By Lyrie Threat Intelligence·4/30/2026

The Invisible Army Just Got Visible: CISA & NCSC-UK Expose China's Covert Botnet Industrial Complex

TL;DR

CISA and the UK's NCSC have issued a joint advisory warning that China-nexus APTs (Volt Typhoon, Flax Typhoon) have shifted from building their own infrastructure to renting professionally-managed covert botnets maintained by Chinese information security firms. These networks now coordinate reconnaissance, malware delivery, C2, and data exfiltration across hundreds of thousands of compromised routers and IoT devices—and remain nearly impossible to trace.

What Happened

On April 29, 2026, CISA and the National Cyber Security Centre (NCSC-UK) jointly released AA26-113A, a coordinated advisory detailing a fundamental shift in how state-sponsored Chinese threat actors conduct cyber operations. Rather than procuring and managing their own infrastructure—a time-consuming and attribution-prone approach—major APT groups including Volt Typhoon and Flax Typhoon are now leasing access to large-scale, professionally-maintained botnet networks.

The advisory confirms that these covert networks are operated by Chinese information security companies acting as infrastructure-as-a-service providers. One documented example: Integrity Technology Group, a China-based firm, operates the Raptor Train botnet (which infected 200,000+ devices in 2024), and the FBI has directly attributed Flax Typhoon's computer intrusion activities to it.

The networks serve as a routing layer for the entire APT kill chain:

  • Reconnaissance scans → Originate from botnet nodes to evade geographic attribution
  • Malware delivery → Routed through compromised devices to mask the source
  • Command & control → Traffic passes through intermediate botnet nodes
  • Data exfiltration → Egress through chains of compromised devices to avoid detection at network boundaries

Technical Details

The Shift from Owned to Rented Infrastructure

Before 2023: APT groups like Volt Typhoon maintained their own infrastructure—data centers, C2 servers, compromised ISP routers. Detection relied on infrastructure fingerprinting, ASN tracking, and geographic correlation. Defenders could sometimes map the kill chain by following the IP trail.

Now (2026): The same groups route all traffic through shared, professionally-managed botnets. A single command might traverse:

1. Botnet entry node (compromised Cisco/NetGear router in South Korea)

2. Intermediate node (infected IoT camera in Thailand)

3. Exit node (hacked business router in Australia)

4. Target

This defeats traditional geolocation-based detection. The traffic appears to originate from a distributed cloud of compromised but otherwise legitimate devices, not from centralized APT infrastructure.

The Botnet-as-a-Service (BaaS) Economy

NCSC analysts believe the majority of China-nexus threat actors now use these networks. More critically: single botnets are shared across multiple APT groups. This creates a commodity infrastructure market where:

  • A company like Integrity Technology Group maintains the botnet
  • Multiple APT teams (Volt Typhoon, Flax Typhoon, others) rent access
  • The botnet is continuously updated with newly compromised devices
  • Attribution becomes nearly impossible—no single APT "fingerprint"

Device Categories Under Siege

The advisory specifically flags:

  • Residential routers (SOHO devices: TP-Link, Tenda, D-Link)
  • Enterprise edge routers (older Cisco ASA/Catalyst models)
  • IoT cameras, NVRs, and smart home devices
  • Printer management interfaces (often forgotten, unpatched)

The common pattern is devices with:

  • Default credentials
  • Known, unpatched RCE vulnerabilities (CVE-2024-57726 SimpleHelp, SOHO router flaws, etc.)
  • Ubiquitous internet-facing presence (millions deployed, low value individually)

Lyrie Assessment

Why CISOs Need Machine-Speed Detection Now

This advisory represents a structural shift in attack economics. The APT groups have outsourced their hardest problem—maintaining infrastructure—to specialists. They now scale horizontally (rent access to 200k+ devices) rather than vertically (build 5-10 sophisticated C2 servers).

The Lyrie Verdict: This is the moment when defenders cannot out-patch the attacker supply chain. Vendors patch CVE-2024-57726, but millions of routers go unpatched. Botnets absorb the loss and recruit more devices. The equilibrium has shifted.

What autonomous detection changes:

1. Network edge behavior profiling becomes mandatory—not optional. Lyrie's approach: Machine-speed baseline of "normal" device communication patterns; any device suddenly acting as a proxy for external traffic gets flagged in <500ms, long before the exfiltration completes.

2. Botnet detection at protocol level. These routing chains have signatures: multiple hops, unusual MTU behaviors, consistent intermediate-node behavior. Lyrie can identify the pattern even if IPs rotate hourly.

3. Zero-trust for device-to-device at the network edge. VLAN isolation won't work if your router is the compromise. Requires real-time crypto-signature validation and behavioral anomaly detection.

The Attribution Blindness Problem

Defenders spent 15 years learning to attribute attacks to APT groups via infrastructure fingerprinting. This advisory confirms: that era is over. When Volt Typhoon and Flax Typhoon share the same botnet, attribution becomes guesswork. Defenders must pivot from "Who did it?" to "What is it doing?" and respond before the action completes.

Autonomous defense systems that can detect and neutralize attacks at the action level (lateral movement, credential usage, data staging) rather than the attribution level become the new perimeter.

Recommended Actions

Immediate (Next 7 Days)

1. Map all edge devices connected to your network—routers, firewalls, cameras, printers. Get serial numbers and firmware versions.

2. Audit SOHO device exposure. If your company has branch offices or remote workers, those routers are in scope. Check whether they are reachable from the internet (nmap scan of tcp/22, tcp/80, tcp/443 from the WAN side).

3. Enable logging on all edge devices. If you can't log it, you can't detect it when it goes rogue.

Short-term (30 Days)

1. Patch all SOHO routers and IoT devices with known RCEs. Prioritize: SimpleHelp (CVE-2024-57726), Tenda routers (CVE-2026-7030, CVE-2026-7037), D-Link (CVE-2026-7067).

2. Implement network segmentation. IoT devices should NOT have direct access to your internal network. Use dedicated VLANs and firewall rules.

3. Deploy anomaly detection on your network edge. Watch for devices that suddenly originate unusual traffic volumes, connect to new destinations, or relay traffic for other devices.
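The relay and new-destination checks above, as an added example that is not part of the advisory or of Lyrie's product. It runs over constructed NetFlow-style records for one edge device; the pairing heuristic (an inbound external flow followed within a few seconds by an outbound flow of similar size), the thresholds and the baseline set are all assumptions.

```python
"""Added example: flag an edge device that relays traffic for external hosts
or talks to destinations outside its learned baseline. All data is constructed."""
from ipaddress import ip_address, ip_network

# Constructed sample flows: (timestamp_s, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (100, "203.0.113.7", "198.51.100.1", 8443, 4200),   # external -> router WAN
    (101, "198.51.100.1", "192.0.2.55", 443, 4100),     # router -> new external host
    (130, "203.0.113.9", "198.51.100.1", 8443, 9000),
    (131, "198.51.100.1", "192.0.2.88", 443, 8900),
    (200, "10.0.0.23", "198.51.100.1", 53, 80),          # LAN client DNS (benign)
    (201, "198.51.100.1", "192.0.2.53", 53, 80),         # router forwards DNS upstream
]
EDGE_DEVICE = "198.51.100.1"          # assumed WAN address of the router
LAN_NET = ip_network("10.0.0.0/8")    # assumed internal range
BASELINE_DESTS = {"192.0.2.53"}       # destinations seen during the learning period

def is_external(ip: str, device: str) -> bool:
    """Anything that is neither the device itself nor inside the LAN range."""
    return ip != device and ip_address(ip) not in LAN_NET

def relay_pairs(flows, device, window_s=5, tolerance=0.2):
    """Pair each inbound external->device flow with an outbound device->external
    flow that starts within window_s seconds and carries a similar byte count."""
    inbound = [f for f in flows if f[2] == device and is_external(f[1], device)]
    outbound = [f for f in flows if f[1] == device and is_external(f[2], device)]
    pairs = []
    for ts, src, _, _, b_in in inbound:
        for ots, _, dst, _, b_out in outbound:
            if 0 <= ots - ts <= window_s and abs(b_out - b_in) <= tolerance * b_in:
                pairs.append((src, dst))
    return pairs

def new_destinations(flows, device, baseline):
    """External destinations the device contacted that were not in its baseline."""
    seen = {f[2] for f in flows if f[1] == device and is_external(f[2], device)}
    return sorted(seen - baseline)

def assess(flows, device, baseline, min_pairs=2):
    pairs = relay_pairs(flows, device)
    return {"relay_suspected": len(pairs) >= min_pairs,
            "relay_pairs": pairs,
            "new_destinations": new_destinations(flows, device, baseline)}

if __name__ == "__main__":
    print(assess(FLOWS, EDGE_DEVICE, BASELINE_DESTS))
```

In production the baseline would be learned per device over days of flow data and the window and size tolerance tuned to the link; the point is that both signals are visible in flow logs without any IP-based indicator.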

Long-term (3-6 Months)

1. Replace SOHO routers with managed equipment. Enterprise-grade firewalls have better logging, patching, and threat intelligence integration.

2. Deploy zero-trust for device communication. Assume every device could be compromised. Require mutual TLS, crypto-signed commands, and behavior baselines.

3. Subscribe to threat intelligence feeds on China-nexus botnets. Know which IPs/ASNs are currently part of known covert networks. Use as a detection enrichment signal.



Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.