The JDY botnet, a malware network previously linked to Chinese threat actors such as Volt Typhoon, has expanded its targeting and reconnaissance activity, with a strong focus on the United States.

Researchers at Black Lotus Labs by Lumen said they have been tracking the botnet’s growth and found that many of its compromised devices are located in the U.S. The botnet is also heavily focused on military and related networks, making its activity especially concerning for organizations that depend on exposed routers, firewalls, and IoT systems.

According to the security firm, JDY has grown from around 650 active bots in January 2024 to more than 1,500 compromised SOHO and IoT devices today. While that number may not seem large compared with traditional botnets, JDY is not built mainly for massive DDoS attacks. Instead, it works as a distributed scanning and fingerprinting network that helps its operators quickly identify vulnerable targets after new security flaws are disclosed.

Black Lotus Labs said its analysis shows JDY is being used to find vulnerable infrastructure soon after public vulnerability announcements. The company believes the collected reconnaissance data is quickly used by China-linked advanced persistent threat actors to support follow-on operations.

The botnet has been observed targeting several sectors, but researchers said the U.S. military and connected organizations stand out as the most prominent targets. CISA has previously warned that Volt Typhoon-linked actors pose a risk to unprotected SOHO routers and has urged device makers to remove weaknesses in router web management interfaces during product design and development.


JDY is designed to perform service discovery, banner grabbing, TLS certificate collection, protocol fingerprinting, and vulnerability-focused reconnaissance. The compromised devices include products from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, running on several MIPS-based architectures.

Researchers also found that JDY operators move quickly after new vulnerabilities become public. In one case, Lumen observed scans targeting CVE-2026-35616 shortly after Fortinet disclosed the FortiClient EMS vulnerability.

The botnet is controlled through hidden Tor services, which act as command-and-control infrastructure. In some cases, the attackers also use Platypus, an open-source reverse-shell and host-management framework.

Once the malware is installed on a device, it connects to a central dispatch service and receives scanning tasks. It then runs those scans, compresses the results, and sends them back to the command-and-control server. The botnet continues repeating this process until the operator tells it to stop.

JDY’s scanning module supports TCP scanning, SSL and TLS scanning, UDP scanning, ICMP probing, banner collection, TLS certificate harvesting, and service fingerprinting through downloadable rule sets.

Researchers said one of the botnet’s more notable technical features is its TCP scanning function. When the malware runs with enough privileges to open raw sockets, it crafts its own TCP SYN packets instead of completing full connections, which is faster and leaves fewer traces on the target (a half-open probe never reaches the application layer, so it rarely shows up in service logs). The crafted packets use a fixed source port, and the scanner works through large lists of targets in batches.

As JDY activity continues to grow, organizations are being urged to keep routers, firewalls, and IoT devices updated with the latest security patches. Defenders should also disable unnecessary internet-facing admin panels, limit remote management access, replace default passwords, and watch for unusual outbound scanning activity from edge devices, for example SYN-only connection attempts originating from a router’s own address to many unrelated hosts.
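The fixed-source-port raw SYN scanning described above gives defenders a concrete signal to hunt for in flow or firewall logs: a legitimate client varies its ephemeral source port from connection to connection, whereas a raw SYN scanner reuses one port across many targets. The following is an added example, not code from Black Lotus Labs or from the botnet; it assumes a simple space-separated flow-log format constructed here for illustration (timestamp, source IP, source port, destination IP, destination port, protocol, TCP flags), and the sample log lines are likewise constructed.

```python
"""Flag edge devices that emit raw SYN scans from a fixed source port.

Added example; not Black Lotus Labs' or JDY's code. Assumes a constructed
flow-log format:  <epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <flags>
A real deployment would feed NetFlow/IPFIX or firewall connection logs instead.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    flags: str


def parse_flow(line: str) -> Flow:
    """Parse one line of the assumed flow-log format."""
    ts, sip, sport, dip, dport, proto, flags = line.split()
    return Flow(int(ts), sip, int(sport), dip, int(dport), proto, flags)


def find_fixed_port_syn_scanners(lines, min_targets=20, min_port_share=0.9):
    """Return {src_ip: (fixed_port, distinct_targets)} for sources whose
    SYN-only TCP flows reach at least `min_targets` distinct dst IP:port
    pairs while at least `min_port_share` of them reuse one source port.
    Normal hosts spread connections over ephemeral ports, so a single
    dominant source port across many targets is the raw-scanner signature.
    """
    ports_by_src = defaultdict(Counter)   # src_ip -> Counter(src_port)
    targets_by_src = defaultdict(set)     # src_ip -> {(dst_ip, dst_port)}
    for line in lines:
        f = parse_flow(line)
        if f.proto != "tcp" or f.flags != "S":   # keep SYN-only (no ACK)
            continue
        ports_by_src[f.src_ip][f.src_port] += 1
        targets_by_src[f.src_ip].add((f.dst_ip, f.dst_port))

    hits = {}
    for src, ports in ports_by_src.items():
        total = sum(ports.values())
        port, count = ports.most_common(1)[0]
        targets = len(targets_by_src[src])
        if targets >= min_targets and count / total >= min_port_share:
            hits[src] = (port, targets)
    return hits


def constructed_log():
    """Constructed sample: router 192.0.2.1 sprays SYNs from port 40000 at
    40 hosts; workstation 192.0.2.50 browses normally with varying ports."""
    lines = []
    for i in range(40):
        lines.append(f"{1700000000 + i} 192.0.2.1 40000 203.0.113.{i + 1} 443 tcp S")
    for i in range(8):
        lines.append(f"{1700000100 + i} 192.0.2.50 {50000 + i} 198.51.100.{i % 3 + 1} 443 tcp S")
        lines.append(f"{1700000101 + i} 192.0.2.50 {50000 + i} 198.51.100.{i % 3 + 1} 443 tcp A")
    return lines


if __name__ == "__main__":
    for src, (port, n) in find_fixed_port_syn_scanners(constructed_log()).items():
        print(f"{src}: SYN-only flows to {n} targets from fixed source port {port}")
```

Tune `min_targets` and `min_port_share` to the site; authorized vulnerability scanners and tools such as masscan also use a fixed source port, so allow-list known scanner addresses and treat a hit from a router, firewall or camera address as the interesting case.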

