www.cisa.gov 4/23/2026, 12:10:45 PM

UK NCSC warns of China-linked botnet using 200k compromised devices

The advisory "Defending Against China-Nexus Covert Networks of Compromised Devices" explains the growing use by China-nexus actors of large-scale networks of compromised devices, or botnets, to route cyber activity. These covert networks are primarily built from compromised SOHO routers, IoT and smart devices, and have been used across multiple phases of the cyber kill chain, including reconnaissance, delivery, command and control, and data exfiltration.

The advisory notes that covert networks are often created and maintained by Chinese information security companies, with examples such as Raptor Train, which infected more than 200,000 devices in 2024 and was connected to Integrity Technology Group and to Flax Typhoon. It highlights that these networks can be used by multiple actors and that old network defence paradigms like static IP blocklists are less effective due to the networks' dynamic nature.

According to the National Cyber Security Centre (NCSC-UK), the guidance also offers protective steps for organisations, including mapping edge devices, baselining VPN activity, leveraging dynamic threat feeds, implementing multifactor authentication for remote connections, and considering action to reduce internet-facing exposure. The advisory was released on 23 April 2026.

Article by CyberSIXT