China-Nexus Botnets Pivot to Global Covert Device Networks

1 min read
Source: CISA (.gov)
TL;DR Summary

Joint NCSC-UK advisory warns that China-nexus actors increasingly rely on large, dynamic networks of compromised devices—primarily SOHO routers and IoT gear—to conduct reconnaissance, malware delivery, C2, and data exfiltration, enabling operations at scale with limited attribution. Because these covert networks are constantly updated and may be shared by multiple actors, static IP blocks are less effective. Defenders should map and baseline edge devices, enable MFA for remote access, apply zero-trust and machine certificates, reduce internet-facing exposure, and use threat feeds, NetFlow, and dynamic blocklists; pursue active hunting for suspected covert-network activity, and follow Cyber Essentials plus MITRE ATT&CK-aligned defenses. Basic best practices—keep systems updated, prevent lateral movement, log events, deploy host-based IDS, and manage supply-chain risk—remain essential.
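The summary's point that static IP blocks lose value against rented, constantly rotating device networks is easier to see with a concrete check. The following is an added example, not code from the advisory or from CISA/NCSC: it ages indicators out of a blocklist by their last-seen time (a dynamic list rebuilt from a threat feed) and then matches NetFlow-style records against that list. The feed entries, flow records, field names, the 14-day age-out window and the RFC 5737 documentation addresses are all constructed for illustration and are not real IoCs.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed threat-feed entries (documentation-range addresses, not real IoCs).
# Each indicator carries the time it was last observed acting as a node of a
# covert device network. A real feed would supply this field per indicator.
FEED = [
    {"ip": "203.0.113.10", "last_seen": "2024-05-01T00:00:00"},
    {"ip": "198.51.100.22", "last_seen": "2024-03-01T00:00:00"},  # stale: node rotated out
    {"ip": "192.0.2.77", "last_seen": "2024-05-03T12:00:00"},
]

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2024-05-04T09:00:00", "10.0.0.5", "203.0.113.10", 443, 120000),
    ("2024-05-04T09:05:00", "10.0.0.8", "198.51.100.22", 443, 5000),
    ("2024-05-04T09:07:00", "192.0.2.77", "10.0.0.9", 22, 800),
    ("2024-05-04T09:10:00", "10.0.0.5", "93.184.216.34", 443, 3000),
]

# Assumed evaluation time and age-out window for the walkthrough.
NOW = datetime.fromisoformat("2024-05-04T10:00:00")
MAX_AGE = timedelta(days=14)


def build_blocklist(feed, now, max_age):
    """Return the set of feed IPs (normalized strings) still within max_age of
    their last sighting. Older indicators are dropped: once a node leaves the
    rented network, blocking it only produces false positives, and the list
    must keep taking in newly reported nodes to stay useful."""
    active = set()
    for entry in feed:
        last_seen = datetime.fromisoformat(entry["last_seen"])
        if now - last_seen <= max_age:
            active.add(str(ip_address(entry["ip"])))  # validates and normalizes
    return active


def static_blocklist(feed):
    """A block that never ages out: every IP ever listed stays blocked."""
    return {str(ip_address(entry["ip"])) for entry in feed}


def flag_flows(flows, blocklist):
    """Return flows whose source or destination is on the blocklist, in the
    order seen. Matching both directions catches inbound reconnaissance from a
    covert node as well as outbound C2 or exfiltration to one."""
    hits = []
    for ts, src, dst, port, nbytes in flows:
        if src in blocklist or dst in blocklist:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": port, "bytes": nbytes})
    return hits


if __name__ == "__main__":
    dynamic = build_blocklist(FEED, NOW, MAX_AGE)
    for hit in flag_flows(FLOWS, dynamic):
        print("dynamic hit:", hit)
    stale = static_blocklist(FEED) - dynamic
    print("indicators the static list still blocks but the dynamic list dropped:", stale)
```

Running it flags the flow to 203.0.113.10 and the inbound SSH attempt from 192.0.2.77, while the March indicator is dropped from the dynamic list; the static list keeps blocking it. In practice the feed is refreshed on a schedule and the blocklist rebuilt each time, so the list tracks the network as nodes join and leave rather than freezing a snapshot.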
