China-nexus cyber actors weaponize routers into covert botnets

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

China-nexus covert botnets represent a fundamental shift in how state-sponsored Chinese actors conduct large-scale cyberattacks. On April 23, 2026, a joint advisory from 10 to 12 agencies including CISA, the FBI, the NSA, and the UK’s NCSC detailed a strategic escalation: instead of renting individual servers or using isolated infrastructure, Chinese threat groups are now weaponizing hundreds of thousands of compromised consumer routers, IoT devices, and smart appliances into industrialized networks of botnets. This is not theoretical—it is happening at scale right now, and the impact on critical infrastructure targets globally is already severe.

Key Takeaways

  • Joint advisory from CISA, FBI, NSA, and international partners issued April 23, 2026, warns of China-nexus covert botnets infecting hundreds of thousands of devices worldwide.
  • Volt Typhoon’s KV Botnet was disrupted by the FBI in January 2024 but successfully revived in November 2024 after a failed February 2024 attempt.
  • Flax Typhoon controls the Raptor Train botnet, infecting 200,000 to 260,000+ devices globally, operated by Integrity Technology Group (sanctioned January 2025).
  • Compromised devices include end-of-life Cisco and Netgear routers, DVRs, cameras, firewalls, and NAS systems—most unpatched and vulnerable.
  • Covert networks enable traffic proxying, reconnaissance, malware delivery, data exfiltration, DDoS attacks, and infrastructure disruption while hiding attacker origins.

Why China-nexus Covert Botnets Matter Now

The shift to China-nexus covert botnets marks a watershed moment in state-sponsored cyber operations. Previously, Chinese threat actors relied on individually procured infrastructure—renting servers, buying domains, maintaining separate command-and-control systems. Each compromise was traceable, each attack attributable. That model is obsolete. According to the joint advisory, there has been a major shift in tactics over the past few years, moving away from individually procured infrastructure toward externally provisioned, large-scale networks of compromised devices. What makes this dangerous is scale and deniability. A single botnet can comprise hundreds of thousands of hijacked consumer devices. Attribution becomes murky. The origin of an attack becomes invisible. The cost to the attacker drops to near zero.

Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity. This is not a theoretical vulnerability—it is an operational doctrine now deployed by Volt Typhoon, Flax Typhoon, Salt Typhoon, and Brass Typhoon, all of which target critical infrastructure. Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks. For governments, utilities, financial institutions, and telecommunications providers, this means every unpatched router in their supply chain or network perimeter is a potential entry point for an adversary with state backing.

Volt Typhoon’s KV Botnet and the Pattern of Persistence

Volt Typhoon operates the KV Botnet, primarily composed of end-of-life Cisco and Netgear routers. In January 2024, the FBI disrupted this network in a coordinated takedown. But disruption is not destruction. Volt Typhoon attempted to revive the KV Botnet in February 2024—the attempt failed. Then, in November 2024, the group succeeded in reconstituting the network. This pattern reveals a critical truth: takedowns slow adversaries but do not stop them. As long as vulnerable devices remain in the wild, patient, well-resourced state actors will rebuild.

The devices Volt Typhoon targets are not the latest models. They are old, and they are forgotten. End-of-life routers no longer receive security patches, and network administrators do not monitor them. They sit in data centers and network closets, faithfully passing traffic while invisibly compromised. This is the hidden infrastructure of the internet: unglamorous, unpatched, and exploitable at scale.

Flax Typhoon’s Raptor Train: Scale and Coordination

Flax Typhoon operates a different botnet called Raptor Train, which infected 200,000 to 260,000+ devices worldwide in 2024. This network is controlled by Integrity Technology Group, a Chinese information security company that was sanctioned by the US government in January 2025. The FBI has attributed Raptor Train operations directly to Flax Typhoon intrusions targeting critical infrastructure. The fact that a named company maintains these networks is significant—it suggests coordination, infrastructure investment, and operational continuity. These are not ad hoc compromises. They are maintained botnets, constantly updated and shared across multiple threat actors.

Raptor Train demonstrates the industrial scale of the threat. Two hundred thousand devices is not a small operation. It is a standing army of compromised machines, ready to proxy traffic, launch DDoS attacks, exfiltrate data, or deliver malware on command. And because the devices are scattered across the globe—consumer routers in homes, IoT cameras in offices, NAS systems in small businesses—the network is resilient to disruption. Take down one node, and thousands remain.

The Devices at Risk: Routers, IoT, and the Supply Chain

The devices targeted by China-nexus covert botnets are the ones most organizations overlook. SOHO routers from Cisco, Netgear, and Fortinet top the list. But the threat extends far beyond routers. Compromised devices include DVRs, IP cameras, webcams, network-attached storage (NAS) systems, and firewalls. Many are end-of-life, meaning they will never receive another security update. Many are unpatched even in their active lifecycle. And many are deployed in critical infrastructure environments where they were never expected to be compromised.

The supply chain vulnerability is particularly acute. Devices are shipped with default credentials. Firmware is outdated. Security is an afterthought. Once deployed, they become invisible—another box on a shelf, another node in the network. An attacker with persistence and patience can systematically identify, compromise, and integrate these devices into a botnet. The victim may never know until law enforcement or a security researcher reveals the compromise months or years later.

How Covert Networks Enable Attacks

The tactical value of China-nexus covert botnets lies in their versatility. These networks serve multiple purposes simultaneously. They proxy traffic, routing attacker commands through thousands of innocent devices to hide the true origin of an attack. They enable reconnaissance, allowing threat actors to scan networks and identify targets from inside the perimeter. They deliver malware, using the botnet as a distribution network. They exfiltrate data, moving stolen information through multiple hops to obscure its path. They launch DDoS attacks, overwhelming targets with traffic from distributed sources. And they disrupt operations, allowing actors to degrade or disable critical systems while maintaining plausible deniability.

One specific technique highlighted in the advisory is T1090.003, known as Proxy: Multi-hop Proxy, which routes traffic through multiple compromised devices to obscure the attacker’s location. This is not new tradecraft, but its deployment at scale through industrialized botnets is a significant operational upgrade.

What Organizations Should Do

The joint advisory from CISA, the FBI, the NSA, and international partners provides a clear warning but limited prescriptive guidance for defenders. The underlying message is straightforward: patch everything, monitor everything, and assume that unpatched devices are already compromised. Organizations must inventory all network appliances, including forgotten routers, old IoT devices, and end-of-life equipment. Devices that cannot be patched should be isolated or removed. Network segmentation should assume that any device could be compromised. And threat intelligence teams should monitor for indicators of compromise associated with KV Botnet, Raptor Train, and other known China-nexus botnets.

For critical infrastructure operators, the stakes are existential. A compromised router in a power grid’s network perimeter could enable reconnaissance, malware delivery, or disruption. A hijacked camera in a financial institution could provide persistence for data exfiltration. The advisory makes clear that China-nexus cyber actors are not conducting espionage alone—they are positioning for disruption.

Why This Matters More Than Previous Campaigns

China-nexus covert botnets differ fundamentally from earlier state-sponsored campaigns. Previous operations relied on spear-phishing, zero-days, and targeted intrusions. They were sophisticated but small in scale. These botnet operations are industrialized. They are distributed. They are deniable. They do not require a zero-day. They do not require social engineering. They require only time, patience, and access to vulnerable devices that are already deployed everywhere.

The use of covert networks of compromised devices is not new, but China-nexus cyber actors are now using them strategically, and at scale. This is the distinction that matters. What was once a tactic is now a doctrine. What was once rare is now routine. And what was once a problem for a few critical infrastructure operators is now a systemic risk affecting every organization with network connectivity.

Can These Botnets Be Stopped?

Disruption is possible, as the FBI’s January 2024 takedown of KV Botnet proved. But disruption is temporary. As long as vulnerable devices remain in production and unpatched, adversaries will rebuild. The only durable defense is elimination of the vulnerable devices themselves—through patching, replacement, or removal from networks. This is not a technical problem alone. It is an operational, budgetary, and organizational problem. Many organizations do not know what devices are on their networks. Many do not have the resources to patch them all. And many assume that old, forgotten devices are not worth an attacker’s time. That assumption is now demonstrably false.

Is my router part of a China-nexus covert botnet?

If your router is an end-of-life Cisco, Netgear, or Fortinet model and has not received a security update in over a year, the risk is elevated. Check your router’s firmware version against the manufacturer’s latest release. If you cannot update it, consider replacing it. If you can update it, do so immediately. For organizations, conduct a network inventory and prioritize patching or replacing devices that match the profiles of known botnet victims.
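As an added illustration of the inventory-and-triage step described here and under "What Organizations Should Do" (example code, not from the advisory or the article), the Python below walks a constructed device inventory and assigns each entry an action: devices that cannot be patched are removed from the perimeter or isolated, out-of-date or stale devices are queued for patching, and current devices that still match the vendor/class profile of known victims are flagged for monitoring. The vendor and device-class lists come from the article; the action ranking, the hostnames and the firmware strings are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Vendors and device classes the advisory names among botnet victims.
AT_RISK_VENDORS = {"cisco", "netgear", "fortinet"}
AT_RISK_CLASSES = {"router", "dvr", "camera", "nas", "firewall"}
RANK = {"replace_or_remove": 0, "isolate": 1, "patch_now": 2, "monitor": 3, "ok": 4}  # queue order (assumed)
ADVISORY_DATE = date(2026, 4, 23)  # publication date of the joint advisory, used as "today"
@dataclass
class Device:
    host: str
    vendor: str
    device_class: str
    firmware: str
    latest_firmware: str | None  # None: vendor ships no further updates (end-of-life)
    last_update: date            # when the last security update was applied
    perimeter: bool              # True if the device sits on the network edge

def triage(dev: Device, today: date) -> tuple[str, list[str]]:
    """Map one inventory entry to an action (and why) following the advisory's guidance."""
    eol = dev.latest_firmware is None
    outdated = not eol and dev.firmware != dev.latest_firmware
    stale = (today - dev.last_update).days > 365  # "over a year", per the article
    profile = dev.vendor.lower() in AT_RISK_VENDORS and dev.device_class in AT_RISK_CLASSES
    reasons = [text for flag, text in (
        (eol, "end-of-life: will never receive another security update"),
        (outdated, f"firmware {dev.firmware} behind vendor release {dev.latest_firmware}"),
        (stale, "no security update applied in over a year"),
        (profile, "matches vendor/class profile of known botnet victims")) if flag]
    if eol:  # cannot be patched: take it off the edge, otherwise segment it away
        action = "replace_or_remove" if dev.perimeter else "isolate"
    elif outdated or stale:
        action = "patch_now"
    elif profile:
        action = "monitor"  # current, but in the target profile: watch for known IoCs
    else:
        action = "ok"
    return action, reasons
def work_queue(devices: list[Device], today: date) -> list[tuple[str, str]]:
    """Return (host, action) pairs, most urgent first; more reasons break ties."""
    rows = [(d.host, *triage(d, today)) for d in devices]
    rows.sort(key=lambda r: (RANK[r[1]], -len(r[2])))
    return [(host, action) for host, action, _ in rows]
# Constructed sample inventory: hostnames and firmware strings are made up.
INVENTORY = [
    Device("edge-rtr-1", "Cisco", "router", "15.1", None, date(2019, 3, 2), True),
    Device("cam-lobby", "Netgear", "camera", "1.0.4", "1.0.9", date(2024, 8, 1), False),
    Device("fw-branch", "Fortinet", "firewall", "6.0", None, date(2021, 1, 9), False),
    Device("nas-acme", "Acme", "nas", "7.2", "7.2", date(2026, 3, 15), False),
]
```

Calling `work_queue(INVENTORY, ADVISORY_DATE)` yields the end-of-life perimeter router first, then the end-of-life internal firewall, then the out-of-date camera, with the current NAS last.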

What is the difference between China-nexus covert botnets and traditional DDoS botnets?

Traditional DDoS botnets like Mirai were designed primarily for volumetric attacks. China-nexus covert botnets serve multiple purposes: proxying, reconnaissance, malware delivery, data exfiltration, and disruption. They are also more persistent, maintained by dedicated teams rather than individual operators, and shared across multiple threat actors. This makes them more dangerous and more difficult to disrupt.

Why are Chinese information security companies operating these botnets?

The advisory reveals that networks are created and maintained by Chinese information security companies, with multiple networks existing simultaneously and constantly updated. This suggests state coordination or tacit approval. Whether these companies operate under direct government control or with implicit permission remains unclear, but the pattern points to industrialized, state-backed operations rather than independent cybercriminals.

The April 2026 advisory marks a turning point in how the world’s security agencies understand Chinese cyber operations. China-nexus covert botnets are no longer a theoretical risk or an isolated incident. They are a standing capability, deployed at scale, targeting critical infrastructure globally. For defenders, the message is urgent: patch, segment, monitor, and assume compromise. For policymakers, the challenge is clear: this threat cannot be disrupted by takedowns alone. It requires sustained investment in network resilience, device lifecycle management, and international coordination to hold state actors accountable.

Edited by the All Things Geek team.

Source: TechRadar
