Guidelines  ·  2026-04-24

CISA and 13 International Partners Issue Joint Guidance on China-Nexus Covert Networks

Guidelines  ·  High impact  ·  Global
CISA, NCSC-UK, and 12 other national cybersecurity agencies published advisory AA26-113A on April 23, 2026, describing a major shift in China-nexus threat actor tactics toward large-scale networks of compromised SOHO routers, IoT devices, and smart devices (covert networks) used strategically across the cyber kill chain—from reconnaissance to data exfiltration. The advisory explains that multiple covert networks exist, are constantly updated, and can be shared by multiple threat actors, including Volt Typhoon and Flax Typhoon.
This represents the first comprehensive, multinational characterization of strategic botnet use by China-nexus actors, moving beyond individual APT disclosures to describe systemic infrastructure tactics. The guidance provides network defenders with technical IOCs, protective measures for organizations targeted via covert networks, and detection recommendations. For AI security teams, the advisory highlights infrastructure-layer threats that can obscure AI model abuse, API attacks, or agent-driven reconnaissance.
Network defenders should review the advisory's IOCs, implement recommended protections for SOHO and IoT devices, and consider whether current monitoring can detect covert-network-sourced traffic. AI security teams should assess whether model abuse detection systems account for traffic originating from large-scale compromised device networks, which may evade traditional rate-limiting and geographic filtering.
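The last point above is the one most worth checking concretely: a per-source-IP rate limit never fires when each compromised router or IoT device in a covert network contributes only a handful of requests, and a geographic allow-list passes traffic that arrives from residential addresses in many countries at once. The detection sketch below is an added example, not code or guidance from the advisory or from CISA. It runs a classic per-IP limiter and a credential-keyed aggregation over a constructed API-gateway log (the `Request` fields, the `api_key` tenant credential, the GeoIP `country` field and all thresholds are assumptions for illustration) and shows that only the aggregation, which counts distinct source addresses and countries behind one credential, flags the distributed pattern.

```python
"""Why per-IP rate limits miss covert-network traffic, and one aggregation that does not.

Added example (not from the advisory). Log lines are constructed; field names
and thresholds are assumptions chosen to illustrate the pattern.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    ts: float        # seconds since epoch
    src_ip: str
    country: str     # assumed GeoIP lookup result recorded by the gateway
    api_key: str     # hypothetical per-tenant credential
    path: str


def make_sample() -> List[Request]:
    """Constructed gateway log: key-A sends 40 requests in under 60s, each from a
    different source IP spread over 5 countries (the covert-network shape);
    key-B is a benign client sending 10 requests from a single IP."""
    reqs: List[Request] = []
    countries = ["US", "DE", "BR", "JP", "IN"]
    for i in range(40):
        reqs.append(Request(1000.0 + 1.5 * i, f"203.0.113.{i + 1}",
                            countries[i % 5], "key-A", "/v1/chat/completions"))
    for i in range(10):
        reqs.append(Request(1000.0 + 6.0 * i, "198.51.100.7",
                            "US", "key-B", "/v1/chat/completions"))
    return reqs


def window_stats(group: List[Request], window: float) -> Tuple[int, int, int]:
    """Max (requests, distinct source IPs, distinct countries) seen in any
    sliding window of `window` seconds over one group of requests."""
    group = sorted(group, key=lambda r: r.ts)
    best = (0, 0, 0)
    start = 0
    for end in range(len(group)):
        # advance the window start until it spans at most `window` seconds
        while group[end].ts - group[start].ts > window:
            start += 1
        win = group[start:end + 1]
        stats = (len(win), len({r.src_ip for r in win}), len({r.country for r in win}))
        best = max(best, stats)
    return best


def per_ip_rate_alerts(reqs: List[Request], window: float = 60.0,
                       threshold: int = 20) -> Set[str]:
    """Classic limiter: alert on any single IP exceeding `threshold` requests
    in a window. Covert-network traffic stays under this per device."""
    by_ip: Dict[str, List[Request]] = defaultdict(list)
    for r in reqs:
        by_ip[r.src_ip].append(r)
    return {ip for ip, g in by_ip.items() if window_stats(g, window)[0] > threshold}


def per_key_distributed_alerts(reqs: List[Request], window: float = 60.0,
                               min_requests: int = 30, min_ips: int = 10,
                               min_countries: int = 3) -> Dict[str, Tuple[int, int, int]]:
    """Aggregate by credential instead of by address: one key fanned out across
    many addresses and countries in a short window is the signal."""
    by_key: Dict[str, List[Request]] = defaultdict(list)
    for r in reqs:
        by_key[r.api_key].append(r)
    flagged: Dict[str, Tuple[int, int, int]] = {}
    for key, g in by_key.items():
        n, ips, cc = window_stats(g, window)
        if n >= min_requests and ips >= min_ips and cc >= min_countries:
            flagged[key] = (n, ips, cc)
    return flagged


if __name__ == "__main__":
    sample = make_sample()
    print("per-IP alerts:", per_ip_rate_alerts(sample))            # set()
    print("per-key alerts:", per_key_distributed_alerts(sample))   # {'key-A': (40, 40, 5)}
```

In a real gateway the aggregation key would be whatever identity survives the fan-out (API key, OAuth client, session token, or a device/model fingerprint), and the distinct-IP and distinct-country counts are cheap to keep in the same sliding-window store a limiter already maintains.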
Sources
CISA Advisory AA26-113A
NCSC-UK