UK Cyber Officials Warn of Rising Threat from China-Linked Hackers Exploiting Everyday Devices
April 23, 2026
The defensive guidance recommends mapping edge devices, baselining normal connections (including VPN traffic), creating geographic IP allow lists, profiling connections by OS, time zone, and configuration, and adopting zero trust for incoming connections. Large organizations should also threat-hunt and map covert networks using industry and government sources.
The guidance is issued as part of an ongoing, iterative security alert that will be updated as new details emerge.
For context, digital-asset losses in 2024 surpassed $2 billion, highlighting the challenge defenders face as attribution becomes increasingly fluid.
Compromised endpoints can be leveraged for attacks even when under defender watch, underscoring the need for continuous vigilance and layered defense.
Recent context includes Google’s disruption of a residential proxy network that exploited hacked devices, illustrating the ongoing threat landscape.
International cyber authorities led by the U.K.’s NCSC warn that China-linked hackers are increasingly using covert networks of vulnerable everyday internet-connected devices to hide malicious activity and maintain persistent access.
Detecting these operations is hard due to disappearing evidence and rapid data erasure, which complicates disruption efforts.
Routers are highlighted as the riskiest IT devices in 2026, averaging 32 security flaws per device, more than computers, drawing attention to router security.
Historical botnet examples like KV Botnet (Volt Typhoon) and Raptor Train (Flax Typhoon) show DOJ disruption efforts against networked attacks targeting critical infrastructure and Taiwan, respectively.
Modern botnets are fluid and dynamic, lacking fixed structures, with entry, traversal, and exit nodes that mask origins, and many devices are end-of-life and no longer receive updates.
Blocking known malicious IPs is failing due to rapid device rotation and IOC extinction, complicating attribution.
The warning flags a substantial threat to UK and global targets across the military, government, higher education, telecoms, defense industrial base, and IT sectors.
Summary based on 32 sources
Sources

LinkedIn • Apr 23, 2026
Global Cyber Agencies Warn of Expanding China-Linked Botnet Strategy
Cybernews • Apr 23, 2026
9 countries warn China-linked hackers using home routers and smart devices to hide attacks
The Guardian • Apr 23, 2026
Chinese hackers are using everyday devices to hack UK firms, warns watchdog
Modern Diplomacy • Apr 23, 2026
China-backed hackers exploiting common devices to mask attacks