China-nexus hijacked-device proxy network campaign

Campaign
Happening score: 39
2 unique sources, 2 articles

Summary

China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection, making malicious traffic harder to trace and block. The infrastructure draws on SOHO routers, IoT devices, cameras, video recorders, and NAS equipment. Traffic is routed through chained intermediate nodes, allowing exits near intended targets and reducing the value of static IP blocking. The pattern is broad and ongoing, with multiple covert networks being created and updated across groups.

Related Happenings

China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations

Threat Actor Meta
First: 23.04.2026 23:52 Last: 23.04.2026 23:52 Sources 1

How related: Evidence suggests that Chinese information security companies are systematically creating and maintaining many of these botnets, which are often composed of small office and home office (SOHO) routers.

About this happening: **China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

How related: This week, the UK's National Cyber Security Centre (NCSC-UK), in concert with cybersecurity agencies in the US and other countries, warned of China-nexus threat actors increasingly using covert networks of compromised routers, IoT, and smart devices to facilitate attacks against US organizations.

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

CISA and NCSC-UK China-nexus covert device networks advisory

Advisory/Mitigation
First: 23.04.2026 15:00 Last: 23.04.2026 15:00 Sources 1

About this happening: **CISA** and **NCSC-UK** released a new advisory warning organizations about **Chinese government-linked** covert networks built from **compromised devices**. The guidance says we...

Internet-exposed Rockwell Automation/Allen-Bradley PLCs concentrated in the United States

Target Trend
First: 10.04.2026 18:52 Last: 10.04.2026 18:52 Sources 1

About this happening: A measured exposure pattern shows **5,219** internet-facing **Rockwell Automation/Allen-Bradley** PLC hosts worldwide, expanding the attack surface for **industrial control** netw...

Forest Blizzard DNS hijacking token-theft campaign against older routers

Campaign
First: 07.04.2026 20:02 Last: 07.04.2026 20:02 Sources 1

About this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...

Timeline

  1. 23.04.2026 15:28 2 articles · 1mo ago

    NCSC-UK warns on China-nexus proxy networks

    Initial Disclosure

    NCSC-UK and international partners warn that China-nexus hackers are increasingly using large-scale proxy networks built from hijacked consumer devices, including compromised SOHO routers, IoT and smart devices, cameras, video recorders, and NAS equipment, to route traffic through chained nodes and evade geographic detection. The advisory also recommends multifactor authentication, network-edge mapping, dynamic threat feeds, IP allowlists, zero-trust controls, and machine certificate verification.
