Cybersecurity experts have identified a significant expansion of the JDY botnet, a covert network linked to Chinese state-sponsored threat actors. This botnet now comprises over 1,500 small office/home office (SOHO) and Internet of Things (IoT) devices, functioning as a centrally controlled, high-performance scanner designed to discover, fingerprint, and continuously map exposed services on a large scale.
Initially detected in mid-December 2023 as part of the KV-botnet, JDY was primarily utilized for extensive scanning of internet targets. The network, consisting of compromised SOHO routers, firewalls, and IoT devices, has been associated with Chinese hacking groups such as Volt Typhoon. Following the U.S. government’s dismantling of the KV-botnet in early 2024, operators of JDY adapted their tactics, after which the second KV cluster went largely offline. It is believed that the botnet is offered to various hacking groups while also conducting its own reconnaissance and targeting activities.
Recent findings indicate that JDY has broadened its scope, infecting a wider range of devices and serving as a conduit to feed structured reconnaissance data into a larger scanning ecosystem. This expansion facilitates the identification and exploitation of targets. The botnet is now employed to perform targeted scanning and service fingerprinting, aiming to identify vulnerable infrastructure following public vulnerability disclosures. This suggests an industrialized reconnaissance effort, with the results being leveraged by Chinese nation-state groups.
The botnet’s size has grown from 650 bots in January 2024 to over 1,500 compromised devices. The majority of these hacked nodes are located in the United States and Brazil, with additional infections in Europe and Asia. Previously, the botnet primarily consisted of Cisco RV320 and RV325 routers. However, its current composition is more diverse, including devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.
The extensive number of U.S.-based SOHO and IoT devices within the botnet allows operators to evade traditional defenses and IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists. By distributing scanning and reconnaissance activities across a wide range of IP addresses, the operators reduce the likelihood of any single IP being identified as a scanner and subsequently blocked. Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.
The botnet’s architecture is layered, with operators utilizing Tor nodes to manage infected infrastructure, including command-and-control (C2) and payload servers. The C2 servers direct the bots to perform targeted reconnaissance and system profiling, rather than indiscriminate scanning. Scan results are sent to central servers for ongoing intelligence gathering, furthering the objectives of Chinese threat actors.
Attack chains exploit newly disclosed vulnerabilities in edge devices, such as CVE-2026-35616, to deliver a shell script dropper. This dropper checks if the malware is already active and, if not, proceeds to download the primary payload based on the detected processor architecture (e.g., mips, mips64, mipsel, or mipsel64). Once the malware is launched, it is deleted from disk to minimize detection.
The malware facilitating scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, conduct high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (including TLS certificates and metadata), and report the results back to the dispatch server. The goal is to conduct infrastructure reconnaissance rather than exploitation.
A notable feature of the malware is its ability to adapt its scanning methodology based on its privileges on the local system. If it can open a raw socket, indicating root privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. If raw sockets are unavailable or if the task is a web scan, the scanning engine resorts to using standard TCP and TLS connections or employs protocols like UDP and ICMP.
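The evasion described earlier (spreading probes across many bot IPs so no single source crosses a per-IP threshold) and the half-open SYN probing described in this paragraph suggest detecting by target rather than by source. The following Python is an added detection sketch, not code from the original report; the flow-log format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (illustrative, not from the original report):
# "timestamp src_ip dst_ip dst_port flags". Nine distinct sources each send a
# single SYN to the same host, so no individual source looks like a scanner.
SAMPLE_LOG = """\
2024-01-10T10:00:01 198.51.100.11 203.0.113.5 22 S
2024-01-10T10:00:02 198.51.100.12 203.0.113.5 443 S
2024-01-10T10:00:03 198.51.100.13 203.0.113.5 8443 S
2024-01-10T10:00:04 198.51.100.14 203.0.113.5 80 S
2024-01-10T10:00:05 198.51.100.15 203.0.113.5 8080 S
2024-01-10T10:00:06 198.51.100.16 203.0.113.5 2222 S
2024-01-10T10:00:07 198.51.100.17 203.0.113.5 9443 S
2024-01-10T10:00:08 198.51.100.18 203.0.113.5 10443 S
2024-01-10T10:00:09 198.51.100.19 203.0.113.5 4443 S
2024-01-10T10:05:00 192.0.2.7 203.0.113.5 443 S
2024-01-10T10:05:01 192.0.2.7 203.0.113.5 443 A
"""

def parse(log):
    """Yield (epoch_seconds, src, dst, port, flags) for each log line."""
    for line in log.splitlines():
        ts, src, dst, port, flags = line.split()
        yield datetime.fromisoformat(ts).timestamp(), src, dst, int(port), flags

def per_source_alerts(records, min_ports=5):
    """Classic per-IP detector: flag a source only if it probes many ports.
    A distributed scan where each bot sends one probe never trips this."""
    touched = defaultdict(set)
    for _, src, dst, port, _ in records:
        touched[src].add((dst, port))
    return {src for src, p in touched.items() if len(p) >= min_ports}

def target_centric_alerts(records, window_s=60, min_sources=8):
    """Aggregate by target: flag a host when many distinct sources send bare
    SYNs to it inside one time bucket, however few probes each source sends."""
    sources = defaultdict(set)
    for ts, src, dst, port, flags in records:
        if flags == "S":  # half-open probes only; completed handshakes ignored
            sources[(dst, int(ts // window_s))].add(src)
    return {dst for (dst, _), s in sources.items() if len(s) >= min_sources}

def analyze(log=SAMPLE_LOG):
    records = list(parse(log))
    return per_source_alerts(records), target_centric_alerts(records)

if __name__ == "__main__":
    print(analyze())  # per-source finds nothing; target-centric flags the host
```

The same sample log produces no per-source alert but a target-centric alert, which is the gap that distributing a scan across a large botnet is meant to exploit.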
This activity likely informs asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems. JDY demonstrates how IoT and SOHO botnets, along with covert networks of compromised devices, are being used for rapid vulnerability exploitation. Its growth and continued operation illustrate how modern reconnaissance networks persist despite takedowns and adapt as a durable capability within a broader adversary ecosystem.
JDY’s evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disrupting individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.
The rapid expansion and adaptability of the JDY botnet underscore the evolving nature of cyber threats. Organizations must remain vigilant, ensuring that SOHO and IoT devices are regularly updated and secured to prevent exploitation. The use of such botnets for reconnaissance highlights the need for comprehensive network monitoring and proactive defense strategies to detect and mitigate potential threats before they escalate into full-scale attacks.