Dark Reading
China-Backed Hackers Are Industrializing Botnets
China's state-backed groups are now using covert networks of compromised devices to execute attacks in a low-cost, low-risk, and deniable way.
Jai Vijayan, Contributing Writer
April 23, 2026
This week, the UK's National Cyber Security Centre (NCSC-UK), in concert with cybersecurity agencies in the US and other countries, warned of China-nexus threat actors increasingly using covert networks of compromised routers, IoT, and smart devices to facilitate attacks against US organizations.
Evidence suggests that Chinese information security companies are systematically creating and maintaining many of these botnets, which are often composed of small office and home office (SOHO) routers.
Chinese threat groups like Flax Typhoon and Volt Typhoon have then been using these networks to conduct reconnaissance, deliver and communicate with malware, and to exfiltrate data in a "low-cost, low-risk, deniable way," the joint advisory noted.
"They can also be used for general deniable Internet browsing, allowing threat actors to research exploitation techniques, new TTPs, and their victims, without attribution," the agencies said. "Some covert networks are also used by legitimate customers to browse the Internet, making it challenging to attribute malicious activity."
The advisory goes on to note that threat actors' use of botnets to carry out attacks is not new. What has changed, however, is that China-affiliated threat groups are now using them strategically and at a scale not previously seen.
According to NCSC-UK, China-backed actors have created numerous botnets that they constantly update and keep in a state of readiness for use by the country's state-backed threat groups. In addition to continually adding new covert networks to the pool, the creators and maintainers of these botnets also change them in response to defensive or legal actions. Complicating matters further, multiple China-nexus threat groups may use the same botnet at the same time, making it hard for defenders to identify and block any one of them.
Network defense approaches such as static malicious-IP blocklists are not effective when a particular threat actor could operate from any one of many covert networks, "each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors," the advisory said. "This is compounded by the dynamic nature of these networks where new nodes will be added as old devices are patched or removed from use."
Botnets of Mostly SOHO Routers
Most of the covert botnets that Chinese actors use consist of compromised SOHO routers, but they can also include other vulnerable edge technologies such as IoT devices, web cameras, video recorders, end-of-life routers, firewalls, and network-attached storage devices.
"CISA and its partners are calling out a trend that’s been building for years: the industrialization of botnets," says Matthew Hartman, chief strategy officer at Merlin Group. "Chinese actors are likely leveraging a division of labor, with some groups compromising and maintaining large pools of SOHO routers and consumer IoT devices, then handing off or leasing that access for operations. That model increases both scale and plausible deniability."
Hartman says the timing of the advisory likely has more to do with the volume and maturity of botnet use by Chinese threat actors rather than with newness. "Russian and Iranian groups have used similar tactics, but the scale and tempo of Chinese operations are what set this apart and justify a coordinated advisory," he says.
Bradley Smith, senior vice president and deputy CISO at BeyondTrust, said the operational model that China-backed threat groups have adopted mirrors that of initial access brokers in the cybercriminal ecosystem. The main difference here is that the activity is state-backed. "Chinese cyber operations have adopted a supply-chain model for offensive infrastructure: dedicated teams or contracted entities compromise and maintain large pools of SOHO routers, IoT devices, and edge equipment, then provision access to specific operational units based on mission requirements," he says. Specialization at each stage — compromise, curation, provisioning, operational use — makes attribution harder and takedown less effective. "Removing one operational user does not affect the underlying infrastructure pool," he points out.
The approach works, he says, because the kinds of SOHO devices and consumer-grade technologies the attackers target share the same structural weaknesses: default credentials, infrequent patching, no centralized management, and owners who do not know their devices are Internet-reachable. In fact, concerns that foreign-made routers might deliberately include such weaknesses — almost all SOHO and consumer-grade routers in the US fall into this category — recently prompted the US government to ban the import of new models of routers made outside the US.
The NCSC and other cyber agencies who issued this week's advisory recommend that organizations develop a clear picture of their network edge devices and all the assets that should be connecting with them. Organizations should baseline normal connections, like those from corporate VPNs, while looking out for unusual connections like one from a consumer broadband range.
Larger organizations should consider building geographic IP allow lists, profiling incoming connections on factors such as operating system, time zone, and configuration settings, and implementing zero-trust policies for incoming connections. Organizations most at risk should consider actively tracking the activities of China-nexus APTs, conducting threat hunting, and tracking and mapping the covert networks that industry or government threat intelligence sources report on.
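The baseline-then-flag approach the advisory recommends, as an added illustration that is not part of the article or the advisory: a small script that checks edge-device authentication events against a baseline of expected corporate VPN ranges, a consumer-broadband allocation, and a geographic allowlist. All ranges, the GeoIP table, and the log lines are constructed stand-ins; a real deployment would use the organization's own baseline and a proper GeoIP source.

```python
import ipaddress
import re

# Constructed stand-ins for an organization's own data: the baseline of expected
# corporate VPN egress ranges, a consumer-broadband block, and a tiny GeoIP table.
BASELINE = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
CONSUMER_BROADBAND = [ipaddress.ip_network("192.0.2.0/24")]
GEO = {"198.51.100.0/24": "GB", "203.0.113.0/24": "US",
       "192.0.2.0/24": "US", "100.64.0.0/10": "XX"}
ALLOWED_COUNTRIES = {"GB", "US"}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed edge-device authentication log, four events.
SAMPLE_LOG = """\
2026-04-23T08:02:11Z src=198.51.100.17 user=alice result=success
2026-04-23T08:05:40Z src=203.0.113.9 user=bob result=success
2026-04-23T03:14:02Z src=192.0.2.45 user=alice result=success
2026-04-23T03:15:30Z src=100.64.1.5 user=carol result=failure
"""

def country_of(addr: ipaddress.IPv4Address) -> str:
    # Linear scan of the constructed GeoIP table; "??" if nothing matches.
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"

def classify(src: str) -> dict:
    """Return 'baseline' for expected sources; otherwise list why it needs review."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in BASELINE):
        return {"src": src, "verdict": "baseline", "reasons": []}
    reasons = ["not in connection baseline"]
    if any(addr in n for n in CONSUMER_BROADBAND):
        reasons.append("consumer-broadband source")
    cc = country_of(addr)
    if cc not in ALLOWED_COUNTRIES:
        reasons.append(f"outside geo allowlist ({cc})")
    return {"src": src, "verdict": "review", "reasons": reasons}

def review(log: str) -> list:
    """Parse the log and return the events whose source deviates from the baseline."""
    flagged = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        verdict = classify(m["src"])
        if verdict["verdict"] != "baseline":
            flagged.append({**m.groupdict(), "reasons": verdict["reasons"]})
    return flagged
```

Because the flagging keys on deviation from the organization's own baseline rather than on a fixed list of bad addresses, it keeps working as botnet nodes churn.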
It is also important for organizations not to think of the threat as coming purely from nation-state-backed groups, says John Gallagher, vice president of Viakoo Labs at Viakoo. "For years now cyber criminals have been forming and managing botnet armies 'for hire'; the strong growth of the volume and velocity of DDoS attacks is a direct proxy of how infected IoT devices are," he says. Even without nation-state involvement, cybercriminals can still profit from a botnet army through activities such as cryptojacking or credential stuffing. "Rather than focus on the 'who' — which is likely to be a hybrid of criminal organizations alongside of nation states — organizations should focus on 'what' and 'what to do'," he advises.
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.