Chinese-linked hacking groups are increasingly relying on large networks of compromised internet-connected devices, including home routers, printers, webcams and other smart systems, to conceal cyber espionage activity targeting Western organisations, according to a joint warning from intelligence agencies across multiple countries. The advisory, issued by the Five Eyes intelligence-sharing alliance comprising the United Kingdom, United States, Canada, Australia and New Zealand, alongside several partner nations, highlights that these networks are now being used at scale to mask malicious operations and bypass conventional security monitoring systems. The UK’s National Cyber Security Centre (NCSC) has confirmed that such techniques are no longer isolated but are instead widely adopted by multiple China-linked threat groups operating globally.
Officials report that these actors exploit unpatched vulnerabilities in internet-facing devices to build distributed networks of infected systems, which are then used as staging points for attacks. These compromised devices allow attackers to route traffic through legitimate infrastructure, making it significantly harder for defenders to identify suspicious activity using traditional indicators of compromise. Security agencies warn that this approach reduces the effectiveness of static IP blocking methods, as infected devices may be located within the same geographic regions as targeted organisations, meaning malicious traffic can appear legitimate. According to NCSC chief Richard Horne, China’s intelligence and military cyber operations have reached a high level of sophistication, with attackers continuously adapting to evade detection and attribution.
The advisory explains that these covert networks are used across multiple stages of cyber operations, including reconnaissance, malware delivery, command and control, and data exfiltration. By leveraging infected systems such as routers, VPN gateways and remote access tools, attackers can blend malicious activity into normal network traffic. Agencies advise organisations to shift toward intelligence-driven defence strategies, including detailed monitoring of traffic originating from internet-connected devices and remote access channels. They also recommend profiling inbound connections based on operating systems, time zones and configuration patterns to identify anomalies, as well as strengthening authentication controls through multifactor authentication for remote access systems.
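As an added illustration of the connection-profiling advice above (this is not code from the advisory or the NCSC), the following Python compares each new remote-access login's client operating system, time zone and client configuration string against a per-user baseline built from constructed sample log records; the field names, values and the threshold of two deviating attributes are assumptions.

```python
"""Profile inbound remote-access logins against a per-user baseline of client
OS, time zone and client configuration (added example, constructed data)."""
from collections import defaultdict

# Constructed sample log records: (user, client_os, tz_offset, client_cfg, src_ip)
HISTORY = [
    ("alice", "Windows 11", "+00:00", "vpnclient/5.2;mtu1400", "203.0.113.10"),
    ("alice", "Windows 11", "+00:00", "vpnclient/5.2;mtu1400", "203.0.113.11"),
    ("alice", "Windows 11", "+01:00", "vpnclient/5.2;mtu1400", "203.0.113.10"),
    ("bob", "macOS 14", "-05:00", "vpnclient/5.3;mtu1500", "198.51.100.7"),
    ("bob", "macOS 14", "-05:00", "vpnclient/5.3;mtu1500", "198.51.100.8"),
]
FIELDS = ("client_os", "tz_offset", "client_cfg")

def build_baseline(history):
    """Per-user set of previously seen values for each profiled attribute."""
    base = defaultdict(lambda: {f: set() for f in FIELDS})
    for user, os_, tz, cfg, _ip in history:
        for field, value in zip(FIELDS, (os_, tz, cfg)):
            base[user][field].add(value)
    return base

def score_login(baseline, user, os_, tz, cfg):
    """Return the attributes that deviate from the user's baseline. The
    source IP is deliberately not scored: a compromised home router in the
    victim's own region looks geographically legitimate."""
    if user not in baseline:
        return ["unknown_user"]
    return [f for f, v in zip(FIELDS, (os_, tz, cfg)) if v not in baseline[user][f]]

def triage(history, new_logins, threshold=2):
    """Flag logins from unknown users or with >= threshold deviating attributes."""
    baseline = build_baseline(history)
    flagged = []
    for user, os_, tz, cfg, ip in new_logins:
        dev = score_login(baseline, user, os_, tz, cfg)
        if "unknown_user" in dev or len(dev) >= threshold:
            flagged.append((user, ip, dev))
    return flagged

# Constructed new logins: the second comes from the same address range as
# alice's usual logins but with a different OS, time zone and client build.
NEW = [
    ("alice", "Windows 11", "+01:00", "vpnclient/5.2;mtu1400", "203.0.113.12"),
    ("alice", "Linux 5.15", "+08:00", "openconnect/9.1;mtu1380", "203.0.113.77"),
]
if __name__ == "__main__":
    for user, ip, dev in triage(HISTORY, NEW):
        print(f"ALERT user={user} src={ip} deviations={dev}")
```

The second constructed login is flagged even though its source address sits in the same range as the user's normal traffic, which is the point of profiling on client attributes rather than on IP geography alone.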
The Five Eyes advisory links these techniques to several China-associated advanced persistent threat groups, including Volt Typhoon and Flax Typhoon. Volt Typhoon has reportedly maintained long-term covert access to critical infrastructure networks in sectors such as energy, communications, transport and water services in the United States, in some cases for periods exceeding five years. Flax Typhoon has been associated with a botnet of approximately 260,000 compromised devices spanning routers, firewalls, webcams and CCTV systems, which has been used for cyber espionage operations across multiple regions. The report also references commercially supported hacking ecosystems, where China-based firms such as Integrity Technology Group have allegedly operated large-scale infected device networks, including one known as Raptor Train that reportedly included more than 200,000 compromised devices worldwide in 2024.
Security agencies further warn that these infrastructures are highly dynamic, with endpoints constantly changing, making traditional defence mechanisms less effective. Multiple groups may also share or simultaneously use the same botnets, adding complexity to attribution and response efforts. The advisory calls for organisations to actively track advanced persistent threat indicators provided by national cyber authorities, implement adaptive security rules, and maintain continuous visibility over network traffic sources. Paul Chichester, director of operations at NCSC, noted that cyber groups linked to China have deliberately shifted toward using compromised infrastructure to hide malicious activity and avoid accountability, urging organisations to strengthen defences across all connectivity layers, including often overlooked edge devices and peripheral systems.