JDY Botnet

Cybersecurity researchers have identified a significant resurgence and expansion of JDY, a covert network linked to China-aligned state-sponsored threat actors. Originally detected in December 2023 as a cluster within the larger KV-botnet infrastructure, JDY has evolved into an independent, highly effective reconnaissance platform.

The network consists of more than 1,500 compromised Small Office/Home Office (SOHO) and Internet of Things (IoT) devices. Rather than being used primarily for direct attacks, JDY functions as a centrally managed, high-performance scanning system capable of discovering, fingerprinting, and continuously mapping internet-exposed services on a large scale.

Chinese threat groups, including Volt Typhoon, have previously leveraged the network to support intelligence gathering and target identification efforts.

Adaptation Following the KV-Botnet Takedown

After the U.S. government dismantled the KV-botnet in early 2024, JDY operators modified their operational behavior. While a secondary KV cluster largely disappeared, JDY continued to evolve and expand. Researchers believe the infrastructure may be shared with multiple Chinese hacking groups while also being used directly by its operators for reconnaissance activities.

Recent investigations reveal that the malware now targets a much broader range of devices and serves as a data collection layer within a larger scanning ecosystem. Structured reconnaissance information gathered by JDY is fed into systems that facilitate target selection and subsequent exploitation activities.

Particularly concerning is JDY's role in rapidly identifying vulnerable systems following public vulnerability disclosures. This behavior suggests the existence of a highly organized reconnaissance operation whose findings are later utilized by Chinese nation-state actors.

Rapid Growth and Global Expansion

The botnet has experienced substantial growth, increasing from approximately 650 infected devices in January 2024 to more than 1,500 compromised systems. Most infected nodes are located in the United States and Brazil, with additional concentrations across Europe and Asia. The growing number of Brazilian devices reflects a broader trend in which botnets increasingly rely on compromised systems in Brazil.

JDY's device ecosystem has also become considerably more diverse. While earlier versions primarily relied on Cisco RV320 and RV325 routers, the current network includes hardware from multiple vendors:

  • Cisco
  • Araknis
  • Mimosa Networks
  • Ubiquiti
  • DrayTek
  • Hikvision
  • Linksys

This diversity strengthens the network's resilience and broadens its operational reach.

Blending Into Legitimate Internet Traffic

A significant portion of JDY's infrastructure is composed of U.S.-based SOHO and IoT devices. This distribution enables operators to bypass many traditional security controls, including geofencing restrictions, IP reputation filtering, and static blocklists.

By spreading reconnaissance activity across thousands of compromised IP addresses, the operators reduce the likelihood that any single system will be identified and blocked as a scanning source. Furthermore, the use of legitimate consumer and small-business devices allows malicious traffic to blend more naturally with ordinary internet activity, making detection significantly more difficult.

Layered Infrastructure Designed for Stealth

JDY operates through a sophisticated, layered architecture. Threat actors use Tor nodes to manage both Command-and-Control (C2) infrastructure and payload delivery servers, helping conceal operational activity.

Rather than conducting indiscriminate internet-wide scans, the C2 servers assign targeted reconnaissance and profiling tasks to infected devices. The collected intelligence is transmitted back to centralized servers, where it is aggregated and analyzed to support broader Chinese cyber operations and strategic objectives.

Exploiting Newly Disclosed Vulnerabilities

Attack chains associated with JDY frequently weaponize newly published vulnerabilities in edge devices, such as CVE-2026-35616. Successful exploitation triggers the delivery of a shell-script dropper that first checks whether the malware is already present on the target system.

If no active infection is detected, the dropper retrieves the appropriate malware payload based on the victim's processor architecture, including variants for MIPS, MIPS64, MIPSEL, and MIPSEL64 systems. Once executed, the downloaded malware removes itself from disk to reduce forensic visibility.
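A payload that unlinks itself after launch, as described above, keeps running, and on Linux the kernel still exposes the original path through /proc/<pid>/exe with a " (deleted)" suffix. The following is an added example for responders (not code from the article or from any vendor report) that walks /proc and flags such processes. The sample link table, the process IDs and the payload path in it are constructed, not indicators from the page; the suffix check also catches memfd-backed executables, which appear as "/memfd:<name> (deleted)".

```python
"""Flag running processes whose executable has been removed from disk.

Added illustration for the self-deleting dropper behaviour described in the
article; not the article's or any vendor's code. Works on Linux /proc.
"""
import os
import shutil

DELETED_SUFFIX = " (deleted)"

# Constructed sample of pid -> readlink("/proc/<pid>/exe") results.
# PIDs and paths are invented for the demo; None models an unreadable link
# (kernel thread, zombie, or a process we lack privilege to inspect).
SAMPLE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    2: None,
    412: "/usr/sbin/dropbear",
    9731: "/tmp/.x/mipsel-payload (deleted)",   # constructed: unlinked after exec
    9802: "/memfd:loader (deleted)",            # constructed: memfd-backed binary
}


def classify_exe_links(exe_links):
    """Return sorted (pid, original_path) pairs for binaries no longer on disk.

    The kernel appends " (deleted)" to the exe symlink target once the inode
    has been unlinked, regardless of whether the file lived on disk or in a
    memfd.  Unreadable links (None) are skipped rather than treated as hits.
    """
    hits = []
    for pid, target in exe_links.items():
        if target is None:
            continue
        if target.endswith(DELETED_SUFFIX):
            hits.append((pid, target[: -len(DELETED_SUFFIX)]))
    return sorted(hits)


def read_proc_exe_links(proc_root="/proc"):
    """Collect pid -> exe link target for every numeric entry under proc_root."""
    links = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            links[int(name)] = None
    return links


def preserve_binary(pid, dest_path, proc_root="/proc"):
    """Copy the still-mapped executable out of /proc for offline analysis.

    Even though the file is gone from the filesystem, /proc/<pid>/exe still
    resolves to the live inode, so its bytes can be recovered (root needed).
    """
    shutil.copyfile(os.path.join(proc_root, str(pid), "exe"), dest_path)
    return dest_path


if __name__ == "__main__":
    links = read_proc_exe_links() if os.path.isdir("/proc") else SAMPLE_LINKS
    for pid, path in classify_exe_links(links):
        print(f"pid {pid}: running from unlinked executable {path}")
```

A hit is a lead, not a verdict: a package upgrade that replaces a binary while an old instance of it is still running produces the same " (deleted)" marker, so confirm by comparing the recovered bytes against the package's current file and by checking the process's parent, network sockets and start time.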

Advanced Reconnaissance and Adaptive Scanning Capabilities

The malware's primary purpose is intelligence gathering rather than direct exploitation. Once active, it fingerprints the compromised host, receives scanning assignments from the central command infrastructure, performs large-scale network probing, collects response data such as TLS certificates and service metadata, and reports findings back to dispatch servers.

Its scanning engine is highly adaptive and adjusts its behavior according to the privileges available on the infected device:

  • When root-level access is available, the malware opens raw sockets and performs high-speed SYN scanning using custom-crafted TCP packets.
  • When elevated privileges are unavailable, or when web-based reconnaissance is required, it relies on standard TCP and TLS connections and can also employ UDP and ICMP-based probing techniques.

This flexibility allows JDY to maximize reconnaissance effectiveness across a wide range of compromised systems.
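Two of the behaviours described above leave a combined footprint that defenders can pivot on: probes are spread across many compromised addresses so that per-IP reputation rules and blocklists never trip (the "blending in" section), and the privileged SYN-scan mode never completes a handshake, which connection logs record as attempts with no reply or a rejection. The following added example (not code from the article or from any vendor report) runs a conventional per-source rule and a target-centric distributed rule over constructed, simplified Zeek-style conn.log records; the log lines, addresses and thresholds are invented for the demonstration, while the conn_state vocabulary (S0, REJ, SF) is Zeek's.

```python
"""Spot distributed, half-open port reconnaissance in connection logs.

Added example for the article's discussion of distributed and SYN-based
scanning; not the article's or any vendor's code.  Input is a constructed,
simplified Zeek-style conn.log: ts src dst dport proto conn_state.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Zeek conn_state values meaning the originator never completed a handshake:
# S0 = SYN seen, no reply; REJ = SYN answered with RST.  A SYN scan leaves
# exactly this trace because the scanner never sends the final ACK.
INCOMPLETE_STATES = {"S0", "REJ"}

# Constructed sample: ten sources in 203.0.113.0/24 each probe ONE host in
# 198.51.100.0/24 on tcp/443 without completing a handshake; two ordinary
# clients in 192.0.2.0/24 complete normal sessions (SF).
SAMPLE_LOG = """\
2026-05-01T10:00:01 203.0.113.11 198.51.100.1 443 tcp S0
2026-05-01T10:00:14 203.0.113.12 198.51.100.2 443 tcp REJ
2026-05-01T10:00:29 203.0.113.13 198.51.100.3 443 tcp S0
2026-05-01T10:00:47 203.0.113.14 198.51.100.4 443 tcp S0
2026-05-01T10:01:03 192.0.2.7 198.51.100.5 443 tcp SF
2026-05-01T10:01:12 203.0.113.15 198.51.100.5 443 tcp REJ
2026-05-01T10:01:40 203.0.113.16 198.51.100.6 443 tcp S0
2026-05-01T10:02:05 192.0.2.8 198.51.100.6 80 tcp SF
2026-05-01T10:02:33 203.0.113.17 198.51.100.7 443 tcp S0
2026-05-01T10:02:58 203.0.113.18 198.51.100.8 443 tcp S0
2026-05-01T10:03:21 203.0.113.19 198.51.100.9 443 tcp REJ
2026-05-01T10:03:50 203.0.113.20 198.51.100.10 443 tcp S0
"""


def parse_conn_log(text):
    """Parse whitespace-separated records into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, state = parts
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "state": state})
    return records


def find_single_source_scanners(records, min_hosts=20, min_ratio=0.8):
    """Classic per-IP rule: one source, many hosts, mostly failed handshakes.

    Against a botnet that spreads probes over many addresses every source
    stays far below min_hosts, so this rule stays silent on SAMPLE_LOG.
    """
    per_src = defaultdict(lambda: {"total": 0, "incomplete": 0, "hosts": set()})
    for r in records:
        s = per_src[r["src"]]
        s["total"] += 1
        if r["state"] in INCOMPLETE_STATES:
            s["incomplete"] += 1
            s["hosts"].add(r["dst"])
    return sorted(src for src, s in per_src.items()
                  if len(s["hosts"]) >= min_hosts
                  and s["incomplete"] / s["total"] >= min_ratio)


def find_distributed_scans(records, window_s=600, min_sources=8,
                           min_hosts=5, min_ratio=0.8):
    """Pivot on the target: group by (dst_port, time bucket).

    Many distinct sources leaving incomplete handshakes against many distinct
    hosts on one port inside one window reveals the campaign even though each
    individual source looks harmless.  Buckets are relative to the earliest
    record so the result does not depend on the host's time zone.
    """
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    groups = defaultdict(list)
    for r in records:
        bucket = int((r["ts"] - t0).total_seconds() // window_s)
        groups[(r["dport"], bucket)].append(r)
    alerts = []
    for (dport, bucket), recs in sorted(groups.items()):
        incomplete = [r for r in recs if r["state"] in INCOMPLETE_STATES]
        sources = {r["src"] for r in incomplete}
        hosts = {r["dst"] for r in incomplete}
        ratio = len(incomplete) / len(recs)
        if len(sources) >= min_sources and len(hosts) >= min_hosts and ratio >= min_ratio:
            alerts.append({"dport": dport,
                           "window_start": t0 + timedelta(seconds=bucket * window_s),
                           "sources": sorted(sources),
                           "distinct_hosts": len(hosts),
                           "incomplete_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    print("per-source rule:", find_single_source_scanners(recs) or "nothing flagged")
    for a in find_distributed_scans(recs):
        print(f"distributed probe on tcp/{a['dport']}: {len(a['sources'])} sources, "
              f"{a['distinct_hosts']} hosts, {a['incomplete_ratio']:.0%} incomplete")
```

The per-source rule is the one that IP reputation feeds and static blocklists encode, and it is exactly what a source-diverse botnet is built to stay under; the target-centric rule only needs the probes to share a destination port and a time window, so the number of source addresses works against the scanner rather than for it. Tune window_s and min_sources to the size of the monitored address space, and treat the unprivileged TCP-connect mode separately, since those probes complete the handshake and show up as short SF sessions rather than S0/REJ.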

A Persistent Reconnaissance Capability for Chinese Threat Actors

Researchers believe the intelligence gathered through JDY supports asset discovery operations, vulnerability-targeting workflows, and downstream exploitation or attack orchestration platforms.

The botnet illustrates how modern IoT and SOHO device networks are increasingly being transformed into rapid-response reconnaissance platforms capable of identifying vulnerable infrastructure shortly after security flaws become public. Its continued growth demonstrates that disrupting individual clusters or nodes does not necessarily eliminate the underlying capability.

JDY's transformation from a supporting element of the KV-botnet into an independent, high-performance reconnaissance platform highlights the persistence and adaptability of modern cyber threat ecosystems. Even after takedown efforts, the infrastructure continues to evolve, providing adversaries with actionable targeting intelligence, often within hours of a new vulnerability disclosure.
