
UK warns of Chinese hackers using proxy networks to evade detection

Why This Matters

The UK and international cybersecurity agencies have issued a warning about Chinese hackers increasingly using large-scale proxy networks of hijacked consumer devices to evade detection. This shift to vast botnets composed of compromised IoT and home devices poses significant challenges for cybersecurity defenses and increases the risk of targeted attacks across various sectors. Understanding these tactics is crucial for both industry professionals and consumers to better protect their networks and devices.

Key Takeaways

The United Kingdom's National Cyber Security Centre (NCSC-UK) and international partners warned that China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection and disguise their malicious activity.

This joint advisory, co-signed by agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, says the majority of Chinese hacking groups have switched from individually procured infrastructure toward vast botnets of compromised devices, primarily small office and home office routers, along with internet-connected cameras, video recorders, and network-attached storage (NAS) equipment.

These massive botnets allow the attackers to route traffic through chains of compromised devices, entering the network at one point, passing through multiple intermediate nodes, and exiting near the intended target so that the connection appears local and evades geography-based detection.

"The NCSC believes that the majority of China-nexus threat actors are using these networks [..], that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors," the joint advisory reads.

"These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices."

[Figure: Covert network basic setup (NCSC-UK)]

One such massive Chinese botnet, known as Raptor Train, infected more than 260,000 devices worldwide in 2024 and was linked by the FBI to malicious activity attributed to the Chinese state-sponsored Flax Typhoon hacking group and Chinese company Integrity Technology Group (sanctioned in January 2025).

The FBI disrupted Raptor Train in September 2024 with help from researchers at Black Lotus Labs after linking it to campaigns targeting entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, primarily in the U.S. and Taiwan.

A separate network (KV-Botnet) was used by the Chinese state-backed Volt Typhoon threat group and consisted primarily of vulnerable Cisco and Netgear routers that were out of date and no longer received security patches. The FBI also disrupted KV-Botnet by wiping malware from infected routers in January 2024, but Volt Typhoon slowly started reviving it in November 2024 after an initial failed attempt in February.

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks," said Paul Chichester, NCSC-UK's Director of Operations.
