China-Nexus APT Activity Has Moved Off the Network Edge
Threat Intelligence
China-linked APT groups have largely shifted from zero-days in enterprise firewall and VPN appliances to compromised SOHO routers, unmanaged edge devices inside the target, and cloud identity abuse. The detection model that worked in 2022 misses most of the activity in 2026.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 8, 2024 · 8 min read
In 2021 and 2022, the China-nexus APT story was about firewall and VPN appliance zero-days. Pulse Secure, Fortinet FortiOS, Citrix NetScaler, Sophos, Ivanti Connect Secure. APT41, APT5, Volt Typhoon and adjacent clusters were burning through edge appliance vulns at a remarkable rate. Defenders responded by hardening those devices, enabling logging, and getting EDR-equivalent visibility on management interfaces.
The activity has moved. Through 2025 and into 2026, the dominant pattern in the China-nexus intrusions we have responded to has three parts: SOHO routers compromised outside the target and stitched into ORB (Operational Relay Box) infrastructure; unmanaged edge devices such as branch routers and IP cameras inside target environments; and cloud identity abuse via OAuth grants, federated SAML, and stolen Entra ID refresh tokens. The network appliance era is not over, but it is no longer where the leverage is.
ORB networks and the upstream problem
Volt Typhoon's KV-Botnet disclosure was a watershed. The model: compromise tens of thousands of end-of-life SOHO routers worldwide, stitch them into rotating proxy networks, and use them as the last hop before touching a target. From the target's perspective, the inbound connection comes from a Comcast or Spectrum residential IP in their own country, often in the same geography as their own employees. Geofencing fails. ASN reputation fails. The connection looks like a remote employee.
This is the upstream half of living-off-the-land: the infrastructure blends in before the operator ever touches a host. The downstream half, once inside, has also matured. PowerShell script block logging is widely enabled now, so APT operators have shifted to LOLBins such as esentutl.exe (copying a locked ntds.dit via a volume shadow copy) and ntdsutil's IFM export run through legitimate admin tooling for Active Directory database extraction, WMI for lateral movement, and increasingly to dual-use commercial remote access tools like AnyDesk, Atera, or ScreenConnect that the org's own admins also use.
Cloud identity is the new lateral movement
Three of the last six China-nexus incidents we worked involved no traditional malware on user endpoints at all. The pattern: a session token obtained by phishing or from an infostealer, persistence via a long-lived refresh token in Entra ID, OAuth consent to a benign-sounding app that holds Mail.Read and Files.Read.All (scoped to the consenting user, or to the whole tenant when an admin consents), then 30 to 90 days of patient mailbox and SharePoint reconnaissance before any noisy action.
- Targets are increasingly executives, M&A teams, legal counsel, and government affairs, not IT or finance.
- Persistence is via OAuth grants and service principals, not endpoint malware.
- Detection needs to live in identity logs (sign-in, audit, OAuth consent) more than in EDR.
- Hunting questions: which OAuth apps in your tenant have Mail.Read or Files.Read.All? Who consented, and was it user or admin consent? When? From what IP?
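The hunting questions above can be answered from the Entra ID directory audit log rather than from EDR. The following script is an added example, not code from the original post or from BIPI: it parses "Consent to application" events, pulls out the app, the consenting user, the timestamp, the source IP and the granted scopes, flags grants that carry the reconnaissance permissions named above, marks tenant-wide (admin) consent, and checks the consenting IP against a per-user sign-in baseline. Assumptions: the record layout follows my reading of the Microsoft Graph `auditLogs/directoryAudits` JSON export (verify field names against your own tenant's export); the two audit records, the `USER_IP_BASELINE` table and the `HIGH_RISK_SCOPES` list are constructed for the example.

```python
"""Hunt for risky OAuth consent grants in an Entra ID directory-audit export.

Added example, not from the original post. ASSUMPTION: record fields follow
the Graph auditLogs/directoryAudits export for "Consent to application";
sample records, IP baseline and scope list below are constructed.
"""
import json
import re
from dataclasses import dataclass, field

# Graph permissions the post calls out for mailbox/SharePoint reconnaissance.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Sites.Read.All", "MailboxSettings.Read"}

# Constructed: IPs each user normally signs in from (e.g. last 30 days of sign-in logs).
USER_IP_BASELINE = {
    "cfo@example.com": {"198.51.100.10", "198.51.100.11"},
    "itadmin@example.com": {"198.51.100.20"},
}

# Constructed: two "Consent to application" audit records, one user consent
# for a mail/files app from an unfamiliar IP, one admin consent for User.Read.
SAMPLE_AUDIT_EXPORT = json.dumps([
    {"activityDateTime": "2025-11-03T07:41:22Z",
     "activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com",
                              "ipAddress": "203.0.113.45"}},
     "targetResources": [{"displayName": "Mail Productivity Helper",
         "modifiedProperties": [
             {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
             {"displayName": "ConsentAction.Permissions",
              "newValue": "\"[] => [[Id: g1, ClientId: c1, PrincipalId: u1, "
                          "ResourceId: r1, ConsentType: Principal, "
                          "Scope: offline_access Mail.Read Files.Read.All]]\""}]}]},
    {"activityDateTime": "2025-11-04T13:05:09Z",
     "activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com",
                              "ipAddress": "198.51.100.20"}},
     "targetResources": [{"displayName": "Ticketing Connector",
         "modifiedProperties": [
             {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
             {"displayName": "ConsentAction.Permissions",
              "newValue": "\"[] => [[Id: g2, ClientId: c2, PrincipalId: , "
                          "ResourceId: r1, ConsentType: AllPrincipals, "
                          "Scope: User.Read]]\""}]}]},
])


@dataclass
class ConsentGrant:
    when: str
    app: str
    user: str
    ip: str
    tenant_wide: bool          # admin consent / AllPrincipals applies to every user
    scopes: set = field(default_factory=set)

    @property
    def risky_scopes(self):
        return self.scopes & HIGH_RISK_SCOPES

    @property
    def ip_new_for_user(self):
        return self.ip not in USER_IP_BASELINE.get(self.user, set())


def parse_consent_events(export_json):
    """Extract ConsentGrant records from a directoryAudits JSON array."""
    grants = []
    for rec in json.loads(export_json):
        if (rec.get("activityDisplayName") != "Consent to application"
                or rec.get("result") != "success"):
            continue
        actor = rec.get("initiatedBy", {}).get("user", {})
        target = rec["targetResources"][0]
        # newValue fields are JSON-encoded strings, so strip the outer quotes.
        props = {p["displayName"]: p["newValue"].strip('"')
                 for p in target.get("modifiedProperties", [])}
        m = re.search(r"ConsentType:\s*(\w+),\s*Scope:\s*([^\]]+)",
                      props.get("ConsentAction.Permissions", ""))
        consent_type, scope_str = (m.group(1), m.group(2)) if m else ("", "")
        grants.append(ConsentGrant(
            when=rec["activityDateTime"], app=target["displayName"],
            user=actor.get("userPrincipalName", "?"), ip=actor.get("ipAddress", "?"),
            tenant_wide=(consent_type == "AllPrincipals"
                         or props.get("ConsentContext.IsAdminConsent") == "True"),
            scopes=set(scope_str.split())))
    return grants


def risky_grants(grants):
    """Grants holding any high-risk scope, most recent first."""
    return sorted((g for g in grants if g.risky_scopes),
                  key=lambda g: g.when, reverse=True)


if __name__ == "__main__":
    for g in risky_grants(parse_consent_events(SAMPLE_AUDIT_EXPORT)):
        flags = ["TENANT-WIDE"] if g.tenant_wide else []
        if g.ip_new_for_user:
            flags.append("IP not in user's sign-in baseline")
        print(f"{g.when} {g.app!r} <- {g.user} @ {g.ip} "
              f"scopes={sorted(g.risky_scopes)} {flags}")
```

Run against a real export, the interesting rows are exactly the combination the post describes: a non-IT user, a consent from an IP the user has never signed in from, and a scope set that reads mail or files. A tenant-wide grant with those scopes from any account deserves a call, not a ticket.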
What defense actually looks like in 2026
The 2022 detection stack was firewall logs, EDR, and a SIEM correlation rule for known C2. The 2026 stack adds three things.
- Identity behavior analytics: anomalous OAuth consent, unusual refresh token redemption patterns (new device, new client app, or a token redeemed long after its last use), and impossible-travel logic that accounts for the fact that ORB exits sit in the victim's own geography, so a "local" residential IP is not by itself a clean signal.
- Edge device telemetry: NetFlow or sFlow at egress, plus inventory and firmware monitoring on every internet-facing device including the ones IT does not formally own.
- Mailbox and collaboration auditing: who is reading what, from where, at what cadence. The China-nexus operators we have responded to are reading mail for weeks, not exfiltrating it.
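The edge-device item in the list above rests on one join that many environments never make: egress flow records against the asset inventory. The script below is an added example, not code from the original post or from BIPI. It takes a NetFlow-style egress export, reports internal hosts that talk to the internet but are absent from the inventory (the cameras and branch routers IT does not formally own), and scores each source/destination pair for regular inter-arrival timing as a beacon hint. Assumptions: the flow export is a CSV with `start,src,dst,dport,bytes` columns, the inventory is a set of managed IPs, and both sample tables are constructed.

```python
"""Surface unmanaged internal devices from egress flow records.

Added example, not from the original post. ASSUMPTION: flows are a CSV
with start,src,dst,dport,bytes; the inventory and the flow rows below are
constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Constructed: hosts the IT asset inventory knows about.
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.2.5"}

# Constructed egress flows: two managed hosts, one unknown device beaconing
# every ~10 minutes, and one unknown device with a single connection.
SAMPLE_FLOWS = """start,src,dst,dport,bytes
2026-01-12T09:00:01Z,10.0.1.10,142.250.0.1,443,18200
2026-01-12T09:00:05Z,10.0.3.77,198.51.100.8,443,1200
2026-01-12T09:02:11Z,10.0.1.11,203.0.113.9,443,99000
2026-01-12T09:10:05Z,10.0.3.77,198.51.100.8,443,1180
2026-01-12T09:20:06Z,10.0.3.77,198.51.100.8,443,1210
2026-01-12T09:30:04Z,10.0.3.77,198.51.100.8,443,1195
2026-01-12T09:44:50Z,10.0.3.78,203.0.113.200,8443,5000
"""


def parse_flows(text):
    """Parse the CSV export into dicts with a datetime start and int bytes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.fromisoformat(r["start"].replace("Z", "+00:00"))
        r["bytes"] = int(r["bytes"])
    return rows


def unmanaged_talkers(flows, inventory=INVENTORY, internal=INTERNAL):
    """Map {src: {dst: [flow start times]}} for internal sources that are
    not in the inventory and that reach a non-internal destination."""
    out = defaultdict(lambda: defaultdict(list))
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in internal and dst not in internal and f["src"] not in inventory:
            out[f["src"]][f["dst"]].append(f["start"])
    return out


def beacon_score(starts, tolerance=0.2):
    """Fraction of inter-arrival gaps within +-tolerance of the median gap.
    Needs at least three flows; 1.0 means perfectly regular timing."""
    if len(starts) < 3:
        return 0.0
    ts = sorted(starts)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if median <= 0:
        return 0.0
    return sum(abs(g - median) <= tolerance * median for g in gaps) / len(gaps)


if __name__ == "__main__":
    for src, dsts in unmanaged_talkers(parse_flows(SAMPLE_FLOWS)).items():
        for dst, starts in dsts.items():
            print(f"unmanaged {src} -> {dst}: {len(starts)} flows, "
                  f"beacon score {beacon_score(starts):.2f}")
```

The inventory gap is the finding on its own; the beacon score only ranks which unmanaged device to look at first. A camera that is not in the CMDB and talks to one external host on a fixed cadence is exactly the kind of device the post describes being used from inside the target.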
What this means for threat intel teams
The IOC model is increasingly poor for this activity. Hashes do not exist when there is no malware. C2 IPs do not help when the infrastructure is residential routers in the target's own country. Domain reputation does not help when the operator is using compromised legitimate sites as redirectors.
What does work: behavioral signatures, identity anomaly baselines, and tradecraft-level threat profiles. The China-nexus clusters have distinctive patterns in how they structure OAuth abuse, how they pace mailbox reconnaissance, and how they exit. Threat intel programs that index on those patterns are catching activity that IOC-driven programs are missing.
If your defense is still tuned for the 2022 picture, you are looking in the wrong direction. The activity has moved. Your detection should follow it.