Defending Against China-Nexus Covert Networks of Compromised Devices

China-nexus cyber actors are increasingly using large, dynamic covert networks of compromised SOHO routers, IoT and edge devices to route, hide and scale malicious activity such as reconnaissance, malware delivery, C2 and data exfiltration. These covert networks include named botnets like Raptor Train and KV Botnet and are managed using a mix of compromised devices and externally provisioned infrastructure to enable deniable, multi-actor operations. #RaptorTrain #VoltTyphoon

Keypoints

  • China-nexus actors have shifted from using individually procured infrastructure to large-scale covert networks composed mainly of compromised SOHO routers, IoT and smart devices.
  • Covert networks are used across the attack lifecycle—for reconnaissance, malware delivery, command-and-control, exfiltration, and deniable internet browsing by threat actors.
  • Some covert networks are created and maintained by commercial Chinese information security companies; Raptor Train (managed by Integrity Technology Group) infected over 200,000 devices in 2024.
  • Edge devices are often vulnerable because they are end-of-life or unpatched (e.g., Cisco and NetGear routers, web cameras, video recorders, NAS devices), allowing large-scale compromise.
  • The dynamic, multi-actor nature of covert networks reduces the effectiveness of static IOC blocklists and requires dynamic threat feeds, behavioral detection and allow-listing approaches.
  • NCSC guidance recommends mapping edge devices, baselining normal connections, multifactor authentication, IP/geographic allow lists for VPNs, zero trust, SSL machine certificates, NetFlow analysis and active hunting for covert network nodes.
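The two points above (dynamic networks defeat static blocklists; baseline normal connections, keep VPN allow lists, analyse NetFlow) can be turned into a small hunting routine. The block below is an added example, not code from the CISA or NCSC advisory: it learns, per edge device, which destinations that device normally talks to from a quiet window of NetFlow-style records, then flags two things in new records: an outbound connection to a destination the device has never used, and an inbound VPN session whose client address falls outside the organisation's IP allow list. Every device name, address and flow record is constructed sample data drawn from RFC 5737 documentation ranges; the `Flow` class, `build_baseline`, `check_flows` and the allow-list contents are assumptions of this example, not artefacts named on the page.

```python
"""Baseline-and-deviation check over NetFlow-style records from edge devices.

Added illustration; not code from the CISA/NCSC advisory. Every device name,
IP address and flow record below is constructed sample data (RFC 5737 ranges).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Key = Tuple[str, int, str]  # (destination IP, destination port, protocol)


@dataclass(frozen=True)
class Flow:
    exporter: str  # hypothetical name of the edge device that exported the record
    src: str
    dst: str
    dport: int
    proto: str


def build_baseline(flows: Iterable[Flow]) -> Dict[str, Set[Key]]:
    """Learn, per edge device, every (dst, dport, proto) seen during a quiet window."""
    baseline: Dict[str, Set[Key]] = defaultdict(set)
    for f in flows:
        baseline[f.exporter].add((f.dst, f.dport, f.proto))
    return dict(baseline)


def in_allow_list(ip: str, nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """True when the address falls inside any of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_flows(flows, baseline, vpn_gateways, vpn_allowed_nets) -> List[Tuple[str, Flow]]:
    """Return (finding_type, flow) pairs worth a hunt ticket."""
    findings: List[Tuple[str, Flow]] = []
    for f in flows:
        if f.dst in vpn_gateways:
            # Inbound VPN session: enforce the IP allow list on the client source.
            if not in_allow_list(f.src, vpn_allowed_nets):
                findings.append(("vpn_source_outside_allow_list", f))
            continue
        # Any other flow: compare against the device's learned destinations.
        if (f.dst, f.dport, f.proto) not in baseline.get(f.exporter, set()):
            findings.append(("new_outbound_destination", f))
    return findings


# --- constructed sample data -------------------------------------------------
VPN_GATEWAYS = {"198.51.100.1"}
# Constructed: the range staff are expected to connect from.
VPN_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

BASELINE_FLOWS = [
    Flow("edge-fw-1", "198.51.100.10", "203.0.113.5", 443, "tcp"),  # vendor update server
    Flow("edge-fw-1", "198.51.100.10", "203.0.113.20", 53, "udp"),  # resolver
    Flow("edge-fw-1", "198.51.100.10", "203.0.113.5", 443, "tcp"),
]

NEW_FLOWS = [
    Flow("edge-fw-1", "198.51.100.10", "203.0.113.5", 443, "tcp"),  # normal
    Flow("edge-fw-1", "198.51.100.10", "192.0.2.77", 8443, "tcp"),  # never seen before
    Flow("vpn-gw", "203.0.113.9", "198.51.100.1", 443, "tcp"),      # client in allowed range
    Flow("vpn-gw", "192.0.2.33", "198.51.100.1", 443, "tcp"),       # client outside allow list
]


def run_demo() -> List[Tuple[str, Flow]]:
    """Build the baseline from the quiet window and evaluate the new records."""
    baseline = build_baseline(BASELINE_FLOWS)
    return check_flows(NEW_FLOWS, baseline, VPN_GATEWAYS, VPN_ALLOWED_NETS)


if __name__ == "__main__":
    for kind, flow in run_demo():
        print(f"{kind}: {flow.exporter} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

In practice the baseline window would be replayed from a flow collector rather than a list literal, and the findings would feed a hunt queue rather than stdout. The allow-list check is the part that survives the operator rotating nodes: it does not care which address a covert-network exit uses today, only that it is not one the organisation expects.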

MITRE Techniques

  • [T1584.001] Compromise Infrastructure: Botnet – Botnets are used as core components of covert networks to provide large-scale compromised infrastructure for routing and operations (‘Botnets are used as core components of covert networks’)
  • [T1584.002] Compromise Infrastructure: Network Devices – Edge network devices (SOHO routers, firewalls, NAS) are compromised and enlisted into covert networks to act as traversal and exit nodes (‘Devices are compromised and added to botnets’)
  • [T1583.004] Acquire Infrastructure: Virtual Private Server – Virtual private servers are used as on-ramps into covert networks to provide initial access and management points (‘Virtual private servers (VPS) are used in covert networks, typically as on-ramps’)
  • [T1090.003] Proxy: Multi-hop Proxy – Actors route traffic through multiple compromised devices to obfuscate origin and provide deniable connectivity (‘Used by China-nexus cyber actors to route traffic’)

Indicators of Compromise

  • [Botnet names] Named covert networks used as infrastructure – Raptor Train, KV Botnet
  • [Device types] Types of compromised endpoints used in the networks – SOHO routers, web cameras and video recorders
  • [Vendor/device models] Targeted product examples indicating likely vulnerable targets – Cisco routers, NetGear routers
  • [Organization/actor names] Infrastructure operators and attributed actors – Integrity Technology Group, Flax Typhoon
  • [Network artifacts] Observable network-level indicators for tracking covert networks – SSL certificates (banners and certificates), VPS endpoints
  • [IP address ranges] Connection origins mentioned as a detection focus – consumer broadband ranges, ISP-assigned addresses hosting SOHO routers (no specific IPs provided)

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a