China-linked threat actors have shifted from individually procured infrastructure to large-scale covert networks and botnets built from compromised SOHO routers, IoT, and other edge devices, the NCSC warns. The NCSC and partner agencies issued an advisory urging organizations to map and baseline edge-device traffic, monitor VPN and remote access connections, and adopt dynamic threat-feed filtering using known covert-network indicators. #FlaxTyphoon #IntegrityTechnologyGroup
Key points
- China-nexus groups increasingly use covert networks and botnets composed of compromised routers and IoT/smart devices.
- The NCSC, Cyber League, and partners published a joint advisory to help organizations defend against these networks.
- The advisory urges mapping and baselining of edge-device traffic and close monitoring of VPN and remote-access connections.
- Organizations should adopt dynamic threat-feed filtering that includes known covert-network indicators.
- Covert networks are often created and maintained externally by China-based firms and have been linked to Flax Typhoon and Integrity Technology Group, which faced EU sanctions.
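The baselining and threat-feed filtering steps above, sketched as an added example that comes from neither the advisory nor the original article. The log format, the `/24` baseline granularity, and the feed entries (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed indicator feed (RFC 5737 documentation ranges, not real indicators).
FEED = ["203.0.113.0/24", "198.51.100.64/26"]
# Constructed VPN gateway log lines; the line format is an assumption.
BASELINE_LOG = """\
2026-04-01T08:01:12Z vpn-gw1 user=alice src=192.0.2.10 action=connect
2026-04-02T09:15:02Z vpn-gw1 user=bob src=198.51.100.5 action=connect
"""
NEW_LOG = """\
2026-04-20T08:00:31Z vpn-gw1 user=alice src=192.0.2.45 action=connect
2026-04-20T03:12:09Z vpn-gw1 user=alice src=203.0.113.9 action=connect
2026-04-20T03:14:55Z vpn-gw1 user=bob src=198.51.100.70 action=connect
2026-04-20T10:22:18Z vpn-gw1 user=bob src=192.0.2.200 action=connect
"""
LINE_RE = re.compile(r"user=(\S+) src=(\S+) action=connect")

def parse(log):
    """Yield (user, ip) per connect event; skip lines that do not parse."""
    for m in LINE_RE.finditer(log):
        try:
            yield m.group(1), ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address field

def build_baseline(log, prefix=24):
    """Map each user to the /prefix networks seen in the baseline window."""
    seen = {}
    for user, ip in parse(log):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        seen.setdefault(user, set()).add(net)
    return seen

def triage(log, baseline, feed):
    """Yield (user, ip, verdict); a feed match outranks the user's own baseline."""
    nets = [ipaddress.ip_network(c) for c in feed]
    for user, ip in parse(log):
        if any(ip in n for n in nets):
            verdict = "feed-match"
        elif any(ip in n for n in baseline.get(user, ())):
            verdict = "baseline"
        else:
            verdict = "new-source"
        yield user, str(ip), verdict

if __name__ == "__main__":
    for row in triage(NEW_LOG, build_baseline(BASELINE_LOG), FEED):
        print(*row)
```

The third constructed event shows why the feed check runs first: the source sits inside a network the user has connected from before, yet the narrower feed entry still flags it.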
Read More: https://www.helpnetsecurity.com/2026/04/24/ncsc-china-covert-networks-advisory/