NSA, FBI, NCSC: China-Nexus Botnets of 200K+ Devices Now Power Global Cyber Operations
17 international agencies issue a joint advisory revealing a strategic shift by Chinese actors toward commercially-maintained covert networks, enabling full cyber kill chains against global critical infrastructure.
WASHINGTON, D.C. — In a massive display of intelligence community consensus, the National Security Agency (NSA), the FBI’s IC3, and the Cybersecurity and Infrastructure Security Agency (CISA) — alongside the UK’s NCSC and 13 other international partners — released comprehensive joint guidance today warning of an evolved Chinese cyber strategy. The agencies report that China-nexus threat actors have moved toward the use of large-scale, commercially maintained covert networks to mask their operations.
According to the NSA, these networks are composed of hundreds of thousands of compromised consumer devices — including SOHO routers, NAS units, and IoT hardware — which are used to facilitate the entire cyber kill chain. This shift marks an "evolution of tradecraft" intended to provide Chinese state-sponsored actors with a persistent, global launchpad for espionage and potential disruptive attacks against critical infrastructure.
The NCSC-UK and the FBI highlighted that these botnets are no longer just for simple proxying; they are now the backbone for reconnaissance, malware delivery, command-and-control (C2), and data exfiltration. This assessment comes just days after the NCSC warned that Russia, Iran, and China remain the primary drivers of threats against Western infrastructure, emphasizing the coordinated and sustained pressure on digital borders.
Intelligence Analysis: "IOC Extinction" and Commercial Backing
The strategic pivot relies on a concept the NSA describes as "IOC extinction." Because these networks utilize legitimate residential and small-business IP addresses that are constantly being cycled, traditional IP-based blocking and static threat feeds are effectively rendered obsolete. When a defender identifies a malicious IP, the actor has already moved their operation to a different node within the 200,000-device swarm.
Furthermore, the intelligence points to a sophisticated commercial ecosystem within China. Firms such as Integrity Technology Group are reportedly responsible for building and maintaining these botnets and covert networks as a service for state-sponsored actors. This commercialization allows threat groups like Flax Typhoon and Salt Typhoon to focus on their primary objectives while the heavy lifting of infrastructure maintenance is outsourced.
Targets: Critical Infrastructure at Risk
The 17-agency advisory makes it clear that the targets are not accidental. These covert networks are being positioned against:
- Telecommunications & Managed Service Providers (MSPs)
- Government and Military Entities
- Energy, Transport, and Water Systems
By embedding their traffic within the noise of everyday internet usage, Chinese actors can maintain a "low and slow" presence inside critical networks, ready to pivot from intelligence gathering to destructive action if commanded.
The CyberSignal Analysis
Signal 01 — The Death of the Static Indicator
This joint advisory signals the end of an era for defenders who rely on "pulling a list of bad IPs." When botnets reach the scale of the Raptor Train (200,000+ devices), the adversary is essentially moving at the speed of the internet itself. "IOC extinction" means defenders must shift their focus from who is connecting (the IP) to how they are connecting (behavioral patterns).
Signal 02 — The Commercialization of Statecraft
The involvement of private Chinese info-sec firms in building these networks represents a "military-civil fusion" that is difficult to combat. These firms provide the PRC with a level of deniability and a rapid development cycle that traditional government bureaucracies cannot match.
Defensive Mitigations: Hardening the Edge
The joint advisory provides a specific roadmap for organizations — particularly those in critical infrastructure — to defend against these covert networks:
- Baseline Edge Traffic: Organizations must map and baseline all traffic from edge devices to identify anomalous outbound connections.
- Zero Trust Architecture: Implement Zero Trust principles and utilize geographic allow-lists to restrict connections to known-good regions.
- Active Hunting: Proactively hunt for SOHO/IoT traffic patterns that match known botnet C2 behaviors.
- Machine Certificates: Require machine-based certificates for all SSL connections to ensure only managed devices can touch the network.
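As an added illustration of the behavioral shift that "IOC extinction" and the baselining and hunting mitigations above call for (example code, not from the advisory or any agency), the script below baselines an edge device's outbound flows and then flags destination pairs the device has never used and fixed-interval callbacks, even when the remote IP is different on every connection. The flow records, device name and ASNs are constructed placeholders.

```python
"""Behavioral baselining of edge-device outbound traffic (added example).

Rotating residential-proxy IPs defeat IP blocklists, so this keys on how a
device connects: learn each device's normal (dst_port, dst_asn) pairs, then
flag pairs new to the device and fixed-interval callbacks whose destination
IP changes on every connection. All flows, names and ASNs are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
# Constructed flows: (ts_seconds, device, dst_ip, dst_port, dst_asn); ASNs are private-range placeholders.
BASELINE = [
    (0, "edge-rtr-1", "203.0.113.10", 443, 64512),
    (60, "edge-rtr-1", "203.0.113.11", 443, 64512),
    (90, "edge-rtr-1", "192.0.2.5", 123, 64513),
]
OBSERVED = [
    (120, "edge-rtr-1", "203.0.113.12", 443, 64512),  # known pair, irregular timing
    (700, "edge-rtr-1", "203.0.113.10", 443, 64512),
    (750, "edge-rtr-1", "203.0.113.19", 443, 64512),
    (2000, "edge-rtr-1", "203.0.113.11", 443, 64512),
    # Same port and network every 300 s, but a different node each time:
    (0, "edge-rtr-1", "198.51.100.7", 8443, 64514),
    (300, "edge-rtr-1", "198.51.100.23", 8443, 64514),
    (600, "edge-rtr-1", "198.51.100.41", 8443, 64514),
    (900, "edge-rtr-1", "198.51.100.88", 8443, 64514),
]

def build_baseline(flows):
    """Map each device to the (dst_port, dst_asn) pairs seen during baselining."""
    base = defaultdict(set)
    for _ts, dev, _ip, port, asn in flows:
        base[dev].add((port, asn))
    return base

def new_destinations(baseline, flows):
    """Flows whose (port, asn) pair the device never used before; the IP is not consulted."""
    return [f for f in flows if (f[3], f[4]) not in baseline.get(f[1], set())]

def beaconing(flows, min_samples=4, max_cv=0.10):
    """Return (device, port, asn) series whose gap coefficient of variation is <= max_cv."""
    series = defaultdict(list)
    for ts, dev, _ip, port, asn in flows:
        series[(dev, port, asn)].append(ts)
    hits = []
    for key, times in series.items():
        t = sorted(times)
        gaps = [b - a for a, b in zip(t, t[1:])]
        if len(gaps) + 1 >= min_samples and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(key)
    return hits
```

Blocking any one of the 198.51.100.x addresses would miss the next callback; the (port, ASN, cadence) pattern survives the IP rotation and is what the hunt should key on.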
"The NCSC believes the majority of China-nexus threat actors are using these networks... Botnet operations represent a significant threat to the UK," stated NCSC Director Paul Chichester.