive
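The checklist item “monitor for unusual traffic spikes and unexpected outbound connections” worked through as an added Python example; this is illustration code, not anything from the NCSC advisory or the FBI guidance. The daily per-device outbound summaries, device names and destination addresses are constructed for the example, and a real deployment would build the same rows from router or firewall flow logs. It baselines each edge device over a week, then flags a day whose outbound volume clears the baseline by a margin or that contains destinations the device has never talked to; a compromised camera pressed into service as a relay trips both.

```python
from collections import defaultdict
from statistics import mean, pstdev


def constructed_summaries():
    """Constructed daily outbound summaries: (device, day, dst_ip, dst_port, bytes).
    Days 1-7 are the quiet baseline; on day 8 the camera starts relaying."""
    rows = []
    for day in range(1, 8):
        rows.append(("cam-01", day, "203.0.113.50", 443, 2_000_000 + 50_000 * (day % 3)))
        rows.append(("router-01", day, "203.0.113.60", 443, 500_000_000 + 20_000_000 * (day % 2)))
        rows.append(("printer-01", day, "203.0.113.70", 443, 1_000_000))
    rows += [
        ("cam-01", 8, "203.0.113.50", 443, 2_050_000),
        ("cam-01", 8, "198.51.100.20", 8443, 45_000_000),   # relay traffic, never seen before
        ("router-01", 8, "203.0.113.60", 443, 520_000_000),
        ("printer-01", 8, "203.0.113.70", 443, 1_000_000),
        ("printer-01", 8, "203.0.113.71", 443, 600_000),    # new destination, normal volume
    ]
    return rows


def build_baseline(rows, baseline_days):
    """Per device: daily outbound byte totals and the (dst, port) pairs seen
    during the baseline window."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for device, day, dst, port, nbytes in rows:
        if day in baseline_days:
            daily[device][day] += nbytes
            dests[device].add((dst, port))
    return {dev: {"daily": list(daily[dev].values()), "dests": dests[dev]} for dev in daily}


def volume_threshold(daily):
    """mean + 3 sigma, but never below 2x the mean: a device whose baseline is
    perfectly flat (sigma = 0) would otherwise alert on any change at all."""
    return max(mean(daily) + 3 * pstdev(daily), 2 * mean(daily))


def find_anomalies(rows, baseline_days, day):
    """Findings for one day: volume spikes, new destinations, or both."""
    base = build_baseline(rows, baseline_days)
    today_bytes, today_dests = defaultdict(int), defaultdict(set)
    for device, d, dst, port, nbytes in rows:
        if d == day:
            today_bytes[device] += nbytes
            today_dests[device].add((dst, port))
    findings = []
    for device in sorted(today_bytes):
        if device not in base:   # no history: cannot judge, but must not be silent
            findings.append({"device": device, "spike": False,
                             "new_destinations": sorted(today_dests[device]),
                             "severity": "unbaselined"})
            continue
        spike = today_bytes[device] > volume_threshold(base[device]["daily"])
        new = sorted(today_dests[device] - base[device]["dests"])
        if not spike and not new:
            continue
        severity = "high" if (spike and new) else ("medium" if spike else "low")
        findings.append({"device": device, "spike": spike, "new_destinations": new,
                         "severity": severity, "bytes_out": today_bytes[device]})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(constructed_summaries(), range(1, 8), 8):
        print(finding)
```

The printer case is the one worth keeping in mind: a single new destination at normal volume is a review item, not an incident, and the 2x floor in the threshold is what stops a device with a perfectly flat baseline from alerting on a few hundred kilobytes.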
Protective Advice for Large and High-Risk Organizations
The advisory is especially direct for the largest or most at-risk organizations. It recommends active hunting for connections from IPs likely to belong to covert networks, tracking reported covert networks via banners and certificates, implementing dynamic blocklists, and using NetFlow feeds to map upstream nodes. That is a more mature, intelligence-led posture than simply waiting for alerts to fire.
Threat hunting at the edge
For critical infrastructure, the NCSC points defenders to the Cyber Assessment Framework, which is designed for organizations under the highest levels of threat. That is an important signal that this advisory is not just about general best practice; it is about resilience in sectors where disruption, espionage, or pre-positioning could have national consequences.
The recommendation to look at banners and certificates is particularly useful. Covert networks may rotate IPs, but operational tooling often leaves fingerprints in service banners, TLS material, and node behavior. When those artifacts are correlated with network flows, defenders can often spot a hostile mesh even when individual addresses keep changing.
This approach also aligns with modern detection engineering. Rather than writing one rule to catch one bad endpoint, teams should write detections for the patterns that a class of infrastructure tends to exhibit. That can include timing, handshake behavior, certificate reuse, uncommon geographies, and sudden connectivity from low-trust consumer networks into high-value assets.
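The hunting workflow described in this section and in the IOC extinction discussion above (pivot on certificates and banners, map upstream with NetFlow, then search for hits), as an added Python example. This is illustration code written for this page, not tooling from the advisory or any of the agencies behind it. The scan observations, flow records, relay port, certificate fingerprints and the protected asset 10.0.0.5 are all constructed. What it demonstrates is the order of operations a hunter wants: expand a seed of reported node IPs by TLS certificate reuse (a strong link, since a fleet presenting the same operator-installed certificate is under one control), walk upstream through flow records to find traversal nodes that share nothing but a peer, keep banner overlap as a review queue rather than an expansion rule, and only then query your own flows for hits against protected assets.

```python
from collections import defaultdict

# Constructed service-scan observations of internet-facing edge devices.
# "cert" stands for the SHA-256 fingerprint of the TLS leaf certificate the
# device presents on its management port; the values are invented.
SCANS = [
    {"ip": "198.51.100.10", "banner": "RomPager/4.07 UPnP/1.0", "cert": "c0ffee01"},
    {"ip": "198.51.100.11", "banner": "RomPager/4.07 UPnP/1.0", "cert": "c0ffee01"},
    {"ip": "203.0.113.5",   "banner": "RomPager/4.07 UPnP/1.0", "cert": "c0ffee01"},
    {"ip": "192.0.2.77",    "banner": "lighttpd/1.4.35",        "cert": "c0ffee01"},
    {"ip": "203.0.113.9",   "banner": "nginx/1.18.0",           "cert": "deadbeef"},
    {"ip": "192.0.2.200",   "banner": "RomPager/4.07 UPnP/1.0", "cert": "0badcafe"},
]

# Constructed flow records: (src, dst, dst_port, bytes). The first group is the
# victim's own NetFlow; the rest is an upstream feed (ISP or partner) showing
# who connects to the suspected exit nodes on their relay port.
RELAY_PORT = 8443
FLOWS = [
    ("198.51.100.10", "10.0.0.5", 443, 120_000),
    ("203.0.113.5",   "10.0.0.5", 443,  98_000),
    ("192.0.2.200",   "10.0.0.5", 443,   4_000),     # ordinary customer, same banner
    ("10.0.0.5", "198.51.100.10", 443, 300_000),     # return traffic
    ("198.51.100.11", "198.51.100.10", RELAY_PORT, 150_000),
    ("192.0.2.77",    "203.0.113.5",   RELAY_PORT, 110_000),
    ("203.0.113.9",   "192.0.2.77",    RELAY_PORT,  90_000),
]
PROTECTED_ASSETS = {"10.0.0.5"}   # the VPN concentrator (constructed)


def expand_by_certificate(seed, scans):
    """Grow the node set by TLS certificate fingerprint reuse (strong link)."""
    by_cert = defaultdict(set)
    for obs in scans:
        by_cert[obs["cert"]].add(obs["ip"])
    nodes = set(seed)
    for cert in {obs["cert"] for obs in scans if obs["ip"] in seed}:
        nodes |= by_cert[cert]
    return nodes


def banner_matches(nodes, scans):
    """Banner overlap is a weak signal (millions of devices share a firmware
    banner), so it is returned for analyst review, never used to expand."""
    node_banners = {obs["banner"] for obs in scans if obs["ip"] in nodes}
    return {obs["ip"] for obs in scans
            if obs["ip"] not in nodes and obs["banner"] in node_banners}


def map_upstream(nodes, flows, relay_port, protected, max_hops=5):
    """Walk upstream: a host that talks to a known node on the relay port is a
    candidate traversal node. Own assets are never admitted, so return traffic
    cannot turn the victim into a 'node'; the hop cap bounds the walk."""
    nodes = set(nodes)
    for _ in range(max_hops):
        new = {src for src, dst, port, _ in flows
               if dst in nodes and port == relay_port
               and src not in nodes and src not in protected}
        if not new:
            break
        nodes |= new
    return nodes


def hunt(flows, nodes, protected):
    """Flows from covert-network nodes into protected assets, largest first."""
    hits = [(src, dst, nbytes) for src, dst, _, nbytes in flows
            if src in nodes and dst in protected]
    return sorted(hits, key=lambda h: -h[2])


def run_pivot(seed):
    nodes = expand_by_certificate(seed, SCANS)
    nodes = map_upstream(nodes, FLOWS, RELAY_PORT, PROTECTED_ASSETS)
    return {"nodes": nodes,
            "review": banner_matches(nodes, SCANS),
            "hits": hunt(FLOWS, nodes, PROTECTED_ASSETS)}


if __name__ == "__main__":
    for key, value in run_pivot({"198.51.100.10"}).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

Starting from a single reported node, the certificate pivot finds three siblings, the upstream walk adds a fourth (203.0.113.9) that presents a different certificate and would never be found by fingerprint alone, and the customer at 192.0.2.200, which shares only a banner, lands in the review queue rather than the block decision. In production the scan table comes from an internet-scan service and the flows from NetFlow or IPFIX exports; keep the hop cap and the own-asset exclusion, because a relay port that coincides with ordinary HTTPS would otherwise pull most of the internet into the node set.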
Why dynamic filtering is different
Dynamic threat-feed filtering is not just a fancier version of blocking. It is a process for continuously ingesting intelligence, cross-checking it against local observations, and adjusting controls as the infrastructure changes. That requires automation, governance, and a willingness to revisit assumptions often. It is operationally demanding, but the alternative is to freeze controls around stale intelligence.
Large organizations should also pay special attention to upstream and downstream relationships. If one branch office, supplier, or remote-access appliance is participating in suspicious routing patterns, the question is not only whether that node is malicious. It is whether the broader trust chain has been poisoned by compromise elsewhere.
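The lifecycle that separates dynamic filtering from a static blocklist, as an added Python example written for this page rather than anything from the advisory. Indicator sources, TTLs, confidence values, the feed entries and the local flows are all constructed. The mechanics are the point: every indicator carries an expiry that only re-sighting by its source or corroboration in local telemetry extends, a node flagged as shared with legitimate customers is never blocked on feed reputation alone (the collateral-damage caveat above), and expiry is enforced by the system instead of left to an analyst’s memory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Lifetime an indicator keeps without being re-sighted by its source, and the
# extension it earns when our own telemetry corroborates it. Constructed values.
TTL_BY_SOURCE = {"partner_feed": timedelta(days=3), "local_hunt": timedelta(days=7)}
CORROBORATION_BONUS = timedelta(days=7)
BLOCK_AT, MONITOR_AT = 80, 50          # score thresholds on a 0..100 scale


@dataclass
class Indicator:
    ip: str
    source: str
    confidence: int        # 0..100 as reported by the source
    shared: bool           # node also serves legitimate customers
    first_seen: datetime
    last_seen: datetime
    local_hits: int = 0

    def expires_at(self):
        ttl = TTL_BY_SOURCE[self.source]
        if self.local_hits:
            ttl += CORROBORATION_BONUS
        return self.last_seen + ttl

    def score(self):
        return min(100, self.confidence + 20 * min(self.local_hits, 2))


class DynamicBlocklist:
    def __init__(self):
        self.entries = {}

    def ingest(self, feed, now):
        """Merge a feed pull: a re-sighted indicator has its clock reset."""
        for item in feed:
            cur = self.entries.get(item["ip"])
            if cur is None:
                self.entries[item["ip"]] = Indicator(item["ip"], item["source"],
                                                     item["confidence"], item["shared"], now, now)
            else:
                cur.last_seen = now
                cur.confidence = max(cur.confidence, item["confidence"])
                cur.shared = cur.shared or item["shared"]

    def corroborate(self, flows, protected, now):
        """Cross-check against local flows: a feed IP that actually reaches a
        protected asset earns a higher score and a longer life."""
        for src, dst in flows:
            ind = self.entries.get(src)
            if ind is not None and dst in protected:
                ind.local_hits += 1
                ind.last_seen = now

    def expire(self, now):
        """IOC extinction, enforced: drop everything past its TTL and report it."""
        dead = sorted(ip for ip, ind in self.entries.items() if ind.expires_at() <= now)
        for ip in dead:
            del self.entries[ip]
        return dead

    def action(self, ip):
        ind = self.entries.get(ip)
        if ind is None:
            return "allow"
        score = ind.score()
        # Shared infrastructure is never blocked on reputation alone; only
        # local corroboration justifies the collateral damage.
        if ind.shared and not ind.local_hits:
            score = min(score, BLOCK_AT - 1)
        return "block" if score >= BLOCK_AT else "monitor" if score >= MONITOR_AT else "allow"

    def actions(self):
        return {ip: self.action(ip) for ip in sorted(self.entries)}


# Constructed feed pull and local telemetry.
FEED = [
    {"ip": "198.51.100.10", "source": "partner_feed", "confidence": 90, "shared": False},
    {"ip": "203.0.113.5",   "source": "partner_feed", "confidence": 90, "shared": True},
    {"ip": "192.0.2.77",    "source": "partner_feed", "confidence": 60, "shared": False},
    {"ip": "192.0.2.9",     "source": "partner_feed", "confidence": 30, "shared": False},
]
LOCAL_FLOWS = [("203.0.113.5", "10.0.0.5"), ("192.0.2.77", "10.0.0.5"), ("192.0.2.9", "10.0.0.250")]
PROTECTED = {"10.0.0.5"}


def demo_timeline():
    """Ingest on day 0, corroborate on day 1, expire on day 4; return each state."""
    t0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
    bl = DynamicBlocklist()
    bl.ingest(FEED, t0)
    day0 = bl.actions()
    bl.corroborate(LOCAL_FLOWS, PROTECTED, t0 + timedelta(days=1))
    day1 = bl.actions()
    expired = bl.expire(t0 + timedelta(days=4))
    return {"day0": day0, "day1": day1, "expired": expired, "day4": bl.actions()}


if __name__ == "__main__":
    for stage, result in demo_timeline().items():
        print(stage, result)
```

Two things in the timeline are the ones a practitioner should notice. The high-confidence indicator 198.51.100.10 is blocked on day 0 and gone by day 4, because nothing re-sighted it and it never touched a protected asset; that is IOC extinction handled by process rather than by hoping someone prunes the list. The shared node 203.0.113.5 starts as monitor-only despite a confidence of 90, and only moves to block once local flows show it reaching the VPN concentrator.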
- Hunt for patterns, not just addresses
- Use certificates and banners as attribution aids
- Feed NetFlow into upstream mapping workflows
- Treat edge logs as strategic telemetry
- Adjust blocklists dynamically
- Use sector-specific resilience frameworks where applicable
Enterprise vs Consumer Impact
The advisory is aimed at cyber security professionals, but the underlying risk is broader than any one audience. Enterprises face espionage, persistence, and operational disruption, while consumers and small offices face quieter but still serious risks from compromised home routers, cameras, and internet-connected appliances. Both groups are part of the same compromised-device ecosystem.
The enterprise angle
For enterprises, the real issue is trust boundary collapse. If compromised consumer devices are used to route attacks into corporate environments, then source IP reputation becomes a weak proxy for risk. Security teams need to look at edge exposure, remote access architecture, and the extent to which third-party or unmanaged devices can bridge into critical business systems.
Critical infrastructure operators have even more at stake. The advisory specifically notes use against critical national infrastructure, which means covert networks can support operations that are not purely about data theft. They may also enable long-term positioning for disruption, sabotage, or coercive leverage. That raises the stakes from ordinary intrusion to strategic national-security risk.
Enterprises should also think about incident duration. Once attackers rely on a mesh of compromised nodes, containment can take longer because the infrastructure itself is fluid. That means playbooks need to include longer observation windows, multi-source correlation, and a plan for repeated reappearance of the same operational patterns under new IPs.
The consumer and small-office angle
For consumers and small offices, the danger is often invisible. A router or camera can be compromised without obvious performance degradation, then quietly used as a relay for malicious traffic or a launching point for further attacks. That makes patching and device replacement more important than many users realize, especially for obsolete equipment that no longer receives updates.
The FBI’s earlier botnet advisory made clear that the problem is not limited to end-of-life devices. Even supported devices can be abused if credentials are weak, services are exposed, or firmware is not maintained. The practical lesson is that support status helps, but configuration still matters.
- Enterprises must protect trust boundaries
- Critical infrastructure faces pre-positioning risk
- Consumers often cannot see compromise directly
- Obsolete routers and cameras are high-value targets
- Supported devices are not automatically safe
Strengths and Opportunities
The good news is that the advisory is unusually actionable. It does not merely warn about a threat trend; it explains the architecture, names the problem with current defenses, and gives concrete steps for both small and large organizations. That combination should make it easier for security teams to justify spending time on edge-device hygiene and traffic analysis rather than treating them as low-value chores.
- Clear strategic framing of how covert networks are changing China-nexus tradecraft
- Useful general topology model that helps defenders reason about unfamiliar infrastructure
- Strong emphasis on dynamic detection rather than stale blocklists
- Balanced advice for both small organizations and large enterprises
- Cross-agency alignment that should improve intelligence sharing
- Practical hardening steps that map to existing operational controls
- Better prioritization of edge-device security as a board-level issue
Risks and Concerns
The biggest concern is that covert-network tradecraft is inherently resilient. Even when defenders succeed in identifying one network, the underlying model can re-form through new devices, new nodes, and new geographies. That means the defensive burden is continuous, and organizations with limited staffing may struggle to keep pace.
- Infrastructure churn can outpace human response
- Static defenses lose value quickly
- False positives may rise when legitimate traffic shares characteristics with malicious nodes
- Edge-device visibility is often poor in real-world networks
- Legacy hardware can remain exposed for years
- Attribution may be complicated by shared infrastructure
- Resource constraints may leave smaller defenders behind
A final concern is operational fatigue. Dynamic filtering, threat-feed tuning, and continuous hunting can create alert overload if not well managed, and short-lived relay IPs make especially poor indicators because they age out almost as soon as they are shared. Security teams will need careful prioritization so they do not drown in low-value indicators while missing the behavioral evidence that matters most.
Looking Ahead
The next phase of this story will likely be defined by two competing pressures: attackers will keep exploiting disposable infrastructure at scale, while defenders will keep pushing more telemetry, automation, and coordinated takedowns into the edge. That is a healthy contest if organizations invest in visibility and resilience now. It is a dangerous one if they assume the old perimeter model still works.
The biggest operational question is whether enterprises can evolve fast enough to make edge-device security routine. If SOHO routers, remote-access appliances, and smart devices remain unmanaged or under-monitored, then the adversary will keep finding cheap relay infrastructure. If organizations finally bring those assets under the same discipline they apply to endpoints and servers, the economics of covert-network abuse get harder.
- Expect more advisory updates as covert networks continue to evolve
- Watch for vendor-side hardening of routers, IoT gear, and remote-access appliances
- Look for stronger intelligence sharing around banners, certificates, and node behavior
- Monitor whether dynamic blocklists become mainstream in enterprise SOCs
- Track how critical infrastructure operators adapt to pre-positioning risks
Source: CISA, Defending Against China-Nexus Covert Networks of Compromised Devices