Prevent Ransomware Blog

China’s New Botnet Tactics Are Changing Cyber Defense

Written by Tony Chiappetta | May 13, 2026 8:59:59 AM

If your security tools are watching for suspicious IP addresses, what happens when the attacker is hiding behind someone’s home router, office camera, or smart storage device?

That is exactly what global intelligence agencies are warning about right now.

A new advisory highlighted by BleepingComputer shows that China-linked threat actors are changing how they operate. Instead of launching attacks from traditional infrastructure that security teams can block, they are routing attacks through massive botnets made up of compromised consumer devices.

For business leaders, this is more than another cyber headline.

It is a warning that attackers are becoming harder to see, harder to trace, and much harder to stop with traditional detect-and-respond strategies.

So what exactly happened?

According to the joint advisory from the United Kingdom’s National Cyber Security Centre and international partners, China-linked threat groups are increasingly using covert proxy networks built from hijacked:

• Home and office routers
• Internet-connected cameras
• Video recorders
• Network-attached storage devices
• Other vulnerable IoT equipment

These devices are silently compromised, then used as relay points for malicious traffic.

Instead of attacking directly, threat actors bounce their traffic through thousands of infected devices, entering from one geographic location, moving through multiple compromised systems, and exiting close to the intended target.

The result?

The attack appears legitimate.

Geographic detection becomes less effective.

Traditional IP blocklists become nearly useless.

One example cited in the advisory was the Raptor Train botnet, which infected more than 260,000 devices globally and was linked to activity associated with the Chinese group Flax Typhoon.
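To make the point above concrete, here is an added example (not code from the advisory, BleepingComputer, or CHIPS) that runs a static IP blocklist and a simple behavioural rule over a constructed authentication log. The log, the blocklist range, and the ASN numbers are all made-up placeholder values from the documentation ranges. The sessions use a valid account and arrive from rotating residential-looking networks, so the blocklist matches nothing; the behavioural rule instead asks how many distinct source networks one account authenticated from inside a short window, which is the kind of signal that survives relay chains.

```python
"""Added example: a static IP blocklist versus a per-account source-rotation rule.
All data below is constructed for illustration; it is not from the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed blocklist: one "known bad" range from the documentation space.
BLOCKLIST = [ip_network("203.0.113.0/24")]

# Constructed auth log. Fields: timestamp, user, source IP, source ASN, result.
# "alice" is a valid account whose sessions exit from five different
# residential-looking networks within about two and a half minutes.
SAMPLE_LOG = """
2026-05-13T08:00:01Z alice 198.51.100.14 AS64500 success
2026-05-13T08:00:42Z alice 192.0.2.77 AS64501 success
2026-05-13T08:01:10Z alice 198.51.100.201 AS64502 success
2026-05-13T08:01:55Z alice 192.0.2.9 AS64503 success
2026-05-13T08:02:30Z alice 198.51.100.66 AS64504 success
2026-05-13T09:15:00Z bob 198.51.100.5 AS64500 success
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, asn, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src_ip": ip_address(src_ip),
            "asn": asn,
            "result": result,
        })
    return events


def blocklist_hits(events):
    """Classic control: flag events whose source falls in a blocklisted range."""
    return [e for e in events if any(e["src_ip"] in net for net in BLOCKLIST)]


def proxy_rotation_alerts(events, window=timedelta(minutes=5), min_networks=3):
    """Behavioural control: for each account, find the largest number of distinct
    source networks (ASNs) seen within any `window`-long span of successful logins.
    Returns [(user, distinct_network_count)] for accounts at or above the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            # Distinct networks among logins starting at this event and within the window.
            networks = {e["asn"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(networks))
        if best >= min_networks:
            alerts.append((user, best))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("blocklist hits:", len(blocklist_hits(events)))      # 0: every source looks clean
    print("rotation alerts:", proxy_rotation_alerts(events))   # [('alice', 5)]
```

The threshold and window are deliberately simple; in practice you would tune them against your own login baseline and pair the rule with the account's usual geography and device fingerprint rather than its IP reputation alone.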

Why are attackers getting past security tools?

Because many modern security tools are still built around one assumption:

You will detect malicious behavior after it starts.

That model worked when attackers used obvious malware, fixed infrastructure, and known malicious IP addresses.

Today’s attackers use:

• EDR bypass techniques
• Credential theft
• Living-off-the-land tools
• Legitimate administrative utilities
• Security tool tampering
• Proxy chains made of compromised consumer devices

By the time detection occurs, the attacker may already have:

• Established persistence
• Harvested credentials
• Moved laterally
• Disabled logging
• Begun data exfiltration

This is exactly why governments are warning that static IP blocking is becoming less effective.

What does this mean for businesses like yours?

This kind of attack creates business risk far beyond IT.

A successful intrusion can create:

Financial damage

According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach is $4.44 million, while ransomware and extortion incidents disclosed by attackers average $5.08 million.

Operational downtime

IBM also found that the average breach lifecycle is still 241 days from identification through containment and recovery. That is months of disruption.

Reputation damage

Customers remember breaches long after systems are restored.

Legal and compliance exposure

Regulators, insurers, and clients increasingly demand evidence of preventive controls.

Productivity loss

Internal teams often spend weeks rebuilding systems, validating data, and restoring trust.

Could this happen even if we already have EDR?

Yes.

EDR is valuable.

But EDR was never designed to prevent every attack.

It is designed to:

Detect.

Alert.

Investigate.

Respond.

The problem is that ransomware operators are moving faster than response teams.

Many attacks now move from initial compromise to encryption in hours, sometimes minutes.

If the attacker can hide behind legitimate infrastructure, abuse valid credentials, and disable telemetry, detection may come too late.

That is not an EDR failure.

It is a threat evolution problem.

Why are traditional defenses struggling?

Traditional security often assumes:

“If we can see it, we can stop it.”

But what if:

• The traffic looks legitimate?
• The credentials are valid?
• The tools are native to the operating system?
• The attack originates from a compromised printer halfway around the world?
• The security agent gets disabled before it alerts?

This is why detect-and-respond alone is no longer enough.

What is changing in endpoint security?

Forward-thinking organizations are shifting toward prevention-first security.

That means moving from Detect and Respond to Isolation and Containment.

Instead of waiting for suspicious behavior, the endpoint enforces trust boundaries before malicious code can execute.

This approach focuses on:

• Preventing unauthorized applications from launching
• Restricting script execution
• Limiting credential abuse opportunities
• Blocking lateral movement
• Reducing blast radius
• Preventing encryption before it starts

One example is AppGuard, a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.

This is not about replacing detection.

It is about assuming detection may fail and building protection that prevents damage anyway.

What Should Businesses Do Next?

Business leaders should act now.

Start with these practical steps:

• Assume detection will fail at some point
• Add prevention layers at the endpoint
• Reduce unnecessary execution freedom on user devices
• Identify unmanaged edge devices and IoT assets
• Test what happens if EDR becomes unavailable
• Review third-party remote access paths
• Segment critical systems from user networks
• Require multi-factor authentication for remote access
• Validate incident response plans against ransomware scenarios
• Audit aging routers, cameras, storage devices, and remote appliances
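Two of the steps above, testing what happens when EDR becomes unavailable and identifying unmanaged devices, can be checked with the data most organizations already have. The following added example (not from the advisory or from CHIPS/AppGuard) correlates constructed endpoint-sensor heartbeat records with constructed network flow records: a host that keeps generating traffic after its sensor goes quiet is a candidate for agent tampering, and a host that appears in flows but has never sent a heartbeat is an unmanaged asset. Hostnames, addresses and timestamps are invented placeholders.

```python
"""Added example: find hosts whose endpoint sensor went silent while they kept
talking on the network, and hosts that have no sensor at all.
All records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor heartbeats. Fields: timestamp, host.
# ws-01 stops reporting after 10:05; ws-02 keeps reporting.
HEARTBEATS = """
2026-05-13T10:00:00Z ws-01
2026-05-13T10:05:00Z ws-01
2026-05-13T10:00:00Z ws-02
2026-05-13T10:05:00Z ws-02
2026-05-13T10:10:00Z ws-02
2026-05-13T10:15:00Z ws-02
"""

# Constructed network flows from a firewall or switch. Fields: timestamp, host, destination.
# cam-lobby is a camera that has never had a sensor installed.
FLOWS = """
2026-05-13T10:16:00Z ws-01 10.0.5.20:445
2026-05-13T10:17:00Z ws-01 10.0.5.21:445
2026-05-13T10:16:30Z ws-02 10.0.9.9:443
2026-05-13T10:16:45Z cam-lobby 10.0.5.20:445
"""


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_records(text):
    """Map host -> sorted list of timestamps; the trailing field(s) are ignored."""
    per_host = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, *_ = line.split()
        per_host[host].append(_parse_ts(ts))
    for host in per_host:
        per_host[host].sort()
    return per_host


def find_silent_sensors(heartbeats, flows, max_gap=timedelta(minutes=7)):
    """Hosts with a sensor whose last heartbeat is older than `max_gap`
    relative to the host's latest observed network flow.
    Returns [(host, gap_in_minutes)] sorted by host."""
    silent = []
    for host, beats in heartbeats.items():
        if host not in flows:
            continue  # no traffic to compare against
        gap = flows[host][-1] - beats[-1]
        if gap > max_gap:
            silent.append((host, int(gap.total_seconds() // 60)))
    return sorted(silent)


def find_unmanaged(heartbeats, flows):
    """Hosts that appear in network flows but have never sent a sensor heartbeat."""
    return sorted(host for host in flows if host not in heartbeats)


if __name__ == "__main__":
    beats = parse_records(HEARTBEATS)
    seen = parse_records(FLOWS)
    print("sensor silent while host active:", find_silent_sensors(beats, seen))  # [('ws-01', 12)]
    print("unmanaged hosts on the network:", find_unmanaged(beats, seen))       # ['cam-lobby']
```

The heartbeat interval and the allowed gap are assumptions; set `max_gap` to a small multiple of whatever interval your own agent actually reports at, and treat a silent sensor on an active host as an incident to verify rather than an alert to file.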

The advisory specifically warns organizations to map network edge devices and implement stronger trust controls.

Cyber threats are not becoming noisier.

They are becoming quieter.

They are hiding inside everyday devices.

They are blending into normal operations.

And they are counting on organizations to rely on detection alone.

Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.
