China-Linked Groups Built Covert Botnets From Compromised Routers and IoT Devices
A joint advisory from the UK NCSC, the United States, and other international partners warned that China-nexus threat actors are increasingly using large covert networks of compromised SOHO routers, IoT devices, firewalls, and NAS systems to route malicious traffic, hide attribution, and support espionage and disruptive operations. The warning said these botnet-style proxy networks are used across the full cyber kill chain, from reconnaissance and malware delivery to command-and-control and data theft, and identified activity tied to Volt Typhoon, Flax Typhoon, and the Raptor Train botnet. Officials said Volt Typhoon’s KV Botnet relied heavily on end-of-life Cisco and Netgear routers, while Raptor Train infected more than 200,000 devices worldwide and was reportedly controlled by Integrity Technology Group.
Governments said the scale and churn of these compromised-device networks make traditional static IP blocklists increasingly ineffective, creating what some reporting described as rapid indicator loss or “IOC extinction.” Agencies urged organizations to map internet-facing and edge assets, baseline normal traffic from routers and IoT devices, enforce MFA, apply dynamic threat intelligence, use allow-listing and zero trust controls, and actively hunt for suspicious proxy-node behavior on residential, branch, and enterprise-connected infrastructure. The disclosures also linked the threat to broader Chinese pre-positioning activity against critical infrastructure and telecom environments, underscoring how weakly secured edge devices continue to provide durable operational cover for state-backed intrusions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
International advisory warns China-linked actors use covert device networks
On 2026-04-23, the UK NCSC and multiple international partners published a joint advisory warning that China-nexus actors had shifted to large-scale covert networks of compromised SOHO routers, IoT devices, firewalls, and NAS systems. The advisory said these networks support the full cyber kill chain, hinder attribution, and are used for espionage and pre-positioning against targets including critical infrastructure.
Cisco discloses ArcaneDoor-linked ASA/FTD vulnerabilities and releases fixes
Cisco disclosed multiple serious vulnerabilities affecting ASA and FTD products, including CVE-2024-20353, CVE-2024-20359, and CVE-2024-20358, and released software updates for weaknesses in the attack chain tied to the ArcaneDoor espionage campaign. Guidance urged organizations to patch immediately and investigate for signs of compromise using forensic indicators from Cisco and partner agencies.
Raptor Train botnet infects more than 200,000 devices worldwide
During 2024, the Raptor Train botnet compromised over 200,000 devices globally. Later reporting and advisories said the network was controlled by Integrity Technology Group and exemplified large-scale covert infrastructure used by China-linked actors.
ArcaneDoor attacks begin targeting Cisco ASA and FTD devices
Cisco PSIRT observed attacks starting in early 2024 in which threat actors targeted vulnerable Cisco ASA and Firepower Threat Defense devices, attempting to install malware and steal data from perimeter systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
US, allies warn of industrialized Chinese botnets | brief | SC Media
scworld.com
Open sourceHackers Abuse Compromised Routers to Hide China-Linked Cyber Operations
cybersecuritynews.com
Open sourceChina-linked crews turn routers into covert attack proxies • The Register
theregister.com
Open sourceGlobal klaxon sounded on covert networks of breached devices - SDxCentral
sdxcentral.com
Open sourceUseita vakavia haavoittuvuuksia Cisco ASA ja FTD-tuotteissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceUseita vakavia haavoittuvuuksia Cisco ASA ja FTD-tuotteissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceIc3 Alerts
ic3.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Flax Typhoon Used Raptor Train IoT Botnet to Mask Critical Infrastructure Intrusions
U.S. authorities and private-sector researchers said the China-linked threat actor **Flax Typhoon** operated a sprawling IoT botnet known as **Raptor Train** to conceal intrusions into critical infrastructure networks. Black Lotus Labs said the botnet had been active since 2020, at one point exceeding 60,000 live nodes and compromising more than 200,000 routers, NAS devices, IP cameras, and other internet-exposed systems. The operation used a multi-tier architecture and a custom Mirai-derived implant called `Nosedive`, which enabled remote command execution, file transfer, and retained **DDoS** capability while using in-memory execution and anti-forensics techniques. Researchers linked the activity to targeting in the United States and Taiwan across government, military, telecommunications, higher education, defense industrial base, and IT sectors, alongside scanning and likely exploitation attempts against **Atlassian Confluence** and **Ivanti Connect Secure** appliances. The **FBI** and Department of Justice said they disrupted the botnet in a court-authorized operation that removed malware from infected routers, and officials later said the action effectively dismantled infrastructure used by Chinese operators to hide follow-on hacking. Subsequent reporting said the botnet exploited dozens of vulnerabilities across edge and IoT products, with VulnCheck identifying **66 actively targeted CVEs** tied to the campaign, far more than were listed in CISA’s Known Exploited Vulnerabilities catalog. Additional reporting also pointed to corporate links around **Integrity Technology**, described as connected to Flax Typhoon and tied through competitive, partner, and client relationships to **i-SOON**, adding to the picture of a broader Chinese intrusion ecosystem supporting espionage and potential disruptive operations.
May 26, 2026
US Disrupts Volt Typhoon KV Botnet Built on Compromised SOHO Routers
The U.S. Department of Justice said a court-authorized FBI operation disrupted the **KV Botnet**, a network of hundreds of compromised small office and home office routers that the PRC-linked group **Volt Typhoon** used to mask follow-on intrusions against U.S. and foreign targets, including critical infrastructure. Officials said the botnet relied heavily on end-of-life **Cisco** and **NetGear** devices, and that the FBI removed malware from affected U.S.-based routers and severed communications with botnet controllers without disrupting legitimate router functions or collecting content. The government tied the activity to broader Chinese pre-positioning against sectors including communications, energy, transportation, and water, while warning that unsupported devices remain vulnerable to reinfection unless replaced or fully remediated. Reporting on the takedown said the action mirrored earlier U.S. botnet disruptions such as the 2022 operation against **Cyclops Blink**, the **Sandworm/GRU** botnet that abused WatchGuard and ASUS devices as command-and-control infrastructure. Subsequent research from Censys found that KV Botnet control infrastructure evolved after the December 2023 disruption, with operators in the **JDY** cluster largely retaining the same infrastructure patterns while shifting hosting providers and continuing activity linked to vulnerable `Cisco RV320/RV325` routers. The researchers said the botnet’s comparatively exposed infrastructure did not fully match Volt Typhoon’s usual stealthy tradecraft, raising questions about whether the KV Botnet was operated directly by Volt Typhoon or by a separate but related actor.
May 25, 2026
China-Linked Espionage Campaign Compromises Southeast Asian Edge Routers
Researchers reported a China-linked espionage campaign targeting enterprise edge routers in Southeast Asia with a custom Linux implant called `router.elf`. The malware uses encrypted HTTPS command-and-control over port 443 and Cloudflare DNS over HTTPS to conceal communications, while modifying `iptables` NAT rules to redirect downstream DNS traffic to attacker-controlled resolvers. Analysts said this gives the operators an infrastructure-level foothold for surveillance, traffic interception, and possible manipulation of internal network activity, including software update flows. The operation also appears to extend from compromised routers into Windows environments. Investigators linked the Linux activity to a secondary backdoor, `client_rc_start`, and to a Windows intrusion chain that deploys a Cobalt Strike Beacon through DLL sideloading, using a malicious `version.dll` loaded by `CrashReport.exe`. Shared command-and-control domains, URI patterns, cookie markers, user-agent values, and beacon timing indicate centralized control across the Linux and Windows components, while attribution clues cited in reporting include Mandarin-language strings, a `zh-CN` setting, and tooling overlaps with earlier China-linked operations.
Jun 1, 2026