China-Nexus Covert Networks: Defending Against SOHO-Based Botnets
- [01] Immediate impact: State-sponsored actors use global botnets to mask reconnaissance, malware delivery, and data exfiltration while targeting critical national infrastructure.
- [02] Affected systems: Small Office Home Office routers, IoT devices, web cameras, and Network Attached Storage systems, particularly those at end-of-life.
- [03] Remediation: Implement multifactor authentication, transition to Zero Trust architectures, and apply IP address allowlists for corporate VPN connections.
A joint cybersecurity advisory issued by the United States, United Kingdom, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden highlights a major tactical shift by China-nexus APT actors. According to CISA and its international partners, threat actors are moving away from individually procured infrastructure and instead using large-scale covert networks of compromised devices to route their cyber activity.
These networks, often referred to as Operational Relay Box (ORB) networks, primarily consist of compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, firewalls, and Network Attached Storage (NAS) systems. By routing traffic through these systems, adversaries can effectively disguise the origin of their operations, making attribution and IoC tracking significantly more difficult for defenders.
Evolution of China-Nexus Infrastructure Tactics
The strategic use of botnets is not a new phenomenon, but the scale and sophistication currently employed by China-nexus actors represent a significant escalation. These covert networks are used throughout the entire Cyber Kill Chain: reconnaissance scanning, malware delivery, command-and-control (C2) communication, and exfiltration of stolen data. The networks also provide anonymous internet browsing, allowing actors to research targets and exploitation techniques without revealing their true identity.
A primary driver for this shift is the concept of “IoC Extinction.” Traditional network defense relies on static blocklists of malicious IP addresses. However, when an adversary can rotate through hundreds of thousands of legitimate consumer IP addresses within a covert network, static defenses fail. The dynamic nature of these networks, where nodes are constantly added or removed, renders traditional perimeter-based security less effective.
How to detect China-nexus covert networks
Identifying these networks requires moving beyond simple IP reputation. Defenders should analyze NetFlow data to identify suspicious multi-hop patterns and profile connections to corporate VPNs. Connections originating from consumer broadband ranges to sensitive enterprise endpoints should be treated as high-risk. Security teams can also track these networks by monitoring specific banners and certificates associated with known botnet management interfaces.
Case Studies: Raptor Train and KV Botnet
Recent investigations have identified several massive covert networks managed by Chinese information security companies. A prominent example is the Raptor Train network, which infected over 200,000 devices globally in 2024. This network was managed by the Integrity Technology Group, a company linked by the FBI to the activity of the threat actor known as Flax Typhoon. Raptor Train utilized a diverse array of hardware, including web cameras, video recorders, and SOHO routers, to provide an obfuscated path for espionage operations.
Similarly, the Volt Typhoon group utilized the KV Botnet to pre-position offensive capabilities on critical national infrastructure. The KV Botnet was composed largely of vulnerable Cisco and Netgear routers that had reached end-of-life status. Because these devices no longer receive security patches, they remain permanently vulnerable to known exploits, providing a stable foundation for long-term covert operations. The use of these networks by Volt Typhoon is particularly concerning because it facilitates Lateral Movement within sensitive networks while maintaining a low profile.
Defensive Strategies and Mitigation Guide
Defending against adversaries who utilize geographically distributed botnets requires a layered approach that prioritizes authentication and traffic profiling. Organizations must transition from reactive blocking to proactive monitoring of edge device behavior.
Volt Typhoon botnet mitigation steps
To counter the TTPs used by groups like Volt Typhoon, defenders should implement the following controls:
- Hardened Remote Access: Implement multifactor authentication for all remote connections. For high-risk environments, apply IP address allowlists rather than deny lists to ensure only known, authorized remote worker IPs can access corporate VPNs.
- Network Visibility: Map and inventory all network edge devices. Establish a baseline for normal connection patterns and investigate anomalies, such as connections occurring outside of standard time zones or using unexpected operating system profiles.
- Zero Trust Integration: Transitioning to a Zero Trust architecture reduces the reliance on network location as a proxy for trust. Use machine certificates for SSL connections to ensure only managed devices can communicate with internal services.
- Lifecycle Management: Aggressively retire and replace end-of-life SOHO and IoT devices. Ensure all internet-facing hardware is running the latest firmware and is capable of providing logging data to a SIEM for analysis.
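The detection approach described earlier (profiling VPN connections from consumer broadband ranges) and the Hardened Remote Access and Network Visibility controls above can be combined into a single triage pass over VPN authentication records. The following is an added example, not code from the advisory or any vendor; the allowlist prefixes, the consumer broadband range, the business-hours window, the managed OS profiles and the log records are all constructed placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed allowlist of known remote-worker source networks (placeholder prefixes).
ALLOWLIST = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.8/32")]
# Constructed placeholder for consumer broadband ranges; a real deployment would
# derive these from ISP/ASN data rather than a hard-coded list.
CONSUMER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# Baseline: normal working hours (UTC) and OS profiles the managed fleet presents.
BUSINESS_HOURS = range(7, 20)
MANAGED_OS = {"Windows 11", "macOS 14"}

def in_any(ip, networks):
    return any(ip in net for net in networks)

def assess(record):
    """Score one VPN connection record; returns (risk, reasons)."""
    ip = ipaddress.ip_address(record["src_ip"])
    hour = datetime.fromisoformat(record["time"]).hour
    reasons = []
    if not in_any(ip, ALLOWLIST):
        reasons.append("source not on remote-worker allowlist")
    if in_any(ip, CONSUMER_RANGES):
        reasons.append("source in consumer broadband range")
    if hour not in BUSINESS_HOURS:
        reasons.append("outside baseline hours")
    if record["os"] not in MANAGED_OS:
        reasons.append("unexpected OS profile")
    # Two or more independent signals together mark a connection as high risk.
    risk = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return risk, reasons

def triage(records):
    """Return (user, src_ip, risk, reasons) for non-low records, highest risk first."""
    order = {"high": 0, "medium": 1}
    rows = [(r["user"], r["src_ip"], *assess(r)) for r in records]
    return sorted((row for row in rows if row[2] != "low"), key=lambda row: order[row[2]])

# Constructed sample VPN authentication records (not real data).
SAMPLE = [
    {"user": "alice", "src_ip": "198.51.100.23", "time": "2024-05-06T09:15:00", "os": "Windows 11"},
    {"user": "bob", "src_ip": "192.0.2.77", "time": "2024-05-06T03:42:00", "os": "Linux"},
    {"user": "carol", "src_ip": "203.0.113.8", "time": "2024-05-06T22:10:00", "os": "macOS 14"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

In an allowlist-only deployment the first check alone would block the session; the remaining signals are what let a SOC still catch an allowlisted source that has started behaving like a relay node.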
Finally, organizations with advanced capabilities should track covert networks as distinct threats. By leveraging MITRE ATT&CK mappings—specifically T1584.005 (Compromise Infrastructure: Botnet) and T1090.003 (Proxy: Multi-hop Proxy)—SOC teams can better align their detection logic with the reality of modern Chinese state-sponsored operations.