
Shadow Networks: The Evolution of Chinese TTPs and Operational Invisibility in the Gray Zone

This analysis examines the recent paradigm shift in cyber operations conducted by actors linked to the People’s Republic of China, with particular reference to the strategic use of large-scale covert networks composed of compromised devices. Evidence gathered by international security agencies, led by the UK’s National Cyber Security Centre and its global partners, paints a picture in which the distinction between civilian and military infrastructure is becoming increasingly blurred, rendering traditional defense methods partially obsolete.



The Evolution of Tactics and the Emergence of Covert Networks

In recent years, there has been a fundamental shift in the operational methods of China-linked threat groups. Previously, these actors tended to use individually acquired or leased infrastructure for their espionage operations. Today, the strategy has shifted toward creating and managing covert networks based on massive botnets. These networks consist of hundreds of thousands of vulnerable peripheral devices, such as routers for small offices and homes, security cameras, digital video recorders, and other Internet of Things devices.

The strategic advantage of this approach lies in the ability to mask the origin and attribution of attacks. By using devices located around the world, attackers can route malicious traffic through a series of legitimate nodes, making their activities appear as normal internet traffic originating from home or business users. This infrastructure model is dynamic and low-cost, allowing actors to rapidly reshape the network in response to blocking attempts; the static lists of banned IP addresses that many organizations still use as a primary defense are therefore rendered ineffective.


The Operational Impact and the Phenomenon of Indicator Extinction

The use of these clandestine networks has a profound impact on the defense of national and corporate networks. China-linked actors utilize this infrastructure for every single phase of the attack process, from initial reconnaissance to the distribution of malware, through to the command and control of infected systems and the exfiltration of stolen data. A particularly critical characteristic highlighted by security agencies is the constant rotation of network nodes. Because compromised devices are continually updated or removed, and networks share nodes across different threat groups, defenders must contend with what is known as the extinction of indicators of compromise.

In practice, the technical indicators that allow an attack to be identified disappear just as quickly as they are discovered. This makes defenses based on static indicators extremely vulnerable to being circumvented. Clandestine networks are not merely tools for passive espionage; they are strategically used to maintain persistent access within critical infrastructure, allowing attackers to pre-position themselves for potential future offensive operations. Cases such as those involving the Volt Typhoon and Flax Typhoon groups confirm that the objective ranges from the theft of industrial secrets to the preparation of large-scale sabotage.


Adaptive Defense Strategies and New International Guidelines

To counter such a fluid and complex threat, international authorities have introduced recommendations that shift the focus from state-level perimeter defense to dynamic, intelligence-driven protection. The top priority for every organization is now to thoroughly map and understand the traffic on its endpoints. Establishing a baseline for normal traffic—especially regarding VPN connections and remote access—is critical to identifying anomalies that could indicate an intrusion.

The new guidelines suggest adopting zero-trust access policies, where every connection must be verified regardless of its presumed origin. Implementing multi-factor authentication for all remote connections is no longer optional but represents a minimum security requirement. For larger organizations or those operating in sensitive sectors, it is necessary to adopt machine learning technologies for detecting behavioral anomalies and geolocating traffic, along with actively searching for threats within their systems rather than simply waiting for a predefined alarm to trigger.
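The recommendation above, to baseline normal remote-access traffic and flag deviations rather than rely on a static indicator list, can be shown concretely. The following is an added example, not code from the article or from the advisories it discusses. It assumes a simplified VPN login log in the form `timestamp user src_ip country asn result`; every address, ASN, user and the blocklist itself are constructed for the demo, and a real deployment would read the VPN concentrator's own export and enrich source addresses with a GeoIP/ASN lookup before applying the same logic.

```python
"""Baseline normal remote-access logins, then score new ones against it.

Added example; not code from the article or from the NCSC advisory it
discusses. Log format, addresses, ASNs and users are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of known-good logins (a real baseline would span weeks).
BASELINE_LOG = """
2026-03-02T08:05:00 alice 203.0.113.10 GB AS64496 success
2026-03-02T13:40:00 alice 203.0.113.10 GB AS64496 success
2026-03-03T09:12:00 alice 203.0.113.11 GB AS64496 success
2026-03-03T17:55:00 alice 203.0.113.10 GB AS64496 success
2026-03-02T07:30:00 bob 192.0.2.45 DE AS64497 success
2026-03-03T08:02:00 bob 192.0.2.45 DE AS64497 success
2026-03-03T16:20:00 bob 192.0.2.46 DE AS64497 success
2026-03-04T02:00:00 bob 198.51.100.9 RU AS64498 failure
"""

# Constructed new events to review. The third one arrives from a residential
# address that is on no blocklist, which is exactly what a static indicator
# list cannot catch once the nodes rotate.
EVENTS_LOG = """
2026-04-20T08:30:00 alice 203.0.113.10 GB AS64496 success
2026-04-20T07:45:00 bob 192.0.2.45 DE AS64497 success
2026-04-20T03:12:00 alice 198.51.100.22 US AS64498 success
"""

# Constructed static blocklist of the kind the article says decays quickly.
STATIC_BLOCKLIST = {"198.51.100.7", "198.51.100.9"}


def parse_log(text):
    """Parse the simple space-separated format into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, country, asn, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": src_ip, "country": country,
                       "asn": asn, "result": result})
    return events


def build_baseline(events):
    """Per user: countries, ASNs and UTC hours seen on successful logins."""
    profile = defaultdict(lambda: {"countries": set(), "asns": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts say nothing about normal behaviour
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["asns"].add(e["asn"])
        p["hours"].add(e["ts"].hour)
    return dict(profile)


def blocklist_hit(event, blocklist=STATIC_BLOCKLIST):
    """The indicator-based approach: does the source match a known-bad address?"""
    return event["src_ip"] in blocklist


def score(event, baseline, hour_slack=1):
    """Return the list of deviations from the user's baseline (empty = normal)."""
    p = baseline.get(event["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["asn"] not in p["asns"]:
        reasons.append(f"new ASN {event['asn']}")
    hour = event["ts"].hour
    # Distance between hours on a 24-hour clock, so 23:00 and 00:00 are adjacent.
    near = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack for h in p["hours"])
    if not near:
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    return reasons


def review(events, baseline):
    """Score every event both ways so the two approaches can be compared."""
    return [{"user": e["user"], "src_ip": e["src_ip"],
             "blocklisted": blocklist_hit(e),
             "reasons": score(e, baseline)} for e in events]


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for r in review(parse_log(EVENTS_LOG), base):
        flag = "ALERT" if r["reasons"] else "ok"
        print(f"{flag:5} {r['user']:6} {r['src_ip']:15} "
              f"blocklist={r['blocklisted']} {r['reasons']}")
```

The point of the comparison is the last event: the blocklist returns nothing because the source address has never been seen before, while the per-user baseline flags three independent deviations. In practice the baseline would be rebuilt on a rolling window so that legitimate changes (a user relocating, a new ISP) age into it instead of generating alerts forever.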


Summary of Information in the Current Context

The information in this analysis is based on official documents and security advisories published on April 23, 2026, by the UK’s National Cyber Security Centre in collaboration with international partners from nine countries. The analyzed material makes clear that the shift to clandestine networks is a strategic choice by Beijing to evade accountability and conceal its illicit activities.

Key points extracted from the documents include:

  • The identification of Chinese cybersecurity firms, such as Integrity Technology Group, as the entities responsible for creating and maintaining these botnets on behalf of the state.

  • The mention of specific networks such as Raptor Train, which infected over 200,000 devices in 2024, and the KV botnet used by the Volt Typhoon group.

  • The nature of the compromised devices, often end-of-life devices that no longer receive security patches from manufacturers.

  • The hierarchy of protection recommendations, ranging from the use of basic tools for small businesses to advanced NetFlow monitoring for large critical infrastructures.

  • The global call not to rely on static defenses due to the speed at which indicators of compromise become obsolete.
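The fourth point above places NetFlow monitoring at the top of the recommendation hierarchy, and the earlier section notes that these networks carry command-and-control traffic. One thing flow records expose even when the remote node is unknown and rotates is timing regularity: an implant checking in on a schedule produces connections with near-constant spacing and size, whereas human-driven traffic does not. The following is an added example of that kind of analysis, not code from the article or from any agency guidance it cites. The flow records are constructed, the thresholds are illustrative starting points rather than tuned values, and the record shape `(start_seconds, src, dst, dport, bytes)` is an assumption standing in for a real NetFlow export.

```python
"""Spot periodic outbound connections (beaconing) in NetFlow-style records.

Added example, not code from the article or from the advisories it cites.
Flow records and thresholds are constructed for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows():
    """Constructed flow table: (start_secs, src, dst, dport, bytes)."""
    flows = []
    # Beacon-like: one internal host reaches one external address roughly every
    # 300 s with small jitter and nearly constant payload size.
    t = 0
    for jitter in [0, 4, -3, 2, -5, 1, 3, -2, 0, 5, -4, 2]:
        t += 300 + jitter
        flows.append((t, "10.0.0.5", "198.51.100.22", 443, 600 + abs(jitter) * 4))
    # Interactive browsing from another host: irregular gaps and sizes.
    t = 0
    gaps = [40, 900, 15, 2700, 300, 60, 1800, 5, 120, 3600, 20, 500]
    sizes = [12000, 3400, 980, 55000, 2200, 150000, 700, 8000, 3100, 42000, 9800, 1500]
    for gap, size in zip(gaps, sizes):
        t += gap
        flows.append((t, "10.0.0.7", "203.0.113.50", 443, size))
    return sorted(flows)


def detect_beacons(flows, min_flows=8, max_interval_cv=0.1, max_size_cv=0.25):
    """Return (src, dst, dport) triples whose timing and size are too regular.

    The coefficient of variation (stdev / mean) of the inter-arrival times and
    of the flow sizes is compared against thresholds; low values on both mean
    the connections are machine-scheduled rather than user-driven.
    """
    by_triple = defaultdict(list)
    for start, src, dst, dport, nbytes in flows:
        by_triple[(src, dst, dport)].append((start, nbytes))
    findings = []
    for (src, dst, dport), recs in by_triple.items():
        if len(recs) < min_flows:
            continue  # too few samples to say anything about periodicity
        recs.sort()
        starts = [r[0] for r in recs]
        sizes = [r[1] for r in recs]
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        interval_cv = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "flows": len(recs),
                             "mean_interval": round(mean(intervals)),
                             "interval_cv": round(interval_cv, 3),
                             "size_cv": round(size_cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(make_flows()):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['mean_interval']}s "
              f"({f['flows']} flows, interval_cv={f['interval_cv']}, size_cv={f['size_cv']})")
```

Because the test is on the shape of the traffic rather than on the remote address, a finding survives the node rotation the article describes: when the beacon moves to a fresh compromised router, the new destination simply appears as another regular series from the same internal host. Real exports need a larger minimum sample, a longer window, and an allow-list for legitimately periodic services (update checks, monitoring agents) before alerting.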


In essence, the integration of this information highlights an unprecedented national and international security challenge, in which the protection of critical infrastructure requires a constant commitment to technological advancement and seamless collaboration between the public and private sectors.


Architecture and Doctrine of Chinese Cyber Capabilities

The effectiveness of operations conducted by groups such as Salt Typhoon, Volt Typhoon, and Flax Typhoon does not lie solely in the sophistication of their malicious code, but in an integrated strategic doctrine that Beijing has perfected over decades. This capability is rooted in "Liminal Warfare," a concept of "threshold manipulation" highlighted by analysts at Extrema Ratio. Through this modality, China constantly operates at the edge of observability, maintaining its activities in a subliminal zone that avoids triggering a conventional military response while achieving strategic results of total scope.

The systematic control of technological means, 5G systems, and global critical infrastructure—from ports to highways—is not merely a commercial objective, but a form of "Unrestricted Warfare," theorized as early as 1999 by Chinese colonels Qiao Liang and Wang Xiangsui. According to this vision, "trans-military" warfare blends lethal and non-lethal, civilian and criminal means into a seamless architecture. In this context, covert networks (botnets) managed by Chinese cybersecurity firms, such as the Integrity Technology Group, become dual-use tools: ostensibly civilian, yet functional for state espionage and the pre-positioning of sabotage capabilities.

Beijing's offensive capabilities manifest through surgical precision in identifying vulnerabilities in "edge" devices (routers, firewalls, VPNs) that form the perimeter of Western networks. By exploiting the software-defined nature of 5G and the obsolescence of IoT devices, Chinese actors succeed in creating stealthy tunnels (such as the GRE tunnels observed in Canada) to exfiltrate data or manipulate traffic. This integration of economic policy, intelligence, and cyber-offensives allows China to "shape the operation" against an adversary long before a single shot is fired in a potential kinetic conflict, securing an asymmetric advantage in the control of information and vital infrastructure.



©2020 by extrema ratio. Created with Wix.com
