China-Linked Hackers Abuse Routers for Cyber Operations

A significant, fast-moving cyber threat has emerged: hackers linked to China are actively building extensive networks of compromised routers and edge devices. These networks are then leveraged to conduct covert cyber operations against organizations globally, as detailed in a recent report.

Rather than setting up their own infrastructure from scratch, these threat actors have taken a smarter and far cheaper approach.

They are breaking into everyday networking equipment, such as home routers and small office devices, and quietly turning them into relay points for their attacks.

This method allows them to blend their malicious traffic with normal internet activity, making it much harder for defenders to trace attacks back to their origin.

The result is a powerful, hidden network that is constantly in motion and nearly impossible to pin down using traditional security tools.

The scale and flexibility of these covert networks make them particularly dangerous. China-nexus actors are now using these compromised devices across every stage of the Cyber Kill Chain.

From the earliest phases of scanning and reconnaissance, through malware delivery, all the way to command and control communications and final data theft, every step of the attack can be routed through ordinary, innocent-looking devices.

This means that an attack could appear to be coming from a home network in one country one day and a different location entirely the next.

Alongside co-sealing partner agencies and the Cyber League, the analysts at the UK’s NCSC identified this growing threat pattern and published an advisory on 23 April 2026.

They noted that these covert networks are not just used by one group. Multiple China-linked threat actors share the same pool of compromised nodes, refreshing and reshaping the network continuously.

This creates what the NCSC describes as “IOC extinction,” meaning that indicators of compromise, the digital fingerprints defenders normally use to detect attacks, vanish almost as soon as they are found.

The impact on targeted organisations is serious. Sensitive data can be stolen, and critical services could be disrupted, all while the attackers remain effectively invisible behind a wall of hacked consumer devices.

Organisations that depend solely on static defences, such as fixed IP block lists, are particularly at risk, because the infrastructure behind these attacks never stays the same long enough for those lists to be useful.

This marks a real shift in how cyber espionage operations are conducted at scale.

How the Covert Network Operates as a Shield

The core mechanic behind this threat is deceptively simple but operationally brilliant. When China-nexus actors want to attack a target, instead of connecting directly from a known server, they route their traffic through a chain of already-compromised routers and IoT devices, often belonging to regular households or small businesses.

These devices are typically running outdated firmware with unpatched vulnerabilities, making them easy targets for initial compromise. Once inside, the attackers install lightweight tools that silently pass traffic along the chain, leaving very little trace on the device itself.

Since the devices used in the network are constantly being swapped in and out, the infrastructure regenerates itself automatically.

Security teams that block one set of IP addresses will find that new nodes have already replaced them, rendering their defences obsolete within hours.

This is what makes machine learning-based anomaly detection and geographic profiling so important, as static rules simply cannot keep up with a network designed to constantly change its own shape.

The NCSC advisory offers clear guidance for organisations of all sizes to address this threat.

All organisations are advised to map and baseline their edge device traffic, especially VPN and remote access connections, and to adopt dynamic threat feed filtering that reflects known covert network indicators. Two-factor authentication should be enforced for all remote access.

Where possible, zero trust controls, IP allow lists, and machine certificate verification should be applied.

Larger and high-risk organisations are further advised to carry out active threat hunting across suspicious SOHO and IoT traffic, apply geographic profiling, and deploy machine learning tools capable of detecting unusual patterns before damage occurs.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.