Particle.news

Allied Cyber Agencies Warn China-Linked Hackers Are Building Covert Botnets From Home Routers

The joint alert urges tighter monitoring of edge devices to counter botnets that conceal espionage and pre‑positioning against critical infrastructure.

Overview

  • A joint advisory from the U.K. NCSC, CISA, NSA, the FBI and partner agencies, issued Thursday, warns that Chinese state‑linked groups now rely on large covert networks of compromised devices.
  • These networks hijack small office and home routers, cameras, recorders and other IoT gear to proxy attacks, making the traffic look normal and masking who is behind it.
  • The agencies say multiple actors reuse the same covert networks, which are rebuilt often, so fixed IP blocklists age fast and indicators vanish as nodes churn.
  • Investigators cite the Raptor Train botnet, linked to Integrity Technology Group, which infected about 200,000 devices worldwide in 2024, and they note earlier FBI assessments tying the firm to Flax Typhoon activity.
  • Officials also highlight Volt Typhoon’s KV Botnet, which used many end‑of‑life Cisco and Netgear routers, and they urge organizations to baseline edge traffic, use dynamic threat feeds, enforce multi‑factor login and adopt zero‑trust controls with active hunting for risky SOHO and IoT traffic.