Hackers working for the Chinese government are increasingly hiding their attacks behind ready-made networks of hacked routers and other networking equipment, the U.S. and several allies said on Thursday.
Attackers’ use of these so-called covert networks is not new, the agencies said in a joint advisory, “but China-nexus cyber actors are now using them strategically, and at scale.”
By funneling their activity through compromised networking equipment — mostly small office and home office (SOHO) routers, but also internet of things devices — hackers can obfuscate their origins and make it harder for defenders to spot reconnaissance, malware deployment and data exfiltration.
China-linked hackers used the KV Botnet, which included hundreds of malware-infected devices, for the Volt Typhoon attacks on U.S. critical infrastructure, and the Raptor Train botnet, which included more than 200,000 devices, for the Flax Typhoon attacks on Taiwan. Justice Department operations disrupted both of those botnets by removing the hackers’ malware from the infected devices.
Another China-linked SOHO botnet supported “a vast, prolonged intrusion operation” against Japan and Taiwan, according to a June 2025 report from SecurityScorecard, which dubbed the botnet LapDog.
The U.S. and its allies have evidence that Chinese cybersecurity companies build and maintain covert networks for Beijing’s use, according to the new advisory.
The Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, and the Department of Defense’s Cyber Crime Center issued the alert with cybersecurity and intelligence agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain and Sweden.
Router hacking frenzy
Other governments have used botnets to disguise their cyberattacks. In April, the FBI erased malware from SOHO routers that Russia’s military intelligence agency was using to hack government and critical infrastructure organizations.
Concerns about routers’ security vulnerabilities have grown so intense that the Federal Communications Commission in March banned the import of foreign-made routers, saying the devices represented too great of a supply-chain risk. In mid-April, the FCC exempted Netgear routers from the ban.
What defenders can do
To prevent their internet-connected devices from becoming part of a covert network, the advisory said, security professionals should map their networks, develop clear understandings of what normal connectivity looks like, consult threat intelligence about botnets and require remote connections to use multifactor authentication.
High-risk organizations should consider using IP allowlisting and other access controls to limit external connections, requiring SSL certificates, segmenting networks and otherwise applying zero-trust principles, according to the advisory.
“If a particular threat group could now come from one of many covert networks, each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors, old network defense paradigms of static malicious IP block lists will be less effective,” the advisory warned. “This is compounded by the dynamic nature of these networks where new nodes will be added as old devices are patched or removed from use.”
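The advisory's argument in the passage above (baseline normal connectivity, allowlist approved destinations, and do not rely on a static block list against a network whose nodes rotate) can be shown in a few dozen lines. The following is an added example, not code from the advisory or from any of the issuing agencies; the flow records are constructed, the RFC 1918 ranges are assumed to be "internal", and the RFC 5737 documentation ranges (198.51.100.0/24, 203.0.113.0/24) stand in for external addresses and for rotating relay nodes.

```python
"""Compare a static IP block list with a per-host baseline plus allowlist.

Added example (not from the advisory). Illustrates why a block list built from
last month's indicators misses nodes that have since joined a covert network,
while a baseline of normal external connectivity still flags them.
"""
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 space is "internal"; everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_host, dst_ip, dst_port, bytes_out).
# Documentation ranges are used so nothing here points at a real address.
BASELINE_FLOWS = [                             # a "normal" week
    ("ws-01", "10.0.0.5", 445, 4_000),         # internal file server
    ("ws-01", "198.51.100.5", 443, 12_000),    # approved SaaS endpoint
    ("ws-02", "198.51.100.5", 443, 9_000),
    ("ws-02", "10.0.0.5", 445, 3_000),
    ("srv-db", "10.0.0.9", 5432, 50_000),
]
OBSERVED_FLOWS = [                             # a later window
    ("ws-01", "198.51.100.5", 443, 11_000),    # normal
    ("ws-01", "203.0.113.10", 443, 80_000),    # relay node already on the block list
    ("ws-02", "203.0.113.77", 443, 95_000),    # relay node added after the list was built
    ("srv-db", "203.0.113.201", 22, 400_000),  # DB server talking outbound: never normal
    ("ws-02", "10.0.0.5", 445, 3_500),         # normal
]

# Block list derived from older indicators: a single node the operators can rotate away from.
STATIC_BLOCKLIST = {"203.0.113.10"}
# External destinations the organisation has explicitly approved.
APPROVED_EXTERNAL = {"198.51.100.5"}


def is_external(ip: str) -> bool:
    """True unless the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Map each source host to the external (dst_ip, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_external(dst):
            baseline[src].add((dst, port))
    return dict(baseline)


def blocklist_hits(flows, blocklist):
    """The old paradigm: flag only destinations already known to be bad."""
    return [f for f in flows if f[1] in blocklist]


def find_deviations(flows, baseline, allowlist):
    """Flag external connections that are neither allowlisted nor part of the
    source host's own baseline. New relay nodes are caught without any
    prior knowledge of their addresses."""
    flagged = []
    for flow in flows:
        src, dst, port, _ = flow
        if not is_external(dst):
            continue
        if dst in allowlist or (dst, port) in baseline.get(src, set()):
            continue
        flagged.append(flow)
    return flagged


def compare_approaches(baseline_flows, observed_flows):
    """Return how many suspicious flows each approach surfaces on the same data."""
    baseline = build_baseline(baseline_flows)
    return {
        "static_blocklist": len(blocklist_hits(observed_flows, STATIC_BLOCKLIST)),
        "baseline_plus_allowlist": len(
            find_deviations(observed_flows, baseline, APPROVED_EXTERNAL)),
    }


if __name__ == "__main__":
    print(compare_approaches(BASELINE_FLOWS, OBSERVED_FLOWS))
    for flow in find_deviations(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS),
                                APPROVED_EXTERNAL):
        print("review:", flow)
```

On the constructed data the block list surfaces one flow while the baseline-plus-allowlist check surfaces three, including the two nodes that joined after the list was compiled. In practice the baseline would come from weeks of flow or proxy logs and the allowlist from a change-controlled inventory; the point the advisory makes is that the detection then keys on what is normal for each host rather than on a list of addresses that the adversary can change at will.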
Correction: A previous version of this story misstated the extent of Netgear’s exception to the FCC router import ban.
