
China-linked JDY Botnet Targets US Military Networks

June 11, 2026 04:05 · 12 min read

Introduction to the JDY Botnet

The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts. According to researchers at Black Lotus Labs by Lumen, who have been monitoring its activity, JDY maintains a strong focus on the United States, where many of its compromised devices are located and where it heavily targets military and associated networks.

Expansion and Growth

The security firm notes that JDY has grown from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today. While the numbers seem low, it's essential to note that JDY isn't an exploitation framework or a DDoS botnet that requires large swarms to accumulate firepower, but is instead a distributed scanning and fingerprinting network that helps its operators locate targets vulnerable to newly disclosed flaws.

"Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors," reads the Black Lotus Labs report. This targeted focus has been observed across a range of sectors, with the U.S. military and associated entities as the most prominent.

Compromised Devices and Vulnerabilities

Among the compromised devices are those from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, for MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. The threat actors are quick to target newly disclosed vulnerabilities, with Lumen researchers observing JDY scans targeting CVE-2026-35616 shortly after Fortinet publicly disclosed the FortiClient EMS flaw.

Command and Control Infrastructure

The operators control the botnet through hidden Tor services, which also serve as command-and-control (C2) infrastructure. The open-source reverse-shell and host-management framework Platypus is also used in some cases. An overview of the JDY network shows that the malware registers with a central "Dispatch Service" and receives scanning assignments; it executes each assignment, compresses the results, and sends them back to the C2.

Scanning Module and Techniques

The scanning module supports TCP scanning, SSL/TLS scanning, UDP scanning, ICMP probing, banner collection, TLS certificate harvesting, and service fingerprinting using downloadable rule sets. The botnet client repeats the same cycle until the operator specifically orders it to stop. The TCP scanning function is "one of the most technically interesting," say the researchers, explaining that, when JDY has sufficient privileges, it performs much faster and stealthier raw SYN scanning.

"If the malware can open a raw socket, which generally requires root or administrative privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets," explains the report. These custom packets use a fixed source port of 19000, increment the destination ports one at a time, and batch-process thousands of scan targets.
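One way to turn the fingerprint just described into a detection check, as an added example that is not code from the Lumen report or from BleepingComputer: it reads a constructed list of simplified flow records (a hypothetical "src,sport,dst,dport,flags" format, not any real sensor's export) and flags sources whose SYN-only probes come from port 19000 and walk destination ports one at a time; the MIN_SEQUENTIAL_PORTS threshold is an assumption, not a value from the report.

```python
# Added example (not the report's code): flag outbound SYN-only probes matching the
# JDY raw-scan fingerprint above: fixed source port 19000, destination ports +1 each.
from collections import defaultdict

JDY_SRC_PORT = 19000      # fixed source port reported for JDY raw SYN scans
MIN_SEQUENTIAL_PORTS = 5  # assumed alert threshold for a stepwise port walk

def find_jdy_syn_scanners(lines):
    """Input: constructed 'src,sport,dst,dport,flags' records (hypothetical format).
    Output: {src_ip: [(dst_ip, sorted_ports), ...]} for pairs that show a run of
    MIN_SEQUENTIAL_PORTS consecutive destination ports probed from port 19000."""
    by_pair = defaultdict(set)
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip malformed records rather than crashing the detector
        src, sport, dst, dport, flags = parts
        # Keep only SYN-without-ACK probes from the fixed JDY source port.
        if flags == "S" and sport.isdigit() and int(sport) == JDY_SRC_PORT and dport.isdigit():
            by_pair[(src, dst)].add(int(dport))
    hits = defaultdict(list)
    for (src, dst), portset in by_pair.items():
        ports = sorted(portset)
        run = longest = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1   # count +1 steps, reset on gaps
            longest = max(longest, run)
        if longest >= MIN_SEQUENTIAL_PORTS:
            hits[src].append((dst, ports))
    return dict(hits)

# Constructed sample: one edge device walking ports 80..86 on two targets, plus
# benign client traffic on ephemeral source ports and a lone sub-threshold probe.
SAMPLE_FLOWS = [f"10.0.0.5,19000,203.0.113.{t},{p},S"
                for t in (10, 11) for p in range(80, 87)] + [
    "10.0.0.7,51234,198.51.100.20,443,S",
    "10.0.0.7,51235,198.51.100.20,443,SA",
    "10.0.0.5,19000,203.0.113.12,22,S",
    "not,a,record",
]

if __name__ == "__main__":
    for src, targets in find_jdy_syn_scanners(SAMPLE_FLOWS).items():
        for dst, ports in targets:
            print(f"ALERT {src} -> {dst}: sequential SYNs from port {JDY_SRC_PORT}: {ports}")
```

Real deployments would feed this from NetFlow or Zeek conn records and tune the threshold to the site's baseline, since a single stray SYN from port 19000 proves nothing on its own.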

Recommendations and Mitigations

As JDY botnet activity increases, organizations should ensure routers, firewalls, and IoT devices are running the latest security updates and patches to prevent them from being recruited into reconnaissance networks. Defenders should also reduce their external attack surface by disabling unnecessary internet-exposed administrative interfaces, restricting remote management access, replacing default credentials, and monitoring for unusual outbound scanning activity originating from edge devices.


Source: BleepingComputer
