Find notable cyber news and cases, enriched with sources, timelines, and signals.

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First reported
Last updated
Happening score
H score 66
2 unique sources, 2 articles

Summary

Hide ▲

NCSC-UK and partner agencies issued a joint advisory warning that China-nexus hackers are using hijacked consumer devices as covert proxy networks to hide malicious traffic. The warning spans SOHO routers, internet-connected cameras, video recorders, and NAS equipment across multiple countries. It matters because the networks help attackers evade detection and make static IP-based blocking less effective.

Related Happenings

Foreign-run botnets relaying traffic through infected Canadian devices

Malware Activity
H score22 First: 22.06.2026 12:11 Last: 22.06.2026 12:11 Sources 1

About this happening: The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...

AryStinger legacy-router reconnaissance and proxy network

Malware Activity
H score61 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...

AryStinger legacy-router and QNAP NAS reconnaissance campaign

Campaign
H score72 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** campaign is turning **legacy routers** and **QNAP NAS boxes** into a **distributed reconnaissance and proxy network**, creating a stealth relay layer for intrus...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

CISA-led joint advisory to secure internet-exposed ATG systems

Public Sector Action
H score43 First: 05.06.2026 17:50 Last: 05.06.2026 17:50 Sources 1

About this happening: On **2026-06-05**, **CISA**, the **FBI**, the **NSA**, the **Department of Energy**, and other U.S. partners issued a **joint advisory** telling **critical infrastructure organiza...

Timeline

  1. 23.04.2026 15:28 2 articles · 2mo ago

    NCSC-UK joint advisory warns of hijacked-device proxy networks

    Industry Or Public Sector Update

    On 2026-04-23, NCSC-UK and partner agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden issued a joint advisory warning that China-nexus hackers are increasingly using large-scale proxy networks built from hijacked consumer devices, including compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) and smart devices, video recorders, and network-attached storage (NAS) equipment, to route traffic through multiple nodes and evade geographic detection. The advisory also said static malicious-IP blocking is becoming less effective and urged multifactor authentication, network edge device mapping, dynamic threat feeds, IP allowlists, zero-trust controls, and machine certificate verification.

    Show sources