NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
Summary
Hide ▲
Show ▼
NCSC-UK and partner agencies issued a joint advisory warning that China-nexus hackers are using hijacked consumer devices as covert proxy networks to hide malicious traffic. The warning spans SOHO routers, internet-connected cameras, video recorders, and NAS equipment across multiple countries. It matters because the networks help attackers evade detection and make static IP-based blocking less effective.
Related Happenings
Foreign-run botnets relaying traffic through infected Canadian devices
Malware Activity
H score22
First: 22.06.2026 12:11
Last: 22.06.2026 12:11
Sources 1
About this happening:
The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...
Foreign-run botnets relaying traffic through infected Canadian devices
Malware ActivityAbout this happening: The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...
AryStinger legacy-router reconnaissance and proxy network
Malware Activity
H score61
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger legacy-router reconnaissance and proxy network
Malware ActivityAbout this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
Campaign
H score72
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
AryStinger legacy-router and QNAP NAS reconnaissance campaign
CampaignAbout this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
CISA-led joint advisory to secure internet-exposed ATG systems
Public Sector Action
H score43
First: 05.06.2026 17:50
Last: 05.06.2026 17:50
Sources 1
About this happening:
On **2026-06-05**, **CISA**, the **FBI**, the **NSA**, the **Department of Energy**, and other U.S. partners issued a **joint advisory** telling **critical infrastructure organiza...
CISA-led joint advisory to secure internet-exposed ATG systems
Public Sector ActionAbout this happening: On **2026-06-05**, **CISA**, the **FBI**, the **NSA**, the **Department of Energy**, and other U.S. partners issued a **joint advisory** telling **critical infrastructure organiza...
Timeline
-
23.04.2026 15:28 2 articles · 2mo ago
NCSC-UK joint advisory warns of hijacked-device proxy networks
Industry Or Public Sector UpdateOn 2026-04-23, NCSC-UK and partner agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden issued a joint advisory warning that China-nexus hackers are increasingly using large-scale proxy networks built from hijacked consumer devices, including compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) and smart devices, video recorders, and network-attached storage (NAS) equipment, to route traffic through multiple nodes and evade geographic detection. The advisory also said static malicious-IP blocking is becoming less effective and urged multifactor authentication, network edge device mapping, dynamic threat feeds, IP allowlists, zero-trust controls, and machine certificate verification.
Show sources
- UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
- In Other News: Unauthorized Mythos Access, Plankey CISA Nomination Ends, New Display Security Device — www.securityweek.com — 24.04.2026 17:31