China-Linked JDY Botnet Expands, Targets SOHO and IoT Devices

A China-linked botnet known as JDY has significantly expanded its reach, now controlling over 1,500 small office/home office (SOHO) and Internet of Things (IoT) devices across the United States, Europe, and Asia. Unlike traditional botnets that launch direct attacks, JDY focuses on scanning the internet for vulnerable systems and relaying this intelligence to Chinese hacker groups.

Initially discovered in late 2023 as part of the KV-botnet operation, JDY was associated with China-backed groups like Volt Typhoon, which targeted U.S. critical infrastructure. After U.S. government efforts dismantled the KV cluster, JDY’s activity declined to around 650 active bots by January 2024. However, it has since more than doubled in size, indicating a strategic resurgence.

According to Lumen’s Black Lotus Labs, JDY now targets a broader range of devices from manufacturers such as Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks. The botnet’s operators demonstrate remarkable agility, shifting their scanning focus almost immediately after new vulnerabilities are disclosed. For instance, within hours of the public disclosure of CVE-2026-35616, researchers observed a spike in scans targeting Fortinet devices.

JDY’s victims are predominantly U.S.-based, with scanning activity concentrated on networks associated with U.S. military entities. By compromising ordinary home and small business routers, the botnet’s traffic blends seamlessly with normal internet activity, complicating detection efforts.

JDY operates through a sophisticated system that maintains operator anonymity while keeping bots active. Infected devices receive scanning tasks from a command-and-control server communicating via hidden Tor nodes, making it nearly impossible to trace back to the operators. The bots perform multiprotocol scans across TCP, UDP, SSL, and ICMP channels, then send compressed, encrypted results back to the central server.

The malware targets Linux-based systems built for MIPS and MIPSEL processor architectures, commonly found in home routers and edge network devices. A lightweight bash dropper handles the infection process: it detects the device’s processor type, downloads the corresponding payload, executes it, and deletes the file from disk. Some devices are also managed through Platypus, an open-source remote shell tool, with the payload server at 149.248.3[.]38 hosting a Platypus instance on port 13339.

By distributing scanning tasks across thousands of devices with different IP addresses, JDY effectively circumvents traditional defenses like blocklists and geofencing. This expansion underscores the persistent threat posed by state-sponsored cyber operations and highlights the critical need for robust cybersecurity measures to protect vulnerable devices.
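As an added defensive illustration, not code from the article or from Black Lotus Labs, the following Python flags the two behaviours described above in constructed flow records: contact with the published payload server on port 13339, and many low-volume sources probing the same port, the pattern that slips past per-source blocklists. The thresholds, the flow format and the sample addresses are assumptions.

```python
"""Added example, not code from the article or from Black Lotus Labs. Flags
(1) flows to the payload server the article names, 149.248.3.38:13339, and
(2) distributed scans: many sources, each sending a flow or two, at one port."""
from collections import defaultdict

# Indicator published in the article (defanged there as 149.248.3[.]38).
PAYLOAD_SERVER = ("149.248.3.38", 13339)

# Constructed sample flows: "src_ip dst_ip dst_port proto" (not real traffic).
SAMPLE_FLOWS = [
    "10.0.0.5 149.248.3.38 13339 tcp",      # infected router fetching payload
    "203.0.113.10 198.51.100.7 22 tcp",     # five quiet sources, one port
    "203.0.113.11 198.51.100.8 22 tcp",
    "203.0.113.12 198.51.100.9 22 tcp",
    "203.0.113.13 198.51.100.7 22 tcp",
    "203.0.113.14 198.51.100.8 22 tcp",
    "192.0.2.1 198.51.100.7 443 tcp",       # one busy client, not a scan
    "192.0.2.1 198.51.100.7 443 tcp",
    "192.0.2.1 198.51.100.7 443 tcp",
]

def parse_flows(lines):
    """Return (src, dst, port, proto) tuples, skipping malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            flows.append((parts[0], parts[1], int(parts[2]), parts[3]))
    return flows

def payload_server_contacts(flows):
    """Sources that reached the published payload server on its Platypus port."""
    return sorted({src for src, dst, port, _ in flows
                   if (dst, port) == PAYLOAD_SERVER})

def distributed_scans(flows, min_sources=5, max_flows_per_source=2):
    """Ports probed by >= min_sources distinct sources where no single source
    sent more than max_flows_per_source flows: many quiet IPs doing together
    what one noisy scanner would do, so per-source thresholds never fire."""
    per_port = defaultdict(lambda: defaultdict(int))
    for src, _, port, _ in flows:
        per_port[port][src] += 1
    return {port: sorted(srcs) for port, srcs in per_port.items()
            if len(srcs) >= min_sources
            and max(srcs.values()) <= max_flows_per_source}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("payload server contacts:", payload_server_contacts(flows))
    print("distributed scans:", distributed_scans(flows))
```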

Source: Cyber Security News