China-Backed Hackers Are Industrializing Botnet Operations for Low-Attribution Attacks

Chinese state-backed threat groups are systematically building and operating covert networks of compromised routers, IoT devices, and VPS nodes to route attacks and achieve plausible deniability. By laundering activity through residential and enterprise proxies, these actors evade geoblocking, IP reputation filters, and attribution. Multiple state-backed groups are reported to share or rent this botnet infrastructure, suggesting an emerging service model within China’s offensive cyber ecosystem.

Network defenders should treat botnet-sourced traffic with the same scrutiny as direct state-actor activity, since attribution to a residential IP does not indicate a non-state actor. Monitoring for anomalous outbound connections from edge devices and hardening SOHO/router management interfaces are the most actionable mitigations.