CISA, the UK NCSC, FBI, NSA, and nine additional allied agencies published joint advisory AA26-113A on April 23, 2026, detailing a documented shift in how China-nexus threat actors conduct cyber operations: they are no longer relying on individually procured infrastructure, and are instead weaponizing large botnets of compromised SOHO routers, IoT devices, network firewalls, and NAS systems to route espionage operations against critical infrastructure worldwide. The groups named in the advisory include Volt Typhoon, Salt Typhoon, and Flax Typhoon. If you manage network perimeter devices — routers, firewalls, cameras, NAS — and have not reviewed your exposure, this advisory is directed at you.
China-Nexus Covert Networks: What We Know So Far
The advisory describes a structural change in Chinese state-sponsored hacking operations. Rather than registering VPSes or using dedicated attack infrastructure, these actors are building what the agencies call “covert networks” — dynamic pools of compromised edge devices owned by third parties, including small businesses, home offices, and industrial operators. The devices act as relay nodes, masking the actors’ true origin and making attribution significantly harder for defenders and incident responders.
Three distinct threat clusters are highlighted:
Volt Typhoon used the KV Botnet, constructed primarily from end-of-life Cisco and Netgear routers that were no longer receiving security patches. The group used these nodes to conduct long-term, low-and-slow intrusions into U.S. critical infrastructure, including energy, water, and transportation sectors.
Flax Typhoon operated the Raptor Train botnet, which at its peak infected over 200,000 devices globally. Raptor Train was controlled by a Chinese company called Integrity Technology Group and consisted of SOHO routers, IP cameras, video recorders, firewalls, and NAS appliances. The FBI disrupted Raptor Train in a 2024 court-authorized operation, but the advisory confirms the underlying TTP — compromising consumer and business edge devices for use as relay infrastructure — has continued and expanded under multiple actors.
Salt Typhoon targeted backbone telecommunications infrastructure, using compromised telco provider equipment to establish persistent, covert access to sensitive communications.
These covert networks are used across the entire cyber kill chain: reconnaissance, malware delivery, command-and-control communication, and data exfiltration. The advisory notes that because these botnets rotate IP addresses and reuse infrastructure across multiple actors, traffic originating from them can appear indistinguishable from legitimate user activity, especially in environments that lack behavioral baselines.
The advisory is co-signed by the cybersecurity agencies of the UK, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden — a list that underscores this is not a U.S.-centric concern. Critical infrastructure operators across all of these jurisdictions are considered targets.
Why China-Nexus Covert Networks Matter
The key operational impact for defenders is attribution complexity. When an attacker’s traffic flows through a compromised residential router in your city, traditional IP-based blocklists and geolocation controls offer essentially no protection. The malicious traffic originates from a legitimate-looking IP address with no prior threat intelligence association.
This approach also degrades the value of standard network detection signatures. Traffic to and from a compromised Hikvision camera or a Netgear R7000 used as a relay looks like ordinary device traffic. Without behavioral analytics — specifically, detecting anomalous volumes, unusual external connection patterns, or unexpected protocol use from edge devices — these relay chains are difficult to spot.
For organizations with operational technology (OT) or industrial control systems (ICS) environments, the risk is compounded: OT networks often contain legacy devices that cannot be patched, creating a persistent reservoir of potential botnet candidates that are adjacent to high-value process systems.
China-Nexus Covert Networks: What You Should Do Now
- Audit and inventory all network edge devices. Enumerate every router, firewall, NAS device, IP camera, and IoT appliance connected to your environment. Include devices on guest networks and OT segments. If you cannot account for a device’s firmware version and manufacturer support status, treat it as a risk.
- Replace or isolate end-of-life network devices immediately. The KV Botnet was built almost entirely from routers no longer receiving patches. Check manufacturer support status for all edge devices. Cisco and Netgear both maintain published EoL lists. If a device is EoL and internet-facing, prioritize replacement.
- Apply all available firmware updates to internet-facing devices. Run this check against your device inventory: confirm current firmware, compare against the manufacturer’s latest release, and apply updates. For IoT devices without an automatic update mechanism, establish a manual patch schedule — at minimum quarterly.
- Change all default credentials on every network device. Flax Typhoon’s Raptor Train botnet exploited default or weak credentials as a primary initial access vector. Run a credential audit across all devices managed via web interfaces or SSH. Replace default passwords with unique, strong credentials and store them in a secrets manager.
- Segment IoT and OT devices onto isolated VLANs. IoT devices — cameras, recorders, smart appliances — should have no lateral access to corporate networks. Apply strict firewall rules so that these devices can only communicate with their intended destinations (e.g., a camera system server), not with arbitrary internet IPs or internal workstations.
- Baseline and monitor outbound traffic from edge devices. Deploy flow monitoring (NetFlow, sFlow, or equivalent) and alert on anomalous outbound connections from infrastructure devices. A router that begins establishing outbound connections to cloud storage endpoints or unknown IPs in unusual volumes is a meaningful indicator.
- Enable logging on all perimeter devices and forward logs to a SIEM. The advisory specifically calls out log collection as a key defensive capability. Without perimeter device logs, detecting covert relay activity is functionally impossible after the fact.
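The outbound-traffic baselining step above is the one most teams leave abstract. The following is an added illustration (not code from the advisory or from any vendor tool) of the minimal logic: learn, per edge device, which destinations it normally talks to and how much it sends, then flag flows to destinations never seen before, volume spikes to known ones, and devices that have no baseline at all. The flow records, device names and the "internal" address ranges are constructed for the example; a real deployment would feed it exported NetFlow/sFlow records aggregated per day rather than per flow.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space we treat as "inside"; any other destination counts as external (assumed ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records, not captured traffic: (device, dst_ip, dst_port, bytes)
BASELINE_FLOWS = [
    ("cam-lobby", "10.0.20.5", 554, 4_000_000),
    ("cam-lobby", "10.0.20.5", 554, 4_200_000),
    ("cam-lobby", "10.0.20.5", 554, 3_900_000),
    ("rtr-branch1", "203.0.113.10", 443, 120_000),
    ("rtr-branch1", "203.0.113.10", 123, 2_000),
    ("rtr-branch1", "203.0.113.10", 443, 110_000),
]
NEW_FLOWS = [
    ("cam-lobby", "10.0.20.5", 554, 4_100_000),       # normal camera-to-recorder stream
    ("cam-lobby", "198.51.100.7", 443, 30_000_000),   # camera pushing data to an unknown host
    ("rtr-branch1", "203.0.113.10", 443, 115_000),    # normal
    ("rtr-branch1", "203.0.113.10", 443, 900_000),    # known destination, far above baseline
    ("rtr-branch1", "192.0.2.44", 8443, 1_500),       # new destination, tiny volume
    ("nas-lab", "10.0.30.9", 445, 10_000),            # device absent from the baseline
]

def is_external(dst):
    return not any(ip_address(dst) in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Per device: the set of (dst, port) pairs seen and the mean bytes per flow."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for dev, dst, port, nbytes in flows:
        dests[dev].add((dst, port))
        sizes[dev].append(nbytes)
    return {dev: {"dests": dests[dev], "mean_bytes": sum(sizes[dev]) / len(sizes[dev])}
            for dev in dests}

def detect(flows, baseline, volume_factor=3.0):
    """Alert on destinations never seen in the baseline, or volume spikes to known ones."""
    alerts = []
    for dev, dst, port, nbytes in flows:
        known = baseline.get(dev)
        if known is None:
            alerts.append((dev, dst, port, "no baseline for device"))
        elif (dst, port) not in known["dests"]:
            where = "external" if is_external(dst) else "internal"
            alerts.append((dev, dst, port, f"new {where} destination"))
        elif nbytes > volume_factor * known["mean_bytes"]:
            alerts.append((dev, dst, port, "volume spike"))
    return alerts
```

Note that the tiny 1,500-byte flow to a new destination is alerted on just as loudly as the 30 MB one: for relay activity the new destination matters more than the byte count.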
Detection and Verification Checklist
Use the following checklist to assess your current exposure and confirm your defensive posture:
- Device inventory complete? All routers, firewalls, NAS, cameras, and IoT devices documented with model, firmware version, and EoL status.
- EoL devices identified? Cross-reference your inventory against manufacturer EoL lists. Flag any internet-facing EoL devices as critical risk.
- Default credentials changed? Verify via your secrets manager or direct login audit that no device retains factory default passwords.
- Firmware current? Compare installed firmware against manufacturer’s latest release for each device.
- Outbound traffic baselined? Do you have a flow-level baseline for what “normal” outbound traffic looks like from your edge devices?
- Logs flowing to SIEM? Confirm that syslog or equivalent is configured and actively forwarding from all perimeter devices.
- IoT/OT segmented? Verify VLAN assignments and firewall rules block lateral movement from IoT/OT segments.
- MFA on remote access? Confirm that all VPN and remote management interfaces require MFA.
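The inventory-related items of this checklist (EoL status, default credentials, firmware currency, log forwarding) lend themselves to automation once the inventory exists. Below is an added example, not code from the advisory or any vendor, that applies those rules to an inventory and orders devices worst-first so the EoL-and-internet-facing cases surface at the top. The device records, model labels and severity mapping are constructed for the example; the EoL and latest-firmware fields would come from the manufacturer's published lists in practice.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY = {"critical": 3, "high": 2, "medium": 1, "ok": 0}

@dataclass
class EdgeDevice:
    name: str
    model: str
    firmware: str
    latest_firmware: Optional[str]   # None = vendor support status could not be determined
    eol: bool
    internet_facing: bool
    default_creds: bool
    logs_to_siem: bool

def triage(dev: EdgeDevice) -> Tuple[str, List[str]]:
    """Apply the checklist rules to one device; return (worst severity, reasons)."""
    findings = []
    if dev.eol and dev.internet_facing:
        findings.append(("critical", "end-of-life and internet-facing"))
    elif dev.eol:
        findings.append(("high", "end-of-life (not internet-facing)"))
    if dev.default_creds:
        findings.append(("critical", "factory default credentials still set"))
    if dev.latest_firmware is None:
        findings.append(("high", "manufacturer support status unknown"))
    elif dev.firmware != dev.latest_firmware:
        findings.append(("high" if dev.internet_facing else "medium",
                         f"firmware {dev.firmware} behind latest {dev.latest_firmware}"))
    if not dev.logs_to_siem:
        findings.append(("medium", "no logs forwarded to SIEM"))
    if not findings:
        return "ok", []
    worst = max(findings, key=lambda f: SEVERITY[f[0]])[0]
    return worst, [reason for _, reason in findings]

def triage_inventory(devices: List[EdgeDevice]):
    """Triage every device and return (name, severity, reasons) rows, worst first."""
    rows = [(d.name, *triage(d)) for d in devices]
    return sorted(rows, key=lambda r: SEVERITY[r[1]], reverse=True)

# Constructed sample inventory; model names are placeholders, not statements about real products.
INVENTORY = [
    EdgeDevice("rtr-branch2", "router-A", "1.0.4", None, True, True, False, False),
    EdgeDevice("cam-dock", "camera-B", "5.7.1", "5.7.1", False, False, True, True),
    EdgeDevice("fw-hq", "firewall-C", "7.2.0", "7.2.3", False, True, False, True),
    EdgeDevice("nas-lab", "nas-D", "4.4.1", "4.4.1", False, False, False, True),
]
```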
Sources: CISA AA26-113A, CyberScoop Coverage, Security Boulevard, Industrial Cyber