

Ethical Hacking News

Chinese Hackers Utilize Sophisticated Proxy Networks to Evade Detection




A joint advisory issued by the UK's National Cyber Security Centre (NCSC-UK) and international partners has warned that Chinese hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection. These massive botnets allow them to disguise their malicious activity, making it challenging for defenders to detect and mitigate these attacks.

The advisory highlights the growing threat posed by Chinese hacking groups, which have switched from individually procured infrastructure toward vast botnets of compromised devices. The NCSC-UK advises network defenders to implement multifactor authentication, map network edge devices, leverage dynamic threat feeds, and apply IP allowlists, zero-trust controls, and machine certificate verification to protect themselves against this growing threat.


  • The UK's National Cyber Security Centre (NCSC-UK) has warned of a significant threat to global cyber security due to sophisticated proxy networks used by Chinese hackers.
  • These large-scale networks, primarily comprising hijacked consumer devices, have become a major concern for international partners and agencies.
  • The majority of China-nexus threat actors are using these networks, with multiple covert networks being created and constantly updated.
  • Examples of Chinese botnets include Raptor Train and KV-Botnet, which were linked to malicious activity attributed to state-sponsored groups.
  • Traditional defenses based on blocking static lists of malicious IP addresses are becoming less effective due to the continuous addition of new compromised nodes.
  • Western intelligence agencies advise network defenders to implement multifactor authentication, map network edge devices, and leverage dynamic threat feeds to mitigate this threat.



    The cyber security landscape has witnessed a significant evolution in recent years, with the emergence of sophisticated proxy networks being used by Chinese hackers to evade detection. A joint advisory issued by the UK's National Cyber Security Centre (NCSC-UK) and international partners has warned that these large-scale networks, primarily comprising hijacked consumer devices such as small office and home office routers, internet-connected cameras, video recorders, and network-attached storage (NAS) equipment, have become a significant threat to global cyber security.

    The advisory, which was co-signed by agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, highlights the increasing use of these massive botnets by Chinese hacking groups to disguise their malicious activity. These networks allow hackers to route traffic through chains of compromised devices, entering the network at one point, passing through multiple intermediate nodes, and exiting near the intended target to avoid geographic detection.

    The NCSC-UK believes that the majority of China-nexus threat actors are using these networks, with multiple covert networks being created and constantly updated. A single covert network may be used by multiple actors at the same time, further complicating the task of detecting and mitigating these attacks.

    One such massive Chinese botnet, known as Raptor Train, infected more than 260,000 devices worldwide in 2024 and was linked to malicious activity attributed to the Chinese state-sponsored Flax Typhoon hacking group and Chinese company Integrity Technology Group (sanctioned in January 2025). The FBI disrupted Raptor Train with help from researchers at Black Lotus Labs after linking it to campaigns targeting entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, primarily in the U.S. and Taiwan.

    Another network, known as KV-Botnet, was used by the Chinese state-backed Volt Typhoon threat group and consisted primarily of vulnerable Cisco and Netgear routers that were out of date and no longer received security patches. The FBI also disrupted KV-Botnet by wiping malware from infected routers in January 2024, but Volt Typhoon slowly started reviving it in November 2024 after an initial failed attempt in February.

    The NCSC-UK's Director of Operations, Paul Chichester, stated that "botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks." He warned that traditional defenses based on blocking static lists of malicious IP addresses are becoming less effective as these botnets continuously add new compromised nodes.

    In response to this growing threat, Western intelligence agencies advise network defenders at small, medium, and large organizations to implement multifactor authentication, map network edge devices, leverage dynamic threat feeds that include known covert network indicators, and, where possible, apply IP allowlists, zero-trust controls, and machine certificate verification.
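    The following is an added example, not taken from the advisory or the original article, of how the recommended controls layer on a remote-access gateway: a threat feed whose indicators expire, then machine certificate, IP allowlist and MFA checks, so a newly compromised node that no feed lists yet is still refused. The event field names, the 7-day indicator lifetime and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data (documentation address ranges, not real indicators).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/28")]  # assumed partner/VPN egress range
FEED_TTL = timedelta(days=7)                            # assumed indicator lifetime

def load_feed(entries, now):
    """Keep only indicators seen within FEED_TTL; covert-network nodes churn quickly."""
    return {ipaddress.ip_address(ip) for ip, last_seen in entries
            if now - last_seen <= FEED_TTL}

def evaluate(event, feed, allowlist=ALLOWLIST):
    """Return (decision, reason) for one remote-access login event."""
    src = ipaddress.ip_address(event["src_ip"])
    if src in feed:
        return "deny", "source is a current covert-network indicator"
    if not event["machine_cert_ok"]:
        return "deny", "no valid machine certificate"
    if not any(src in net for net in allowlist):
        return "deny", "source outside IP allowlist"
    if not event["mfa_ok"]:
        return "deny", "MFA not completed"
    return "allow", "allowlisted source, machine certificate and MFA verified"

def triage(events, feed_entries, now):
    """Evaluate every event against the feed as it stands at time `now`."""
    feed = load_feed(feed_entries, now)
    return [(e["user"], *evaluate(e, feed)) for e in events]

NOW = datetime(2026, 4, 23, tzinfo=timezone.utc)
FEED_ENTRIES = [
    ("203.0.113.10", NOW - timedelta(days=1)),   # recently reported node
    ("203.0.113.77", NOW - timedelta(days=90)),  # stale entry, aged out of the feed
]
EVENTS = [
    {"user": "alice", "src_ip": "198.51.100.5", "machine_cert_ok": True,  "mfa_ok": True},
    {"user": "bob",   "src_ip": "203.0.113.10", "machine_cert_ok": True,  "mfa_ok": True},
    # Fresh compromised node: valid credentials and MFA, on no feed yet.
    {"user": "carol", "src_ip": "192.0.2.44",   "machine_cert_ok": False, "mfa_ok": True},
    {"user": "dave",  "src_ip": "203.0.113.77", "machine_cert_ok": True,  "mfa_ok": True},
]

if __name__ == "__main__":
    for user, decision, reason in triage(EVENTS, FEED_ENTRIES, NOW):
        print(f"{user:6} {decision:5} {reason}")
```

    Only the second event is caught by the feed; the third and fourth are refused by the certificate and allowlist checks, which do not depend on anyone having reported the source address.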

    The emergence of sophisticated proxy networks being used by Chinese hackers to evade detection highlights the evolving nature of cyber threats. As these networks continue to grow in complexity and scope, it is essential for organizations and individuals alike to stay vigilant and take proactive measures to protect themselves against this growing threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Chinese-Hackers-Utilize-Sophisticated-Proxy-Networks-to-Evade-Detection-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/uk-warns-of-chinese-hackers-using-botnets-of-hijacked-consumer-devices-to-evade-detection/

  • https://www.theguardian.com/technology/2026/apr/23/china-cyber-hacker-using-everyday-devices-hack-uk-firms

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://cloud.google.com/security/resources/insights/apt-groups


  • Published: Thu Apr 23 08:38:51 2026 by llama3.2 3B Q4_K_M












