# Full Report
The United Kingdom's National Cyber Security Centre (NCSC-UK) and international partners warned that China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection and disguise their malicious activity. [...]
# Analysis Summary
# Threat Actor: China-Nexus Threat Actors (specifically Flax Typhoon & Volt Typhoon)
## Attribution & Identity
* **Identification:** Chinese state-sponsored threat actors.
* **Known Aliases:**
  * **Flax Typhoon** (RedJuliett, Ethane).
  * **Volt Typhoon** (Vanguard Panda, BRONZE SILHOUETTE).
* **Associated Entities:** Integrity Technology Group (a Chinese company sanctioned in January 2025 for links to Flax Typhoon).
## Activity Summary
According to the joint advisory from NCSC-UK and international partners (2024–2026 timeframe), Chinese threat actors have shifted from individually procured infrastructure to using large-scale botnets of compromised consumer devices.
* **Raptor Train:** A massive botnet linked to Flax Typhoon that infected over 260,000 devices by 2024.
* **KV-Botnet:** A network utilized by Volt Typhoon, disrupted by the FBI in early 2024, with subsequent attempts by the actor to revive the infrastructure in late 2024.
## Tactics, Techniques & Procedures
* **Proxy Chaining:** Routing malicious traffic through multiple intermediate nodes of compromised consumer devices to disguise the origin of the attack.
* **Geographic Evasion:** Using exit nodes located near the intended target to bypass geo-fencing and anomaly detection.
* **Exploitation of EoL (End-of-Life) Gear:** Targeting devices that no longer receive security patches.
* **Living off the Land:** Using covert networks to blend in with legitimate residential traffic.
* **Infrastructure Shifting:** Continuously updating and adding new nodes to covert networks to render static IP blocking ineffective.
## Targeting
* **Sectors:** Military, Government, Higher Education, Telecommunications, Defense Industrial Base (DIB), and IT sectors.
* **Geography:** Primarily United Kingdom, United States, Taiwan, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, and Sweden.
* **Victims:** Large-scale focus on critical infrastructure and government entities; indirect victims include owners of SOHO/IoT devices.
## Tools & Infrastructure
* **Botnets:**
  * Raptor Train
  * KV-Botnet
* **Compromised Devices:**
  * Small Office Home Office (SOHO) routers (specific mention of Cisco and Netgear).
  * Internet of Things (IoT) devices.
  * IP Cameras and Digital Video Recorders (DVRs).
  * Network-Attached Storage (NAS) equipment.
* **Infrastructure Management:** Use of covert networks created by private firms (e.g., Integrity Technology Group) for state-sponsored operations.
## Implications
The scale of these "covert networks" represents a strategic pivot in Chinese cyber operations. By hijacking hundreds of thousands of residential devices, threat actors can conduct high-volume reconnaissance and exploitation while remaining nearly invisible to traditional network defenses. This complicates attribution and makes reactive blocking (via IP blacklists) essentially obsolete.
## Mitigations
* **Identity Management:** Implement robust Multi-Factor Authentication (MFA).
* **Network Visibility:** Map all network edge devices and perform regular audits.
* **Zero Trust Architecture:** Implement zero-trust controls and machine certificate verification to ensure only authorized devices access resources.
* **Access Control:** Utilize IP allowlists (where possible) rather than relying solely on denylists.
* **Intelligence Integration:** Leverage dynamic threat feeds that provide real-time indicators of known covert network nodes.
* **Lifecycle Management:** Replace End-of-Life (EoL) equipment that no longer receives security updates.
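The "Infrastructure Shifting" TTP and the Access Control and Intelligence Integration mitigations above fit together in one check: a static denylist goes stale as nodes rotate, so management-plane access should be allowlist-first, with a TTL-aware dynamic feed adding context rather than being the only gate. The following is an added illustration, not code from the advisory; the addresses, feed timestamps, login events and the 7-day feed TTL are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example; none of these addresses are real indicators.
ALLOWLIST = [ipaddress.ip_network(c) for c in ("10.20.0.0/24", "192.0.2.0/28")]

# Static denylist snapshot taken once: the reactive "IP blacklist" approach.
STATIC_DENY = {"203.0.113.7"}

# Dynamic feed: indicator -> when the feed last reported it as an active node.
# Ages matter because covert-network nodes are added and retired continuously.
FEED = {
    "203.0.113.7": datetime(2025, 2, 1, tzinfo=timezone.utc),       # old node, rotated out
    "198.51.100.23": datetime(2025, 3, 1, 7, tzinfo=timezone.utc),  # newly added node
}
FEED_TTL = timedelta(days=7)  # assumed freshness window for an indicator

# Constructed remote-access attempts against an edge device's management interface.
EVENTS = [
    {"ts": "2025-03-01T08:00:00+00:00", "src": "203.0.113.7", "user": "admin"},
    {"ts": "2025-03-01T08:05:00+00:00", "src": "198.51.100.23", "user": "admin"},
    {"ts": "2025-03-01T08:07:00+00:00", "src": "10.20.0.15", "user": "netops"},
]

def denylist_only(src):
    """Reactive posture: block only what the static blacklist already knows."""
    return "deny" if src in STATIC_DENY else "allow"

def allowlist_with_feed(src, now):
    """Allowlist-first posture; the TTL-aware feed only adds context to denials."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in ALLOWLIST):
        return "allow", "source is on the management allowlist"
    seen = FEED.get(src)
    if seen is not None and now - seen <= FEED_TTL:
        return "deny", "not allowlisted; feed reports an active covert-network node"
    if seen is not None:
        return "deny", "not allowlisted; feed indicator is stale, node may have rotated"
    return "deny", "not allowlisted"

def triage(events=EVENTS):
    """Run both postures over the same events so the gap between them is visible."""
    rows = []
    for ev in events:
        now = datetime.fromisoformat(ev["ts"])
        verdict, reason = allowlist_with_feed(ev["src"], now)
        rows.append({"src": ev["src"], "user": ev["user"], "reason": reason,
                     "denylist_only": denylist_only(ev["src"]), "allowlist_feed": verdict})
    return rows
```

Calling `triage()` shows the newly added node (`198.51.100.23`) passing the static denylist but being denied under the allowlist posture, while the stale indicator is flagged for feed rotation rather than trusted as current.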