China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
China-nexus threat actors are industrializing covert botnet infrastructure, expanding deniable reconnaissance, malware delivery, and data exfiltration against US organizations. The shift matters because shared pools of compromised SOHO routers and IoT devices make attribution harder and scale operations across multiple groups. The model also increases resilience by letting maintainers refresh or swap nodes as devices are patched or removed.
Related Happenings
CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182
Public Sector Action
First: 15.05.2026 08:28
Last: 15.05.2026 08:28
Sources 1
About this happening:
**CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...
FCC extends router update waiver for deployed routers
Public Sector Action
First: 12.05.2026 00:15
Last: 12.05.2026 00:15
Sources 1
About this happening:
The **FCC** eased its restrictions on **foreign-made consumer routers** and extended the update waiver for already deployed devices in the **US** through **January 2029**. The mov...
China-nexus hijacked-device proxy network campaign
Campaign
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
How related:
Evidence suggests that Chinese information security companies are systematically creating and maintaining many of these botnets, which are often composed of small office and home office (SOHO) routers.
About this happening:
China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
How related:
This week, the UK's National Cyber Security Centre (NCSC-UK), in concert with cybersecurity agencies in the US and other countries, warned of China-nexus threat actors increasingly using covert networks of compromised routers, IoT, and smart devices to facilitate attacks against US organizations.
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
CISA and NCSC-UK China-nexus covert device networks advisory
Advisory/Mitigation
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
**CISA** and **NCSC-UK** released a new advisory warning organizations about **Chinese government-linked** covert networks built from **compromised devices**. The guidance says we...
Timeline
23.04.2026 23:52 · 2 articles
NCSC-UK warns of China-nexus botnet industrialization
Initial Disclosure: The UK's National Cyber Security Centre (NCSC-UK) and partner agencies in the US and other countries warned that China-nexus threat actors are using covert botnets built from compromised routers, IoT devices, smart devices, and other vulnerable edge technologies to support reconnaissance, malware communication, and data exfiltration against US organizations. The advisory says groups such as Flax Typhoon and Volt Typhoon are using shared infrastructure at a scale that can include hundreds of thousands of endpoints, which makes attribution difficult and renders static malicious IP blocks less effective. Organizations are urged to inventory edge devices, baseline normal connections, and consider geographic IP allow lists and zero-trust policies.
Show sources
- China-Backed Hackers Are Industrializing Botnets — www.darkreading.com — 23.04.2026 23:52