China-nexus threat actors consistent with Volt Typhoon and associated ORB network operators are systematically compromising SOHO routers and IoT devices through default credentials, exposed management interfaces, and firmware backdoors to build covert proxy relay networks. No single CVE drives this campaign; it exploits persistent configuration failures. Any organization with unmanaged or consumer-grade network hardware on its perimeter, OT boundary, or in remote/branch office deployments faces elevated risk of serving as undetected relay infrastructure for espionage operations against downstream targets.