Comment by NitpickLawyer 9 hours ago
These aren't botnets in the traditional sense. These operations need a US-based laptop (they receive it by mail, from the "target" corporation upon employment) and they also need the mini-KVM device to be plugged in. Then the remote agents connect via that KVM, to make detection harder. To an enterprise IDS/IPS the laptop seems connected from a residential, US IP address (expected).
They've already arrested some people involved in this; they have devices as evidence. It's pretty well documented at this point.