Nation-state | Apr 23, 2026

UK warns of Chinese hackers using proxy networks to evade detection

UK and allies warn Chinese hackers use massive proxy botnets to evade detection.

Summary

The UK's NCSC and international partners (US, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, Sweden) issued a joint advisory warning that China-nexus threat actors have shifted to large-scale botnets comprising compromised SOHO routers, IoT devices, and NAS equipment to mask their malicious activity. The advisory highlights two major disrupted networks—Raptor Train (linked to Flax Typhoon, 260K+ devices infected in 2024) and KV-Botnet (used by Volt Typhoon)—and advises defenders to implement MFA, network mapping, dynamic threat feeds, and zero-trust controls.

Full text

UK warns of Chinese hackers using proxy networks to evade detection
By Sergiu Gatlan, April 23, 2026 08:28 AM

The United Kingdom's National Cyber Security Centre (NCSC-UK) and international partners warned that China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection and disguise their malicious activity.

This joint advisory, co-signed by agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, says the majority of Chinese hacking groups have switched from individually procured infrastructure toward vast botnets of compromised devices, primarily small office and home office routers, along with internet-connected cameras, video recorders, and network-attached storage (NAS) equipment.

These massive botnets allow them to route traffic through chains of compromised devices, entering the network at one point, passing through multiple intermediate nodes, and exiting near the intended target to avoid geographic detection.

"The NCSC believes that the majority of China-nexus threat actors are using these networks [..], that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors," the joint advisory reads. "These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices."

Covert network basic setup (NCSC-UK)

One such massive Chinese botnet, known as Raptor Train, infected more than 260,000 devices worldwide in 2024 and was linked by the FBI to malicious activity attributed to the Chinese state-sponsored Flax Typhoon hacking group and Chinese company Integrity Technology Group (sanctioned in January 2025).
The FBI disrupted Raptor Train in September 2024 with help from researchers at Black Lotus Labs after linking it to campaigns targeting entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, primarily in the U.S. and Taiwan.

A separate network (KV-Botnet) was used by the Chinese state-backed Volt Typhoon threat group and consisted primarily of vulnerable Cisco and Netgear routers that were out of date and no longer received security patches. The FBI also disrupted KV-Botnet by wiping malware from infected routers in January 2024, but Volt Typhoon slowly started reviving it in November 2024 after an initial failed attempt in February.

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks," said Paul Chichester, NCSC-UK's Director of Operations.

Western intelligence agencies that signed the advisory warned that traditional defenses based on blocking static lists of malicious IP addresses are becoming less effective as these botnets continuously add new compromised nodes. Instead, network defenders at small, medium, and large organizations are advised to implement multifactor authentication, map network edge devices, leverage dynamic threat feeds that include known covert network indicators, and, where possible, apply IP allowlists, zero-trust controls, and machine certificate verification.

Indicators of Compromise

  • malware — Raptor Train
  • malware — KV-Botnet

Entities

  • Flax Typhoon (threat_actor)
  • Volt Typhoon (threat_actor)
  • Cisco (vendor)
  • Netgear (vendor)
  • Integrity Technology Group (vendor)
  • SOHO routers (technology)