In a coordinated alert this week, the UK’s National Cyber Security Centre (NCSC-UK), together with US and international cybersecurity partners, highlighted growing concerns around China-affiliated threat actors. The advisory noted that these actors are using covert botnet infrastructures built from hacked routers, IoT, and smart devices to conduct attacks against US-based organizations.
Research points to Chinese cybersecurity companies playing a structured role in the creation and maintenance of these botnets, which are largely composed of small office/home office (SOHO) routers.
The joint advisory highlighted that groups like Flax Typhoon and Volt Typhoon are actively using these botnet infrastructures for reconnaissance activities, malware delivery and communication, as well as data exfiltration—operating in what it described as a “low-cost, low-risk, deniable” fashion.
According to the advisory, botnets have long been used by threat actors to conduct attacks. However, it highlights a key shift: China-linked groups are now leveraging these networks in a far more strategic manner and on an unprecedented scale.
The UK’s National Cyber Security Centre (NCSC-UK) reports that China-affiliated actors have built a large number of botnets, maintaining them in a constant state of readiness for use by state-backed threat groups. Alongside expanding this pool with new hidden networks, operators are persistently adapting these botnets in response to law enforcement and security countermeasures. Adding to the complexity, several China-nexus groups may operate through the same botnet at once, complicating efforts to identify and block malicious activity.
According to the advisory, relying on static IP blocking as a defensive measure is no longer sufficient, as threat actors may launch attacks from any number of covert networks. Each of these networks can include hundreds of thousands of endpoints and may be used by multiple threat groups simultaneously. The situation is made more complex by the dynamic structure of these networks, with new devices regularly joining as others are secured or removed.
SOHO Router Networks Powering Modern Botnets
Chinese threat actors largely rely on covert botnets built from hijacked SOHO routers. In addition, these botnets often incorporate a range of exposed edge devices such as IoT systems, surveillance cameras, digital video recorders, outdated routers, firewalls, and network-attached storage devices.
"CISA and its partners are calling out a trend that’s been building for years: the industrialization of botnets," says Matthew Hartman, chief strategy officer at Merlin Group. "Chinese actors are likely leveraging a division of labor, with some groups compromising and maintaining large pools of SOHO routers and consumer IoT devices, then handing off or leasing that access for operations. That model increases both scale and plausible deniability."
According to Hartman, the advisory appears to reflect the growing volume and maturity of botnet operations among Chinese threat actors, rather than indicating anything newly developed.
According to Bradley Smith of BeyondTrust, China-affiliated threat actors are operating in a way that mirrors initial access brokers commonly seen in cybercrime networks. What sets them apart is that their operations are state-backed rather than purely criminal.
"Chinese cyber operations have adopted a supply-chain model for offensive infrastructure: dedicated teams or contracted entities compromise and maintain large pools of SOHO routers, IoT devices, and edge equipment, then provision access to specific operational units based on mission requirements," he says.
According to him, the success of this strategy lies in the inherent weaknesses of SOHO and consumer-grade technologies, such as unchanged default passwords, infrequent software updates, absence of centralized oversight, and limited user awareness about internet exposure. He adds that fears surrounding intentionally introduced vulnerabilities in foreign-made routers—covering the majority of such devices in the US—have prompted the US government to impose a recent ban on importing new router models produced abroad.
According to NCSC-UK and the other cybersecurity agencies issuing the advisory, organizations should map out their network edge infrastructure and identify all legitimate connecting assets. This includes baselining typical traffic, such as corporate VPN connections, and detecting irregular activity, such as unexpected connections from consumer broadband networks.
Enterprises should consider establishing geographic-based IP allow lists, analyzing inbound connections based on factors like OS, time zone, and system configurations, and adopting zero-trust frameworks for access control. Organizations facing elevated risk levels are encouraged to closely track China-nexus APT activity, carry out proactive threat hunting, and map covert infrastructures highlighted by government and industry intelligence sources.
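The baselining and triage steps described in the two paragraphs above can be reduced to a small rule set run over connection records. The following is an added example, not code from the advisory or from any of the vendors quoted in the article: it assumes a hypothetical organization whose legitimate remote access arrives only from two known ranges (constructed documentation-prefix values), keeps a geographic allow list, and checks whether the client's reported time zone and OS are plausible for the country and for a managed endpoint. The IP-to-ASN table and the log lines are constructed for the example; in a real deployment both would come from an ASN/geo feed and from the VPN or reverse-proxy logs.

```python
import ipaddress
from collections import Counter

# --- Constructed baseline (hypothetical values, not taken from the advisory) ---
# Source ranges from which legitimate remote access is expected, e.g. the
# corporate VPN concentrators' egress and a managed partner range.
EXPECTED_SOURCE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
# Geographic allow list for inbound administrative and VPN traffic.
ALLOWED_COUNTRIES = {"GB", "US"}
# UTC offsets a client claiming a given country would plausibly report.
PLAUSIBLE_TZ = {
    "GB": {"+0000", "+0100"},
    "US": {"-0400", "-0500", "-0600", "-0700", "-0800"},
}
# Minimal IP-to-ASN table (constructed); a real feed replaces this.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("AS64500", "ExampleCorp VPN egress", "corporate"),
    ipaddress.ip_network("198.51.100.0/25"): ("AS64501", "Example Partner Hosting", "hosting"),
    ipaddress.ip_network("192.0.2.0/24"): ("AS64510", "Example Consumer Broadband", "consumer_isp"),
}
# Operating systems the organization issues on managed endpoints (assumption).
MANAGED_OS = {"windows", "macos"}


def lookup_asn(ip):
    """Return (asn, name, kind) for an address, or an 'unknown' triple."""
    addr = ipaddress.ip_address(ip)
    for net, info in ASN_TABLE.items():
        if addr in net:
            return info
    return ("AS0", "unknown", "unknown")


def parse_line(line):
    """Parse a whitespace-separated key=value connection record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def assess(event):
    """Return the reasons an inbound connection deviates from the baseline."""
    reasons = []
    addr = ipaddress.ip_address(event["src"])
    if not any(addr in net for net in EXPECTED_SOURCE_RANGES):
        reasons.append("source outside expected remote-access ranges")
    asn, _, kind = lookup_asn(event["src"])
    if kind == "consumer_isp":
        reasons.append(f"consumer broadband origin ({asn})")
    country = event.get("country", "??")
    if country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {country} not on geographic allow list")
    tz = event.get("tz")
    if tz and country in PLAUSIBLE_TZ and tz not in PLAUSIBLE_TZ[country]:
        reasons.append(f"client time zone {tz} inconsistent with claimed country {country}")
    if event.get("os", "").lower() not in MANAGED_OS:
        reasons.append(f"unexpected client OS {event.get('os')!r} for a managed endpoint")
    return reasons


def triage(lines):
    """Return flagged events as (src, reasons) plus a per-ASN count of flags."""
    flagged = []
    by_asn = Counter()
    for line in lines:
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            flagged.append((ev["src"], reasons))
            by_asn[lookup_asn(ev["src"])[0]] += 1
    return flagged, by_asn


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "ts=2025-01-10T09:02:11Z src=203.0.113.17 country=GB os=Windows tz=+0000 svc=vpn user=alice",
    "ts=2025-01-10T09:05:40Z src=192.0.2.45 country=US os=Linux tz=+0800 svc=vpn user=alice",
    "ts=2025-01-10T09:06:02Z src=198.51.100.9 country=US os=macOS tz=-0500 svc=vpn user=bob",
    "ts=2025-01-10T09:07:55Z src=192.0.2.201 country=BR os=Windows tz=-0300 svc=vpn user=carol",
]

if __name__ == "__main__":
    flagged, by_asn = triage(SAMPLE_LOG)
    for src, reasons in flagged:
        print(src, "->", "; ".join(reasons))
    print("flags per ASN:", dict(by_asn))
```

The second sample line is the pattern the advisory warns about: the same user who normally arrives through the corporate VPN egress now connects from a consumer broadband ASN, with a client time zone that does not match the claimed country and an OS the organization does not issue. Counting flags per ASN rather than per IP is what makes the output useful against a botnet whose member addresses churn; individual addresses can be blocked, but the ASN-level view is what survives the turnover.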
According to John Gallagher of Viakoo, it is crucial for organizations not to assume that only nation-state actors are responsible for such threats. He points out that cybercriminal groups have, for years, developed and rented out botnet infrastructures, with the increasing volume and velocity of DDoS attacks serving as an indicator of widespread IoT device compromise. Beyond nation-state use, these botnets are also leveraged for profit-driven activities like cryptojacking and credential stuffing. He recommends that organizations focus less on attribution—often involving both criminal and state actors—and more on understanding the threat and implementing effective defenses.