Proxy networks of hijacked consumer devices leveraged by China-nexus APT groups for operational security
Summary
China-nexus advanced persistent threat (APT) groups are increasingly routing malicious traffic through large-scale botnets composed of compromised consumer and small office/home office (SOHO) devices to evade detection and attribution. These botnets, primarily consisting of routers, IP cameras, video recorders, and NAS units, enable threat actors to chain traffic through multiple intermediate nodes, obscuring geographic origins and disguising malicious activity as benign traffic. The UK National Cyber Security Centre (NCSC-UK) and allied agencies report that the majority of Chinese state-sponsored groups now favor such proxy networks over traditional infrastructure procurement. Recent disruptions—including the FBI’s takedown of the Raptor Train botnet in September 2024 and disruption of the KV-Botnet in January 2024—highlight the scale and persistence of these operations, with some networks revived within months by threat actors.
Timeline
- 23.04.2026 15:28 · 1 article
China-nexus threat groups pivot to botnet-based proxy networks for evasion
NCSC-UK and international partners report that China-nexus APT groups are increasingly using botnets of compromised consumer and SOHO devices to route malicious traffic through multiple geographic nodes, reducing detectability and attribution. The advisory notes that these covert networks are continuously updated and may be shared across multiple actor groups, with significant botnets such as Raptor Train (260,000+ devices, disrupted in September 2024) and KV-Botnet (linked to Volt Typhoon, disrupted and later partially revived) illustrating the operational scale and resilience of these tactics.
- UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
Information Snippets
- China-nexus APT groups are using botnets of hijacked consumer devices—primarily SOHO routers, IoT devices, and networked storage—to route malicious traffic through multiple compromised nodes, avoiding geographic detection and attribution.
  First reported: 23.04.2026 15:28 (1 source, 1 article)
  - UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
- A joint advisory from NCSC-UK and international partners (US, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, Sweden) states that most China-linked threat actors now rely on covert proxy networks composed of compromised SOHO and IoT devices.
  First reported: 23.04.2026 15:28 (1 source, 1 article)
  - UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
- The FBI linked the Raptor Train botnet—comprising over 260,000 infected devices worldwide—to operations attributed to the Chinese state-sponsored group Flax Typhoon and the sanctioned entity Integrity Technology Group; the botnet was disrupted in September 2024.
  First reported: 23.04.2026 15:28 (1 source, 1 article)
  - UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
- The KV-Botnet, used by the Chinese state-backed Volt Typhoon group, was composed mainly of outdated, unpatched Cisco and Netgear routers; the FBI disrupted it in January 2024, though Volt Typhoon revived portions of it starting in November 2024.
  First reported: 23.04.2026 15:28 (1 source, 1 article)
  - UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28
- Targeted sectors in reported campaigns include military, government, higher education, telecommunications, the defense industrial base (DIB), and IT, primarily in the U.S. and Taiwan.
  First reported: 23.04.2026 15:28 (1 source, 1 article)
  - UK warns of Chinese hackers using proxy networks to evade detection — www.bleepingcomputer.com — 23.04.2026 15:28