Cybersecurity Advisory - Defending against China-nexus covert networks of compromised devices

A newly released international cybersecurity advisory is sounding the alarm on a silent but rapidly escalating threat: covert networks of compromised devices operating at global scale. At the center of this warning lies a disturbing reality—your router, your camera, even your office firewall could already be part of the battlefield.
The report, issued by a coalition of leading intelligence and cybersecurity agencies across the US, UK, EU, and allied nations, highlights a strategic shift in how China-linked cyber actors operate. Instead of relying on dedicated infrastructure, they are increasingly weaponizing vast networks of hijacked devices, so-called “covert networks” or advanced botnets.
One standout example mentioned is Raptor Train, a massive botnet that infected over 200,000 devices worldwide. But this is not just another botnet story. What makes Raptor Train and similar networks different is their strategic use. These networks are no longer just tools for spam or DDoS attacks. They are becoming foundational infrastructure for cyber espionage, pre-positioning ahead of future attacks, and long-term infiltration of critical systems.
According to the advisory, these covert networks are primarily composed of compromised Small Office/Home Office (SOHO) routers, IoT devices, webcams, and network-attached storage (NAS) systems. Many of these devices are outdated, unpatched, and effectively abandoned by manufacturers, so they are rarely inventoried, rarely logged, and rarely rebooted. This creates a perfect storm: low-cost, globally distributed infrastructure that is difficult to detect and even harder to attribute.
The operational model is both simple and effective. As illustrated in the diagram on page 7 of the report, attackers route their activity through multiple layers of compromised devices, entry nodes, traversal nodes, and exit nodes, before reaching their target. This multi-hop architecture obscures the origin of attacks: the source address a victim sees belongs to someone else's hijacked router, not to the operator, so attribution and blocking based on source IP alone become unreliable.
More importantly, these networks are dynamic. Nodes are constantly added and removed, adapting in real time to defensive actions. This creates what cybersecurity experts call “IOC extinction”: the rapid obsolescence of traditional indicators of compromise such as IP blocklists. In other words, by the time one malicious IP is blocked, the operator has already rotated to other nodes, and a published blocklist is stale almost as soon as it is shared.
The implications are profound. These networks have already been used by groups like Volt Typhoon to infiltrate critical national infrastructure, and by Flax Typhoon for cyber espionage operations. The advisory suggests that multiple threat actors may even share the same covert networks, further complicating attribution and response.
Defending against this new class of threat requires a fundamental shift in strategy. The report emphasizes moving away from static defenses toward more adaptive, intelligence-driven approaches. Organizations are urged to inventory and map their network edge devices, baseline what normal traffic from those devices looks like (which peers, which ports, how much volume), and implement multi-factor authentication across all remote access points.
For higher-risk organizations, the recommendations go even further. Zero-trust architectures, machine learning-based anomaly detection, and strict allow-listing for network access are becoming essential. The goal is not just to block known threats, but to detect abnormal behavior in an environment where threats are constantly changing.
The advisory also highlights the importance of visibility. Monitoring network flows, tracking device behavior, and leveraging dynamic threat intelligence feeds are critical in identifying covert network activity. In some cases, organizations may need to treat these botnets as persistent threats in their own right, actively hunting for signs of infiltration.
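The three steps the advisory ties together above (inventory the edge, baseline its traffic, watch flows for behavior that departs from the baseline) are easier to reason about in code. The following is an added example, not code from the advisory or from any of the agencies behind it. It assumes a hypothetical edge-device inventory and constructed NetFlow-style records, and it contrasts a stale static IP blocklist with a per-device behavioral baseline: the blocklist misses a rotated node entirely, while the baseline flags the compromised router for talking to a never-before-seen peer and for pushing far more outbound volume than it ever did before.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean, pstdev

# Hypothetical inventory of edge devices keyed by internal IP (assumption:
# the advisory's "map your edge devices" step yields something like this).
EDGE_DEVICES = {"10.0.0.1": "soho-router", "10.0.0.20": "lobby-camera"}

# Constructed NetFlow-style outbound records for illustration only, not real
# traffic: (timestamp, src, dst, dst_port, bytes_out).
BASELINE_FLOWS = [
    ("2025-01-06T01:10:00", "10.0.0.1", "198.51.100.10", 123, 600),
    ("2025-01-06T02:10:00", "10.0.0.1", "198.51.100.10", 123, 600),
    ("2025-01-06T03:15:00", "10.0.0.1", "203.0.113.5", 443, 4200),
    ("2025-01-06T04:10:00", "10.0.0.1", "198.51.100.10", 123, 600),
    ("2025-01-06T05:20:00", "10.0.0.1", "203.0.113.5", 443, 3900),
    ("2025-01-06T01:05:00", "10.0.0.20", "203.0.113.5", 443, 15000),
    ("2025-01-06T02:05:00", "10.0.0.20", "203.0.113.5", 443, 16000),
    ("2025-01-06T03:05:00", "10.0.0.20", "203.0.113.5", 443, 14500),
]

LIVE_FLOWS = [
    ("2025-01-13T01:10:00", "10.0.0.1", "198.51.100.10", 123, 600),
    # Router starts relaying traffic to a peer it has never spoken to before,
    # the kind of behavior a traversal node in a covert network would show.
    ("2025-01-13T01:12:00", "10.0.0.1", "192.0.2.77", 8443, 2_400_000),
    ("2025-01-13T01:40:00", "10.0.0.1", "192.0.2.77", 8443, 2_100_000),
    ("2025-01-13T02:05:00", "10.0.0.20", "203.0.113.5", 443, 15500),
]

# A static blocklist from last week's feed; the node has since rotated.
STALE_BLOCKLIST = {"192.0.2.44"}


def _prefix(ip):
    """Collapse a destination to its /24 so baseline peers tolerate small drift."""
    return str(ip_network(f"{ip}/24", strict=False))


def _hour(ts):
    """Bucket key for per-hour outbound volume."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")


def build_baseline(flows, devices=EDGE_DEVICES):
    """Per edge device: known destination /24s and ports plus hourly byte stats."""
    peers, ports = defaultdict(set), defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, port, nbytes in flows:
        if src not in devices:
            continue  # only the inventoried edge is baselined
        peers[src].add(_prefix(dst))
        ports[src].add(port)
        hourly[src][_hour(ts)] += nbytes
    baseline = {}
    for dev in devices:
        totals = list(hourly[dev].values()) or [0]
        baseline[dev] = {"peers": peers[dev], "ports": ports[dev],
                         "mean": mean(totals), "stdev": pstdev(totals)}
    return baseline


def detect_anomalies(flows, baseline, sigma=3.0):
    """Flag flows to unseen peers or ports, and hours whose outbound volume
    exceeds mean + sigma * stdev of the device's baseline hours."""
    findings, seen = [], set()
    hourly = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, port, nbytes in flows:
        if src not in baseline:
            continue
        b = baseline[src]
        key = (src, dst, port)
        if key not in seen:
            if _prefix(dst) not in b["peers"]:
                findings.append((src, "new-peer", f"{dst}:{port}"))
            elif port not in b["ports"]:
                findings.append((src, "new-port", f"{dst}:{port}"))
            seen.add(key)
        hourly[src][_hour(ts)] += nbytes
    for src, hours in hourly.items():
        limit = baseline[src]["mean"] + sigma * baseline[src]["stdev"]
        for hour, total in sorted(hours.items()):
            if total > limit:
                findings.append((src, "volume", f"{hour}: {total} > {limit:.0f} bytes"))
    return findings


def blocklist_hits(flows, blocklist):
    """The static-IOC approach: matches only destinations still on the list."""
    return [(src, dst) for _, src, dst, _, _ in flows if dst in blocklist]


if __name__ == "__main__":
    print("blocklist:", blocklist_hits(LIVE_FLOWS, STALE_BLOCKLIST))
    for finding in detect_anomalies(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("baseline:", finding)
```

The baseline is deliberately keyed on the device rather than on the remote address: the remote nodes of a covert network rotate, but a given router's own habits (a handful of vendor and NTP peers, kilobytes per hour) do not, so a new peer or a sudden jump to megabytes of relayed traffic stands out regardless of which IP the operator is using that week. In production the same logic would run over exported NetFlow/IPFIX or firewall logs, and the thresholds would be tuned per device class.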
What emerges from this report is a clear message: cyber warfare is no longer confined to specialized systems or elite infrastructure. It is embedded in the everyday fabric of the internet. The devices we rely on for convenience and connectivity are increasingly being repurposed as weapons.
Raptor Train is not just a botnet—it is a blueprint for the future of covert cyber operations. And unless defenses evolve just as quickly, the next wave of attacks may already be routed through devices sitting quietly in homes and offices around the world.
