{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/china-nexus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["China-nexus cyber actors"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SOHO Routers","IoT Devices","Web Cameras","Video Recorders","Firewalls","Network Attached Storage (NAS) Devices"],"_cs_severities":["high"],"_cs_tags":["covert-network","botnet","china-nexus","compromised-devices"],"_cs_type":"threat","_cs_vendors":["Cisco","Netgear"],"content_html":"\u003cp\u003eA joint advisory highlights a significant shift in tactics employed by China-nexus cyber actors. They are moving away from using individually procured infrastructure and instead leveraging large-scale, externally provisioned networks of compromised devices. These \u0026ldquo;covert networks\u0026rdquo; primarily consist of Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices, but can include any vulnerable device that can be exploited at scale. These networks are used for various purposes, including disguising the origin of malicious activity, scanning networks, delivering malware, communicating with compromised systems, exfiltrating stolen data, and conducting general deniable internet browsing to research new TTPs and victim profiles. These networks are constantly updated and could be used by multiple actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: China-nexus actors exploit vulnerabilities in SOHO routers, IoT devices (web cameras, video recorders), firewalls, and NAS devices.\u003c/li\u003e\n\u003cli\u003eBotnet Establishment: Compromised devices are incorporated into a covert network (botnet), often controlled by Chinese information security companies.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The actors use the botnet to scan target networks, gathering information about potential vulnerabilities and attack surfaces.\u003c/li\u003e\n\u003cli\u003eExploitation: Leveraging the compromised network to mask their origin, the actors exploit identified vulnerabilities in target systems.\u003c/li\u003e\n\u003cli\u003eMalware Delivery: The covert network is used to deliver malware payloads to compromised systems within the target network.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The actors establish command and control (C2) channels through the compromised network to remotely control the malware and maintain access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Sensitive data is exfiltrated from the compromised network through the covert network, making attribution difficult.\u003c/li\u003e\n\u003cli\u003ePersistence: The actors maintain persistence on compromised systems to ensure continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised networks can lead to the exposure of sensitive data, disruption of critical services, and financial losses. The use of covert networks makes attribution difficult, allowing attackers to operate with impunity. The advisory notes that Volt Typhoon has used these techniques to pre-position on critical national infrastructure. The widespread nature of the networks, comprising potentially hundreds of thousands of endpoints, makes traditional network defense strategies like static IP blocklists less effective. In 2024, one such network, Raptor Train, infected over 200,000 devices worldwide.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust patch management practices to keep SOHO routers, IoT devices, and other network devices up-to-date with the latest security patches (reference: Overview).\u003c/li\u003e\n\u003cli\u003eStrengthen network perimeter security by implementing intrusion detection and prevention systems (IDPS) to identify and block malicious traffic originating from suspicious or known compromised IP addresses (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns and anomalies that may indicate the presence of a compromised device or covert network activity (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Outbound Connection to Known SOHO Devices\u0026rdquo; to identify potential compromised devices on your network (reference: rules).\u003c/li\u003e\n\u003cli\u003eSegment networks to limit the potential impact of a compromised device or network segment (reference: Protective Advice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T11:22:42Z","date_published":"2026-04-23T11:22:42Z","id":"/briefs/2026-04-china-nexus-covert-networks/","summary":"China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.","title":"China-Nexus Cyber Actors Using Covert Networks of Compromised Devices","url":"https://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/"},{"_cs_actors":["China-nexus actor"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["google-calendar","c2","china-nexus"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA China-nexus threat actor has been observed leveraging Google Calendar as a novel command and control (C2) mechanism. This campaign, observed starting in 2025, uses calendar entries to relay commands to compromised hosts. The use of Google Calendar allows the attacker to blend in with legitimate network traffic, evade traditional C2 detection methods, and maintain persistence. The stealthy nature of this approach makes it difficult to detect and attribute. This technique is particularly concerning because it leverages a common and trusted service, making it harder to differentiate between legitimate and malicious activity. The scope of targeting is currently unknown, but the use of advanced C2 infrastructure suggests a sophisticated and potentially widespread campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise occurs through an unknown vector, potentially exploiting vulnerabilities or using social engineering.\u003c/li\u003e\n\u003cli\u003eA lightweight agent is installed on the target system. This agent is responsible for interacting with the Google Calendar API.\u003c/li\u003e\n\u003cli\u003eThe agent authenticates to a pre-configured Google account controlled by the attacker using stolen or pre-configured credentials.\u003c/li\u003e\n\u003cli\u003eThe agent periodically polls the Google Calendar API for new calendar events.\u003c/li\u003e\n\u003cli\u003eThe attacker creates calendar events containing base64-encoded commands.\u003c/li\u003e\n\u003cli\u003eThe agent retrieves the calendar event, decodes the command, and executes it on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe agent transmits the results of the executed command back to the attacker, potentially through another Google service or a separate channel.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions, such as lateral movement, data exfiltration, or deployment of additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems could be leveraged for a variety of malicious activities, including data theft, espionage, and disruption of services. The use of Google Calendar as a C2 channel makes attribution challenging and allows the attacker to maintain a persistent presence on the compromised network. Successful attacks could lead to significant financial losses, reputational damage, and loss of sensitive information. The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor API calls to \u003ccode\u003egoogleapis.com\u003c/code\u003e for unusual patterns or unauthorized access attempts, specifically looking for calendar event modifications from unusual user agents (reference: Attack Chain step 4).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect processes making modifications to Google Calendar.\u003c/li\u003e\n\u003cli\u003eEnable and review Google Workspace audit logs for suspicious calendar activity, including event creation and modification from unexpected locations or accounts (reference: Attack Chain step 5).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T00:00:00Z","date_published":"2026-03-21T00:00:00Z","id":"/briefs/2026-03-calendar-c2/","summary":"A China-nexus threat actor is utilizing Google Calendar as a command and control (C2) infrastructure to conduct stealthy operations.","title":"China-Nexus Campaign Using Google Calendar as C2","url":"https://feed.craftedsignal.io/briefs/2026-03-calendar-c2/"}],"language":"en","title":"CraftedSignal Threat Feed — China-Nexus","version":"https://jsonfeed.org/version/1.1"}