Cybersecurity researchers have identified a significant resurgence and expansion of JDY, a covert botnet linked to Chinese state-sponsored threat actors. The network, composed mainly of compromised small office and home office (SOHO) and Internet of Things (IoT) devices, is being used for large-scale reconnaissance and targeting across the internet.
The JDY botnet, now comprising over 1,500 compromised devices, operates as a centrally controlled, high-performance scanner whose job is to discover, fingerprint, and continuously map exposed internet services. The expansion marks a strategic shift in how advanced persistent threat (APT) groups use compromised infrastructure in their campaigns.
JDY Botnet’s Resurgence and Expansion
First identified in mid-December 2023 as a cluster within the KV-botnet, JDY has since detached and grown independently. The U.S. government’s successful takedown of the core KV-botnet in early 2024 prompted behavioral changes within associated networks, leading to the second KV cluster largely going offline. Security analysts suspect that the JDY botnet operators may offer its services to various hacking groups while also conducting their own reconnaissance and targeting.
Lumen’s Black Lotus Labs reported that the JDY malware has broadened its scope, infecting a wider array of devices. It now serves as a conduit for feeding “structured reconnaissance data” into a larger scanning ecosystem, facilitating follow-on target identification and exploitation. This industrialized reconnaissance aims to flag vulnerable infrastructure shortly after vulnerabilities are publicly disclosed.
Growth and Diversification of the JDY Network
The botnet’s size has surged dramatically, growing from an estimated 650 bots at the start of January 2024 to over 1,500 compromised devices. The majority of these compromised nodes are located in the United States and Brazil, with significant presence also noted in Europe and Asia. This geographical distribution presents a significant challenge for detection and mitigation efforts.
Previously, the JDY cluster was predominantly composed of Cisco RV320 and RV325 routers. However, its current makeup is far more diverse, now including devices from brands such as Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. This diversification makes it more difficult to attribute malicious activity to specific vendor vulnerabilities or device types.
The large number of U.S.-based SOHO/IoT devices within the botnet allows operators to evade common defenses and traditional IP-based controls. These include geofencing, IP reputation-based detection, and static blocklists, according to Black Lotus Labs. By distributing scanning and reconnaissance activities across a wide range of IP addresses, the operators reduce the likelihood of any single IP being flagged as a scanner and subsequently blocked.
Furthermore, the use of compromised SOHO and IoT devices helps this malicious activity blend in with legitimate user traffic. This makes it considerably harder for network administrators to distinguish between normal network behavior and botnet operations, a common tactic in modern cyber-espionage campaigns.
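The evasion described above, a scan spread thinly across many residential addresses so that no single source crosses a per-IP threshold, suggests two complementary flow-log checks: the classic per-source fan-out count, and a per-destination count of how many distinct sources sent half-open probes to the same port in one window. The following is an added example written for this article, not code or detection content from Black Lotus Labs; the NetFlow-style records, addresses and thresholds are constructed for illustration, and the flags field is assumed to hold the client's cumulative TCP flags, so a bare "S" means the client never completed the handshake.

```python
"""Flow-log heuristics for single-source and distributed scanning (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line: str) -> dict:
    """Parse one constructed record: ISO time, src, dst, dst port, client TCP flags."""
    ts, src, dst, dport, flags = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "dst": dst, "dport": int(dport), "flags": flags,
    }


def _bucket(ts: datetime, window: timedelta) -> int:
    """Fixed time bucket index, so flows within one window group together."""
    return int(ts.timestamp()) // int(window.total_seconds())


def fanout_scanners(flows, window=timedelta(minutes=5), threshold=20, syn_only=True):
    """Per-source check: a source that sends half-open probes to many distinct
    (dst, port) targets inside one window is a scanner. Catches a loud node but
    misses a botnet that keeps every node below the threshold."""
    targets = defaultdict(set)  # (src, bucket) -> {(dst, dport)}
    for f in flows:
        if syn_only and f["flags"] != "S":
            continue  # completed connections are not half-open probes
        targets[(f["src"], _bucket(f["ts"], window))].add((f["dst"], f["dport"]))
    return sorted({src for (src, _), t in targets.items() if len(t) >= threshold})


def converging_sources(flows, window=timedelta(minutes=5), min_sources=10, max_per_source=3):
    """Per-destination check: a (dst, port) that receives half-open probes from
    many distinct sources, each sending only a few, is the low-and-slow pattern
    of a distributed scanner. Returns (dst, dport, number_of_quiet_sources)."""
    per_target = defaultdict(lambda: defaultdict(int))  # (dst, dport, bucket) -> src -> count
    for f in flows:
        if f["flags"] != "S":
            continue
        per_target[(f["dst"], f["dport"], _bucket(f["ts"], window))][f["src"]] += 1
    hits = []
    for (dst, dport, _), srcs in per_target.items():
        quiet = [s for s, n in srcs.items() if n <= max_per_source]
        if len(quiet) >= min_sources:
            hits.append((dst, dport, len(quiet)))
    return sorted(hits)


def build_sample() -> list:
    """Constructed telemetry (not real data): one noisy vertical scan, one
    distributed probe of a single port, and some benign completed sessions."""
    lines = []
    for i in range(25):  # one source sweeping 25 ports on one host
        lines.append(f"2026-04-03T10:00:{i:02d}Z 203.0.113.5 198.51.100.7 {8000 + i} S")
    for i in range(12):  # twelve unrelated sources, one SYN each, same port
        lines.append(f"2026-04-03T10:01:{i:02d}Z 192.0.2.{i + 1} 198.51.100.7 8443 S")
    for i in range(5):   # two clients with completed handshakes to 443
        lines.append(f"2026-04-03T10:02:{i:02d}Z 198.51.100.50 198.51.100.7 443 SAF")
        lines.append(f"2026-04-03T10:02:{i:02d}Z 198.51.100.51 198.51.100.7 443 SAF")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(l) for l in build_sample()]
    print("fan-out scanners:", fanout_scanners(flows))
    print("converging probes:", converging_sources(flows))
```

On the constructed sample the per-source check only catches 203.0.113.5, while the twelve single-SYN sources are invisible to it and are caught only by the per-destination check; in practice the second check needs a baseline per port, because a popular public service also sees many distinct sources in five minutes.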
Operational Modus Operandi and Capabilities
The JDY botnet operates on a layered architecture, with operators utilizing Tor nodes to manage infected infrastructure, including both command-and-control (C2) and payload servers. The C2 servers direct bots to perform targeted reconnaissance and system profiling, shifting away from indiscriminate scanning. The results of these scans are then sent to central servers for ongoing intelligence gathering, contributing to the broader objectives of Chinese nation-state actors.
Attack chains typically weaponize newly disclosed vulnerabilities in edge devices, such as CVE-2026-35616, to deliver a shell script dropper. The dropper first checks for an existing infection and, if none is found, downloads the primary payload built for the detected processor architecture (e.g., mips, mips64, mipsel, or mipsel64). Once running, the malware deletes its own file from disk, leaving minimal forensic evidence on storage. The process itself lives on only in memory, so on Linux-based devices it remains visible in the process list, with /proc/<pid>/exe pointing at a path marked "(deleted)", which is a useful check for responders who can still get a shell on the device.
The core malware fingerprints the host system, then receives scanning tasks from a central C2 server and executes high-volume probing over TCP, TLS, UDP, and ICMP. It captures responses such as TLS certificates and service metadata and reports the findings back to a dispatch server. The purpose of this activity is infrastructure reconnaissance rather than direct exploitation.
A notable capability of the JDY malware is an adaptive scanning method that depends on its privilege level on the local system. If the malware runs as root and can open a raw socket, it performs high-speed SYN scanning with custom-crafted TCP packets; a half-open SYN probe never completes the handshake, so the probed service never sees a connection and usually logs nothing, and only firewall or flow telemetry records it. If raw sockets are unavailable, or the task calls for web scanning, the engine falls back to ordinary TCP and TLS connections, or uses UDP and ICMP. The fallback completes the TCP handshake (and, for TLS tasks, the TLS handshake), so those probes do reach the target service and appear in its logs.
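The privilege-dependent branch above can be shown in a few dozen lines. The following is an added example written for this article, not JDY code: it probes whether the process may open a raw TCP socket, builds a minimal TCP SYN segment with a correct checksum for the raw-socket path, and offers a connect/TLS probe as the unprivileged fallback. Addresses and ports are placeholders; a real SYN scanner would also have to sniff for the returning SYN/ACK, which is omitted here.

```python
"""Scan-mode selection, a hand-built TCP SYN segment, and a connect/TLS fallback
(added example, not code from the JDY malware or the Black Lotus Labs report)."""
import socket
import ssl
import struct


def select_scan_mode() -> str:
    """Return "syn" if a raw TCP socket can be opened (root or CAP_NET_RAW on
    Linux), otherwise "connect". Mirrors the privilege check described above."""
    try:
        raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:  # PermissionError is a subclass of OSError
        return "connect"
    raw.close()
    return "syn"


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment. Over a segment
    whose checksum field is already correct the result is 0."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_syn_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """20-byte TCP header with only the SYN flag set and the checksum filled in."""
    offset_flags = (5 << 12) | 0x02  # data offset 5 words, flags = SYN
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def send_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0) -> None:
    """Privileged path: hand the crafted segment to a raw TCP socket. The kernel
    prepends the IP header, so src_ip must be the address it will actually use,
    because that address is part of the checksum pseudo-header. Not run by the test."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as raw:
        raw.sendto(build_syn_segment(src_ip, dst_ip, sport, dport, seq), (dst_ip, 0))


def connect_probe(host: str, port: int, timeout: float = 3.0, use_tls: bool = False) -> dict:
    """Unprivileged path: complete the TCP handshake and, optionally, a TLS
    handshake, recording the certificate the service presents. Because the
    handshake completes, this probe is visible to the service. Not run by the test."""
    result = {"host": host, "port": port, "open": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            if use_tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False       # reconnaissance does not care
                ctx.verify_mode = ssl.CERT_NONE  # whether the cert validates
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls_version"] = tls.version()
                    result["cert_pem"] = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    except (OSError, ssl.SSLError) as exc:
        result["error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    print("scan mode:", select_scan_mode())
    seg = build_syn_segment("192.0.2.10", "198.51.100.20", 40000, 443, seq=1)
    print("SYN segment:", seg.hex(), "checksum verifies:", tcp_checksum("192.0.2.10", "198.51.100.20", seg) == 0)
```

Run unprivileged, `select_scan_mode()` returns "connect" and the code would take the `connect_probe` path; as root it returns "syn". The checksum verification in the usage block is the same check a receiving stack performs, which is why hand-built segments without it are silently dropped.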
This comprehensive data collection and reconnaissance activity likely informs asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems. The JDY botnet demonstrates how IoT/SOHO botnets and covert networks of compromised devices are being repurposed for rapid vulnerability exploitation. Its growth and continued operation highlight the persistence and adaptability of modern reconnaissance networks, even after takedowns, within broader adversary ecosystems.
The evolution of JDY from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability underscores that disrupting individual nodes or clusters does not eliminate the underlying threat capability. Instead, the capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosures. Organizations should remain vigilant and ensure their edge devices and networks are patched against known vulnerabilities, as the threat landscape continues to evolve.