Breaking: China-nexus APT actors weaponise SOHO router botnets against European critical infrastructure — 28 April 2026
China-Nexus APT Actors weaponise SOHO router botnets to pre-position on critical infrastructure
Fifteen intelligence agencies across four continents have jointly warned that China-nexus cyber actors have fundamentally shifted tactics toward building and operating large-scale covert networks of compromised SOHO routers and IoT devices. The networks, sometimes exceeding 200,000 nodes, are being used to route every phase of offensive cyber operations from reconnaissance through data exfiltration, and critically, to pre-position offensive capabilities on critical national infrastructure targets.
The advisory, AA26-113A, was released jointly by the UK NCSC, CISA, FBI, NSA, and intelligence services from Germany (BfV, BND, BSI), the Netherlands (AIVD, MIVD), Spain (CCN), Sweden (NCSC-SE), Australia (ASD ACSC), Canada (CSE Cyber Centre), Japan (NCO), and New Zealand (NCSC-NZ). The breadth of co-sealing partners is itself significant: European agencies do not attach their names to threat advisories lightly.
The covert network architecture
The typical covert network uses compromised SOHO routers as traversal nodes, with traffic entering via an on-ramp node, hopping through multiple compromised devices, and exiting in the same geographic region as the target. Exit nodes masquerade as legitimate consumer broadband connections. The NCSC assesses that the majority of China-nexus threat actors now operate this way, that multiple covert networks exist simultaneously, and that a single network may serve multiple threat groups.
The Raptor Train network, controlled by Chinese information security company Integrity Technology Group, infected over 200,000 devices worldwide before FBI disruption. Volt Typhoon's KV Botnet, built mainly from end-of-life Cisco and Netgear routers, was used to pre-position on US critical infrastructure. Flax Typhoon built a separate covert network for espionage operations.
FIRESTARTER: persistence through firmware updates
Alongside the advisory, CISA and the UK NCSC released analysis of FIRESTARTER, a Linux ELF backdoor deployed on Cisco Firepower and Secure Firewall devices running ASA or Firepower Threat Defense software. FIRESTARTER exploits CVE-2025-20333 (missing authorization) and/or CVE-2025-20362 (buffer overflow) for initial access, then establishes persistence that survives firmware updates and reboots. The malware hooks into LINA, the device's core network processing engine, enabling arbitrary shell execution including deployment of the LINE VIPER post-exploitation implant.
CISA discovered FIRESTARTER on a US federal agency's Cisco Firepower device during continuous monitoring. The device had been patched in accordance with Emergency Directive 25-03, but the malware persisted. APT actors then used FIRESTARTER to redeploy LINE VIPER in March 2026, months after remediation, without re-exploiting the original vulnerability.
This is the operational reality: patching alone does not equal remediation when firmware implants survive updates.
The indicator extinction problem
Mandiant identified the core defensive challenge: indicator extinction. When threat actors can originate from any of multiple covert networks, each with hundreds of thousands of nodes, static IP blocklists become ineffective. New nodes replace patched devices continuously. The networks are dynamic by design.
So what / Action
For European organisations, this advisory is not abstract. The participating EU intelligence services are telling you that the covert networks are being used against targets in your region. Treat this as direct threat intelligence.
Map and baseline your network edge devices now. Understand what should be connecting to your VPNs and corporate services. Consumer broadband IP ranges connecting to enterprise infrastructure should trigger investigation, not acceptance. Implement allow-lists rather than deny-lists for VPN access where feasible. Deploy dynamic threat feeds that include covert network infrastructure. Enforce MFA on all remote connections. For larger organisations, profile incoming connections by operating system, time zone, and device characteristics to flag anomalies.
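As an added illustration of the triage described above (example code written for this article, not from the advisory or any of the agencies named), the script below runs three of those checks over constructed VPN authentication events: an allow-list of corporate egress ranges, an ISP category from an enrichment feed that marks consumer broadband sources, and a per-user baseline of client OS and time zone. The log format, the allow-list ranges, the ISP labels and the baseline are all assumptions; adapt the parser to your own VPN logs.

```python
import ipaddress
from collections import namedtuple

# Constructed sample VPN authentication events (not real data). Fields:
# timestamp, user, source IP, ISP category from enrichment, client OS, client TZ.
SAMPLE_EVENTS = [
    "2026-04-28T08:02:11Z alice 198.51.100.23 business Windows11 +01:00",
    "2026-04-28T08:05:40Z bob 203.0.113.77 consumer_broadband Linux +08:00",
    "2026-04-28T08:07:02Z alice 203.0.113.91 consumer_broadband macOS +01:00",
    "2026-04-28T08:09:15Z carol 192.0.2.10 business macOS +01:00",
]
# Hypothetical allow-list of corporate egress ranges and per-user baseline
# (OS and time zone seen historically); both would come from your own data.
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]
USER_BASELINE = {
    "alice": {"os": "Windows11", "tz": "+01:00"},
    "bob": {"os": "Windows11", "tz": "+01:00"},
    "carol": {"os": "macOS", "tz": "+01:00"},
}
Event = namedtuple("Event", "ts user ip isp os tz")

def parse_event(line):
    return Event(*line.split())

def assess(event, allow_list=ALLOW_LIST, baseline=USER_BASELINE):
    """Return the reasons this login deserves investigation (empty = clean)."""
    reasons = []
    addr = ipaddress.ip_address(event.ip)
    if not any(addr in net for net in allow_list):
        reasons.append("source not in VPN allow-list")
    if event.isp == "consumer_broadband":
        # Covert-network exit nodes masquerade as exactly this kind of source.
        reasons.append("consumer broadband source")
    known = baseline.get(event.user)
    if known and event.os != known["os"]:
        reasons.append(f"OS changed {known['os']}->{event.os}")
    if known and event.tz != known["tz"]:
        reasons.append(f"time zone changed {known['tz']}->{event.tz}")
    return reasons

def triage(lines):
    """Map each flagged (user, ip) to its reasons; clean logins are omitted."""
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            flagged[(ev.user, ev.ip)] = reasons
    return flagged
```

Calling `triage(SAMPLE_EVENTS)` flags bob's login (off-list, consumer broadband, new OS and time zone) and alice's second login (off-list, consumer broadband, new OS), while the two logins from allow-listed business ranges that match their baselines come back clean.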
For Cisco ASA/Firepower operators: collect and analyse core dumps using the CISA-provided YARA rules for FIRESTARTER. If you patched for ED 25-03 but did not verify the device was clean, assume persistence may exist. Patching a compromised device does not remove the implant. Hard power cycle and rebuild from known-good images if compromise is confirmed.