# China-Backed Hackers Are Industrializing Botnets for Low-Cost, Deniable Attacks


State-sponsored threat actors from China have adopted a new operational paradigm that transforms compromised device networks into persistent, scalable attack infrastructure. Rather than conducting isolated intrusions or deploying expensive custom malware, Chinese threat groups are now systematizing the use of botnets—networks of compromised computers and IoT devices—as a cost-effective, low-attribution method for conducting espionage, sabotage, and disruption campaigns against government agencies, critical infrastructure, and private sector targets worldwide.


This shift represents a significant evolution in adversary tactics, moving away from high-profile, technically sophisticated attacks toward an industrial-scale approach that distributes risk, minimizes detection, and creates plausible deniability through the use of seemingly random compromised machines as attack vectors.


## The Botnet Industrialization Strategy


China's intelligence agencies and state-sponsored hacking groups have long maintained advanced persistent threat (APT) capabilities. However, security researchers tracking these actors have documented a notable shift in recent years toward leveraging existing botnet infrastructure rather than exclusively building custom networks for each operation.


This approach offers distinct advantages:


| Advantage | Description |
|-----------|-------------|
| Cost Efficiency | Reuses existing compromised infrastructure rather than deploying targeted malware |
| Scalability | Can mobilize thousands of devices simultaneously across geographies |
| Deniability | Attacks originate from diverse, unrelated machines, complicating attribution |
| Persistence | Botnets remain operational for months or years after initial compromise |
| Risk Distribution | No single compromise reveals the full operation's scope or objectives |


Rather than maintaining small teams of elite operators focused on specific targets, Chinese threat actors are now adopting an industrial model analogous to cyber mercenary operations—purchasing access to existing botnet infrastructure, leasing command-and-control capacity, or deploying their own malware at scale across vulnerable devices.


## Background: The Evolution of State-Sponsored Botnets


For over a decade, cybersecurity researchers have observed Chinese state-backed groups using botnets for espionage and disruption. However, the sophistication and scale have increased markedly since 2020.


Early botnet operations typically involved:

  • Custom malware targeting specific critical infrastructure sectors
  • Relatively small networks (hundreds to low thousands of devices)
  • Manual management and deployment
  • Limited geographic distribution

Current industrial-scale operations now feature:

  • Automated command and control infrastructure managing tens of thousands of devices
  • Modular payload delivery allowing rapid customization for different target environments
  • Distributed ownership where the botnet operator controls only a portion of the network
  • Compartmentalized operations where different teams manage different aspects of the infrastructure
  • Supply chain relationships between botnet operators, malware developers, and end-user threat groups


## Technical Architecture and Methods


Chinese-backed botnet operations typically follow a layered infrastructure model:


### Infection and Propagation

Compromised devices are often infected through:

  • Unpatched vulnerabilities in routers, modems, and IoT devices
  • Credential compromise on exposed management interfaces
  • Supply chain attacks targeting firmware during manufacture or distribution
  • Drive-by downloads from compromised websites
  • Watering hole attacks targeting industry-specific forums and portals


### Command and Control

Rather than direct connections, modern botnets employ:

  • Multi-tiered proxy networks that obscure the operator's true location
  • Decentralized communication protocols using peer-to-peer mesh networks
  • Domain generation algorithms (DGAs) that dynamically generate command server addresses
  • Blockchain-based communications in some sophisticated variants
  • Steganographic channels hiding commands in seemingly benign traffic (DNS queries, HTTP headers)


### Attack Payload Delivery

Once activated, botnets deliver:

  • Credential stealers capturing usernames and passwords from infected machines
  • Lateral movement tools enabling access to connected corporate networks
  • Packet sniffing utilities capturing network traffic for espionage
  • Distributed denial-of-service (DDoS) agents capable of overwhelming target infrastructure
  • Ransomware and wiper malware for destructive operations


## Attribution and Evidence


Security researchers from Mandiant, CrowdStrike, and Unit 42 (Palo Alto Networks) have attributed recent large-scale botnet operations to China's Ministry of State Security (MSS) and the People's Liberation Army (PLA) cyber units, primarily based on:


  • Code similarities to known Chinese state-sponsored malware families
  • Targeting patterns aligned with Chinese geopolitical and economic interests
  • Infrastructure overlap with previously identified Chinese C2 servers
  • Timing correlations with Chinese national priorities and Five-Year Plan objectives
  • Language and cultural artifacts in malware source code and operational documentation


However, the deliberate use of compromised third-party botnet infrastructure creates significant attribution challenges. By funneling operations through existing criminal botnets, state actors can obscure their involvement and create alternative attribution narratives.


## Implications for Organizations and Governments


### Operational Risk

Organizations worldwide face heightened risk from botnet-based attacks:


  • Extended dwell time: Botnets persist silently for months, allowing adversaries to map networks and identify high-value targets before conducting theft or sabotage
  • Subtle reconnaissance: Rather than noisy scanning, botnets conduct patient observation of network behavior, systems, and security posture
  • Coordinated attacks: Multiple botnets can be synchronized to overwhelm defenses or execute complex multi-stage attacks simultaneously


### Sector-Specific Concerns

Critical infrastructure (power grids, water systems, transportation) faces particular risk, as botnets can conduct:

  • Pre-attack reconnaissance before kinetic operations
  • Denial-of-service attacks masquerading as internet congestion
  • Credential theft enabling insider threats


Healthcare, financial services, and telecommunications are similarly targeted for espionage and competitive advantage.


### Geopolitical Consequences

Botnet-based attacks enable adversaries to:

  • Conduct espionage with reduced diplomatic consequences
  • Gather intelligence on emerging technologies and business strategies
  • Create strategic advantages in trade negotiations
  • Test defensive capabilities and response times before major operations


## Recommendations for Defense and Response


### For Organizations

1. Asset discovery: Maintain a complete inventory of all connected devices, including IoT and operational technology systems

2. Vulnerability management: Prioritize patching of internet-facing devices (routers, firewalls, VPNs)

3. Network segmentation: Isolate critical systems from general corporate networks to contain botnet spread

4. Behavioral monitoring: Deploy endpoint detection and response (EDR) tools to identify unusual outbound connections or command execution

5. Credential hygiene: Enforce multi-factor authentication and rotate credentials regularly

6. Incident response: Develop and practice procedures for detecting and remediating botnet infections
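As an added example (not code from the article or from any vendor it names), the following detection logic ties the behavioral-monitoring recommendation above to the DGA and DNS-hidden command channels described under Command and Control: it sweeps resolver log lines and flags clients whose queries look like a bot walking a DGA candidate list (random-looking labels, mostly NXDOMAIN answers) or carrying oversized encoded labels. The log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (client, queried name, rcode); these
# addresses, names and outcomes are made up and are not real indicators.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 qzkx7vw2m4hpd.com NXDOMAIN
10.0.0.9 b9t3sl0xrq1yf.net NXDOMAIN
10.0.0.9 xk2p9mzq7vtrw.org NXDOMAIN
10.0.0.9 mail.example.com NOERROR
10.0.0.9 gh5wq1n8zrx3k.info NXDOMAIN
10.0.0.9 l2r9d4kxm7wvq.com NXDOMAIN
10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example.org NOERROR
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

def shannon_entropy(text):
    """Bits per character; machine-generated labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_name(name):
    """Heuristic DGA/tunnel check on the leftmost label of a queried name."""
    label = name.split(".")[0].lower()
    if len(label) >= 30:   # oversized label: room for an encoded payload
        return True
    if len(label) < 10:    # short labels (www, mail, cdn) are normal
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25

def score_clients(log_text, min_queries=5):
    """Per-client counts; flag repeated suspicious names or a majority of
    NXDOMAIN answers, both typical of a bot probing DGA candidates."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "suspicious": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        client, name, rcode = m.groups()
        s = stats[client]
        s["total"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["suspicious"] += int(is_suspicious_name(name))
    for s in stats.values():
        s["flagged"] = s["total"] >= min_queries and (
            s["suspicious"] >= 3 or s["nxdomain"] / s["total"] >= 0.5)
    return dict(stats)
```

Flagged clients are candidates for EDR triage, not verdicts: legitimate CDNs and telemetry services also use long or random-looking labels, so tune the thresholds against a baseline of your own resolver logs.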


### For Government

1. Intelligence sharing: Disseminate indicators of compromise (IoCs) and botnet signatures to private sector partners

2. Sanctions and attribution: Publicly attribute botnet operations to increase costs and consequences for state-sponsored actors

3. Technology partnerships: Collaborate with technology companies on botnet takedown operations

4. Defensive cyber operations: Conduct authorized operations to disrupt botnet command infrastructure


## Conclusion


The industrialization of botnets by Chinese state-backed actors represents a maturation of cyber warfare capabilities toward an operationally efficient, scalable model that maximizes deniability while minimizing cost. Organizations must recognize that defensive strategies designed for targeted APT campaigns are insufficient against adversaries operating through massive, distributed botnet infrastructure.


The challenge ahead is not detecting a single sophisticated intrusion, but rather identifying and remediating infections within the noise of global internet traffic—a task requiring advanced monitoring, threat intelligence, and cross-organizational coordination.