Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

China-Backed Hackers Are Industrializing Botnets

  • What: China-backed hackers are industrializing botnets
  • Impact: Threat actors are scaling up botnet operations

China's state-backed groups are now using covert networks of compromised devices to execute attacks in a low-cost, low-risk, and deniable way.
Jai Vijayan, Contributing Writer
April 23, 2026

This week, the UK's National Cyber Security Centre (NCSC-UK), in concert with cybersecurity agencies in the US and other countries, warned of China-nexus threat actors increasingly using covert networks of compromised routers, IoT, and smart devices to facilitate attacks against US organizations. Evidence suggests that Chinese information security companies are systematically creating and maintaining many of these botnets, which are often composed of small office and home office (SOHO) routers.

Chinese threat groups like Flax Typhoon and Volt Typhoon have then been using these networks to conduct reconnaissance, deliver and communicate with malware, and exfiltrate data in a "low-cost, low-risk, deniable way," the joint advisory noted. "They can also be used for general deniable Internet browsing, allowing threat actors to research exploitation techniques, new TTPs, and their victims, without attribution," the agencies said. "Some covert networks are also used by legitimate customers to browse the Internet, making it challenging to attribute malicious activity."

The advisory goes on to add that threat actor use of botnets to carry out attacks is not new. What has changed, however, is that China-affiliated threat groups are now using them strategically and at a scale previously unseen. According to NCSC-UK, China-backed actors have created numerous botnets that they are constantly updating and keeping in a state of readiness for use by the country's state-backed threat groups. In addition to constantly adding new covert networks to the pool, the creators and maintainers of these botnets are also constantly changing them in response to defensive or legal actions.
Confounding matters is the fact that multiple China-nexus threat groups might use the same botnet at the same time, making it hard for defenders to identify and block them. Network defense approaches such as static blocklists of malicious IPs are not effective when a particular threat actor could come from any one of many covert networks, "each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors," the advisory said. "This is compounded by the dynamic nature of these networks where new nodes will be added as old devices are patched or removed from use."

Botnets of Mostly SOHO Routers

Most of the covert botnets that Chinese actors are using consist of compromised SOHO routers. But they can also include other vulnerable edge technologies such as IoT devices, web cameras, video recorders, end-of-life routers, firewalls, and network-attached storage devices.

"CISA and its partners are calling out a trend that's been building for years: the industrialization of botnets," says Matthew Hartman, chief strategy officer at Merlin Group. "Chinese actors are likely leveraging a division of labor, with some groups compromising and maintaining large pools of SOHO routers and consumer IoT devices, then handing off or leasing that access for operations. That model increases both scale and plausible deniability."

Hartman says the timing of the advisory likely has more to do with the volume and maturity of botnet use by Chinese threat actors rather than with newness. "Russian and Iranian groups have used similar tactics, but the scale and tempo of Chinese operations are what set this apart and justify a coordinated advisory," he says.

Bradley Smith, senior vice president and deputy CISO at BeyondTrust, said the operational model that China-backed threat groups have taken mirrors that of initial access brokers in the cybercriminal ecosystem.
The main difference here is that the activity is state-backed. "Chinese cyber operations have adopted a supply-chain model for offensive infrastructure: dedicated teams or contracted entities compromise and maintain large pools of SOHO routers, IoT devices, and edge equipment, then provision access to specific operational units based on mission requirements," he says. Specialization at each stage — compromise, curation, provisioning, operational use — makes attribution harder and takedown less effective. "Removing one operational user does not affect the underlying infrastructure pool," he points out.

The approach works, he says, because the kind of SOHO devices and consumer-grade technologies that the attackers are targeting share the same structural vulnerabilities: default credentials, infrequent patching, no centralized management, and owners who do not know their devices are Internet-reachable. In fact, concerns that foreign-made routers might deliberately include these weaknesses — almost all SOHO and consumer-grade routers in the US fall under this category — prompted the US government to recently ban the import of new models of routers made outside the US.

The NCSC and the other cyber agencies that issued this week's advisory recommend that organizations develop a clear picture of their network edge devices and all the assets that should be connecting to them. Organizations should baseline normal connections, such as those from corporate VPNs, while watching for unusual connections, such as one from a consumer broadband range. Larger organizations should consider building geographic IP allow lists, profiling incoming connections based on factors like operating system, time zone, and configuration settings, and implementing zero-trust policies for incoming connections.
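A minimal form of the baselining the advisory recommends, written for this post as an added example (not code from the advisory or from Dark Reading): instead of a static blocklist of known-bad IPs, each inbound session is checked against an allow list of expected source ranges, with a consumer-broadband prefix feed and a geographic allow list as the two triage signals. The ranges, country codes, log format and sample log lines are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed baseline: ranges expected to reach the edge device (e.g. corporate VPN egress).
BASELINE_ALLOWED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/26")]
# Constructed: prefixes an external feed labels as residential/consumer broadband.
CONSUMER_BROADBAND = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]
# Constructed geographic allow list: country codes the organisation expects traffic from.
GEO_ALLOW = {"GB", "US"}

@dataclass
class Finding:
    src: str
    country: str
    reason: str

def classify(src_ip: str, country: str) -> Optional[Finding]:
    # Allow-list logic: report anything that is not in the baseline, instead of matching a
    # static list of known-bad IPs that a constantly refreshed covert network simply outlives.
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in BASELINE_ALLOWED):
        return None  # expected source, nothing to report
    if any(addr in net for net in CONSUMER_BROADBAND):
        return Finding(src_ip, country, "consumer broadband source outside baseline")
    if country not in GEO_ALLOW:
        return Finding(src_ip, country, "outside geographic allow list")
    return Finding(src_ip, country, "unbaselined source")

def triage(log_lines: List[str]) -> List[Finding]:
    # Constructed log format: "<timestamp> src=<ip> geo=<CC> dst=<name> status=<...>"
    findings = []
    for line in log_lines:
        fields = dict(field.split("=", 1) for field in line.split()[1:])
        finding = classify(fields["src"], fields["geo"])
        if finding is not None:
            findings.append(finding)
    return findings

# Constructed sample: four inbound sessions to a VPN gateway, all from documentation ranges.
SAMPLE_LOG = [
    "2026-04-23T08:00:01Z src=198.51.100.17 geo=GB dst=vpn-gw status=ok",  # baseline VPN range
    "2026-04-23T08:00:05Z src=192.0.2.44 geo=US dst=vpn-gw status=ok",  # consumer broadband
    "2026-04-23T08:00:09Z src=203.0.113.200 geo=BR dst=vpn-gw status=ok",  # outside /26 and geo list
    "2026-04-23T08:00:12Z src=203.0.113.7 geo=US dst=vpn-gw status=ok",  # baseline VPN range
]
```

Running `triage(SAMPLE_LOG)` returns two findings (the consumer-broadband source and the out-of-region source); the two baseline VPN sessions produce nothing, which is the point of baselining rather than blocklisting.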
Organizations most at risk should consider actively tracking the activities of China-nexus APTs, conducting threat hunting, and tracking and mapping covert networks that industry or government threat intelligence sources might report on.

It's also important for organizations not to think of the threat as coming purely from nation-state-backed groups, says John Gallagher, vice president of Viakoo Labs at Viakoo. "For years now cyber criminals have been forming and managing botnet armies 'for hire'; the strong growth of the volume and velocity of DDoS attacks is a direct proxy of how infected IoT devices are," he says. If not nation-state actors, cyber criminals can still profit from a botnet army for purposes like cryptojacking or credential stuffing. "Rather than focus on the 'who' — which is likely to be a hybrid of criminal organizations alongside of nation states — organizations should focus on 'what' and 'what to do'," he advises.

About the Author

Jai Vijayan, Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.