Recent reports indicate a notable expansion of the JDY botnet, which is associated with state-sponsored threat actors from China. This covert network now encompasses more than 1,500 small office/home office (SOHO) and Internet of Things (IoT) devices, functioning as a high-performance scanner for cyber reconnaissance.
Background of JDY Botnet
The JDY botnet was initially identified as part of a larger entity known as the KV-botnet in December 2023. Following the U.S. government’s takedown of KV-botnet in early 2024, JDY adapted its operations. It is now suspected that the botnet serves not only its operators but also various hacking groups, facilitating reconnaissance and targeting efforts.
Current Operations and Capabilities
According to findings from Lumen’s Black Lotus Labs, the JDY botnet has evolved to conduct targeted scanning and service fingerprinting, particularly in response to publicly disclosed vulnerabilities. This indicates an organized effort to identify and exploit weak infrastructure. The botnet has grown from 650 devices at the beginning of January 2024 to over 1,500 devices, with a significant number located in the U.S. and Brazil, as well as in Europe and Asia.
Diverse Device Composition
Initially dominated by Cisco RV320 and RV325 routers, the JDY botnet now includes a wider variety of compromised devices, such as those from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. This diversity aids the botnet in evading traditional security measures, such as geofencing and IP reputation-based detection.
Technical Mechanisms and Vulnerabilities
The architecture of the JDY botnet is layered, utilizing Tor nodes for managing infected devices. The command-and-control (C2) servers direct the botnet’s reconnaissance activities, which include high-volume probing of TCP, SSL, UDP, and ICMP protocols. The malware exploits vulnerabilities in edge devices, notably CVE-2026-35616, to deploy a shell script that checks for existing malware before downloading its main payload.
The malware is designed to adapt its scanning techniques based on the privileges it has on the local system, enhancing its ability to conduct thorough reconnaissance. This adaptability allows it to efficiently gather intelligence on potential targets, underscoring the persistent threat posed by the JDY botnet.
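As an added illustration that is not from the original article or from Black Lotus Labs, the following Python sketch shows how a defender could surface the kind of high-volume, multi-protocol probing described above in flow logs: it counts distinct (host, port) targets and protocols per source and flags sources that look like scanners. The record layout, sample addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records: "src_ip proto dst_ip dst_port" per line.
# These are illustrative values, not data taken from the article.
SAMPLE_FLOWS = """\
198.51.100.7 tcp 192.0.2.10 22
198.51.100.7 tcp 192.0.2.10 443
198.51.100.7 tcp 192.0.2.11 443
198.51.100.7 udp 192.0.2.12 161
198.51.100.7 icmp 192.0.2.13 0
198.51.100.7 tcp 192.0.2.14 8443
198.51.100.7 tcp 192.0.2.15 2222
203.0.113.5 tcp 192.0.2.10 443
203.0.113.5 tcp 192.0.2.10 443
"""

@dataclass
class SourceStats:
    protocols: set = field(default_factory=set)  # e.g. {"tcp", "udp", "icmp"}
    targets: set = field(default_factory=set)    # distinct (dst_ip, dst_port) pairs
    flows: int = 0                               # raw flow count for the source

def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, proto, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        src, proto, dst, port = parts
        records.append((src, proto.lower(), dst, int(port)))
    return records

def find_scanners(records, min_targets=5, min_protocols=2):
    """Return sources touching many distinct (host, port) pairs across several protocols."""
    stats = defaultdict(SourceStats)
    for src, proto, dst, port in records:
        s = stats[src]
        s.protocols.add(proto)
        s.targets.add((dst, port))
        s.flows += 1
    return sorted(src for src, s in stats.items()
                  if len(s.targets) >= min_targets and len(s.protocols) >= min_protocols)

if __name__ == "__main__":
    print(find_scanners(parse_flows(SAMPLE_FLOWS)))  # ['198.51.100.7']
```

Thresholds should be tuned per network; repeated connections to a single service (the second source above) are deliberately not flagged.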
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.