securityaffairs.com 4/24/2026, 8:08:25 AM

UK NCSC Alerts on China Linked Botnet Using Hijacked Devices

Primary Source ncsc.gov.uk

The UK National Cyber Security Centre (NCSC) and partners warn that China-linked threat actors are now using large proxy networks built from hijacked consumer devices to route attacks and mask their identity, replacing smaller infrastructure with vast botnets. These networks span routers, cameras, video recorders and NAS systems, letting operations blend with normal traffic and evade detection across the full Cyber Kill Chain, from reconnaissance to data theft.

The advisory notes that covert networks are constantly refreshed and shared across multiple threat groups, making static defences less effective and creating what defenders call IOC extinction. Federal Bureau of Investigation reports describe large China-linked botnets used for state-aligned cyber activity, such as Raptor Train, which dates back to May 2020 and peaked at 60,000 compromised devices in June 2023; more than 200,000 devices have been compromised since May 2020.

Guidance from the NCSC and partners recommends organisations map internet-facing assets, baseline traffic from edge devices, and employ dynamic threat feeds, two-factor authentication for remote access, zero-trust controls, and machine certificate verification to tighten resilience against these covert networks.


Article by CyberSIXT