China-Linked JDY Botnet Expands, Targeting U.S. Critical Infrastructure
A resurgent botnet tied to China-backed threat actors has grown into one of the most sophisticated reconnaissance tools in operation. Dubbed JDY, the network now controls over 1,500 compromised small office/home office (SOHO) routers and IoT devices across the U.S., Europe, and Asia, doubling in size since January 2024.
Originally part of the KV-botnet operation linked to Volt Typhoon JDY was first detected in late 2023 as a covert scanning network used to gather intelligence on U.S. critical infrastructure. After U.S. authorities dismantled its companion KV cluster, JDY quietly rebuilt, expanding its reach and capabilities.
Researchers at Lumen’s Black Lotus Labs found that the botnet now targets devices from manufacturers including Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks. Its operators act with remarkable speed shifting scans to exploit newly disclosed vulnerabilities within hours of public disclosure. A recent example involved CVE-2026-35616, a Fortinet flaw, which JDY began probing almost immediately.
The botnet’s primary focus is U.S.-based networks, particularly those tied to military entities. By leveraging ordinary home and small business routers, JDY blends malicious traffic with legitimate activity, evading detection. Infected devices receive scanning tasks via Tor-hidden command-and-control (C2) servers, making attribution difficult. Scans span TCP, UDP, SSL, and ICMP protocols, with results compressed, encrypted, and sent back to a central server.
JDY’s malware, designed for MIPS and MIPSEL architectures, uses a lightweight bash dropper to infect devices, download payloads, and erase traces. Some devices are managed via Platypus, an open-source remote shell tool, with a known payload server at 149.248.3[.]38 (port 13339). The botnet’s distributed nature spreading scans across thousands of IPs helps it bypass traditional defenses like blocklists and geofencing.
Despite disruption efforts, JDY has proven resilient, adapting and expanding even after partial takedowns. Its rapid response to new vulnerabilities underscores the persistent threat posed by China-linked cyber espionage operations.
Source: https://cybersecuritynews.com/china-linked-jdy-botnet-uses-1500-soho-and-iot-devices/
Domo-Sapiens cybersecurity rating report: https://www.rankiteo.com/company/domo-sapiens
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
Linksys cybersecurity rating report: https://www.rankiteo.com/company/linksys
DrayTek Corp.--Unified Management & Firewall, VPN, Security cybersecurity rating report: https://www.rankiteo.com/company/draytek-corp---firewall-vpn-security
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
Mimosa cybersecurity rating report: https://www.rankiteo.com/company/mimosanetworks
Hikvision cybersecurity rating report: https://www.rankiteo.com/company/hikvision
Ubiquiti Inc cybersecurity rating report: https://www.rankiteo.com/company/ubiquiti-inc
"id": "DOMCISLINDRAFORMIMHIKUBI1781173672",
"linkid": "domo-sapiens, cisco, linksys, draytek-corp---firewall-vpn-security, fortinet, mimosanetworks, hikvision, ubiquiti-inc",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Defense, Critical Infrastructure',
'location': 'United States',
'name': 'U.S. critical infrastructure (military '
'entities)',
'type': 'Government/Military'},
{'industry': 'Technology, Telecommunications',
'location': ['United States', 'Europe', 'Asia'],
'name': 'SOHO router and IoT device owners',
'type': 'Businesses, Individuals'}],
'attack_vector': 'Exploitation of vulnerabilities in SOHO routers and IoT '
'devices, Tor-hidden command-and-control servers',
'data_breach': {'data_encryption': 'Yes (payloads encrypted)',
'data_exfiltration': 'Yes (compressed and encrypted data sent '
'to C2 servers)',
'sensitivity_of_data': 'High (military and critical '
'infrastructure-related)',
'type_of_data_compromised': 'Network intelligence, '
'reconnaissance data'},
'date_detected': '2023-11',
'description': 'A resurgent botnet tied to China-backed threat actors, dubbed '
'JDY, has grown into one of the most sophisticated '
'reconnaissance tools in operation. The network now controls '
'over 1,500 compromised small office/home office (SOHO) '
'routers and IoT devices across the U.S., Europe, and Asia, '
'doubling in size since January 2024. Originally part of the '
'KV-botnet operation linked to Volt Typhoon, JDY was first '
'detected in late 2023 as a covert scanning network used to '
'gather intelligence on U.S. critical infrastructure. After '
'U.S. authorities dismantled its companion KV cluster, JDY '
'quietly rebuilt, expanding its reach and capabilities. The '
'botnet targets devices from manufacturers including Cisco, '
'Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa '
'Networks, and exploits newly disclosed vulnerabilities within '
'hours of public disclosure. Its primary focus is U.S.-based '
'networks, particularly those tied to military entities, '
'blending malicious traffic with legitimate activity to evade '
'detection.',
'impact': {'data_compromised': 'Reconnaissance data, network intelligence',
'operational_impact': 'Potential disruption of critical '
'infrastructure networks',
'systems_affected': '1,500+ SOHO routers and IoT devices'},
'initial_access_broker': {'backdoors_established': 'Yes (Platypus remote '
'shell tool, Tor-hidden C2 '
'servers)',
'entry_point': 'Exploitation of vulnerabilities in '
'SOHO routers and IoT devices',
'high_value_targets': 'U.S. military and critical '
'infrastructure networks'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The resilience of botnets like JDY highlights the need '
'for rapid patching of vulnerabilities, enhanced '
'monitoring of SOHO devices, and improved attribution '
'techniques for Tor-hidden C2 servers.',
'motivation': 'Cyber espionage, intelligence gathering on U.S. critical '
'infrastructure',
'post_incident_analysis': {'corrective_actions': ['Disruption efforts by U.S. '
'authorities and '
'cybersecurity firms',
'Partial takedowns of '
'botnet infrastructure'],
'root_causes': ['Unpatched vulnerabilities in SOHO '
'and IoT devices',
'Use of Tor-hidden C2 servers to '
'evade detection',
'Rapid exploitation of newly '
'disclosed vulnerabilities',
'Distributed scanning across '
'thousands of IPs to bypass '
'defenses']},
'recommendations': ['Immediate patching of newly disclosed vulnerabilities in '
'SOHO and IoT devices',
'Enhanced network monitoring to detect anomalous scanning '
'activity',
'Implementation of behavioral-based detection systems to '
'identify botnet traffic',
'Collaboration with cybersecurity firms to track and '
'disrupt botnet operations',
'Improved segmentation of critical infrastructure '
'networks from SOHO devices'],
'references': [{'source': 'Lumen’s Black Lotus Labs'}],
'response': {'third_party_assistance': 'Lumen’s Black Lotus Labs'},
'threat_actor': 'China-backed (Volt Typhoon-linked)',
'title': 'China-Linked JDY Botnet Expands, Targeting U.S. Critical '
'Infrastructure',
'type': 'Botnet, Cyber Espionage',
'vulnerability_exploited': ['CVE-2026-35616 (Fortinet flaw)',
'Newly disclosed vulnerabilities']}