Lumen's Black Lotus Labs is tracking a resurgence of JDY, a covert scanning network tied to Chinese state-sponsored actors that has more than doubled in size and now fingerprints exposed services within hours of a vulnerability disclosure. Here is how it works and what defenders can do about edge-device botnets that survive takedowns.

A botnet that most defenders assumed was dead is back, bigger, and more focused than before. Researchers at Lumen's Black Lotus Labs have published a report describing what they call a "resurgence and expansion" of JDY, a covert network of compromised routers and IoT gear linked to China-nexus threat actors. The cluster now spans more than 1,500 small office, home office, and IoT devices, and it exists for one purpose: to find, fingerprint, and continuously map exposed services across the internet at scale.
That is a meaningful jump. JDY counted roughly 650 bots at the start of January 2024. The fact that it survived a U.S. government takedown of its parent botnet and then grew tells you something uncomfortable about how this class of threat actually behaves.
From a KV-botnet sidecar to a standalone scanner
JDY did not start as its own thing. It was first flagged in mid-December 2023 as a cluster inside the KV-botnet, the network of hacked SOHO routers, firewalls, and IoT devices that Chinese groups including Volt Typhoon leaned on for stealthy operations. When the U.S. disrupted KV-botnet in early 2024, the operators did what capable operators do. They adapted. The second KV cluster largely went quiet, and JDY kept going.
Black Lotus Labs assesses that the operators offer the network to multiple Chinese hacking outfits while also running reconnaissance for themselves. "JDY's evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability," the company wrote. "The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure."
That last phrase is the part worth sitting with. This is not opportunistic spray-and-pray scanning. It is a reconnaissance pipeline tuned to react to public disclosures.
Why compromised home routers make such good infrastructure
The strategic value of JDY comes from where the bots live. Most of the infected nodes sit in the U.S. and Brazil, followed by Europe and Asia, and that geographic spread is the whole point.
"The botnet's large number of U.S.-based SOHO/IoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists," Black Lotus Labs explained. "By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked. Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic."
Think about what your detection logic does when it sees probes arriving from a residential Comcast IP in Ohio versus a cloud range in a hostile jurisdiction. The residential address looks like a customer. That is exactly the camouflage these operators are buying.
The device mix has also broadened. Earlier, the cluster consisted mostly of Cisco RV320 and RV325 routers. Today it includes hardware from Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys. If you run any of these at a branch office, a home lab, or in a small business deployment, you are in the target population for both infection and the scanning that follows.
How the malware operates
The architecture is layered and deliberately hard to trace. Operators manage their infrastructure, including command-and-control and payload servers, through Tor nodes. The C2 servers do not tell bots to scan the whole internet. They hand out targeted reconnaissance and system-profiling tasks, and the results flow back to central servers for ongoing intelligence collection.
Infection follows a familiar edge-device pattern. The actors weaponize newly disclosed vulnerabilities in edge gear (CVE-2026-35616 is one cited example) to drop a shell script. That dropper checks whether the malware is already running, and if not, it pulls down the main payload matched to the device's processor architecture, covering MIPS variants like mips, mips64, mipsel, and mipsel64. Once the payload launches, it deletes itself from disk to reduce forensic traces.
From there the malware fingerprints its host, receives scanning tasks, and runs high-volume probing across TCP, SSL, UDP, and ICMP. It captures responses like TLS certificates and service metadata, then reports back to a dispatch server. The objective is reconnaissance, not exploitation on the box itself.
One detail stands out for defenders. The malware adapts its scanning technique to its privilege level. If it can open a raw socket, which signals root access, it fires off high-speed SYN scanning with custom-crafted TCP packets. If raw sockets are not available, or the assignment is a web scan, it falls back to standard TCP and TLS connections or uses UDP and ICMP. This is engineering built for coverage and speed rather than a single clever trick.

The broader pattern: recon as a durable capability
JDY fits a trend that has defined the past two years of edge-device security. Reconnaissance is being industrialized. Black Lotus Labs frames the scan output as feeding "asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems." In plain terms, JDY is the sensor layer of a much larger machine that turns a fresh CVE into a list of exploitable hosts faster than most organizations can patch.
We have seen the supporting cast of this story all week. Autonomous tooling is now finding RCE flaws in Redis and zero-days in projects like FFmpeg, which means the supply of fresh, weaponizable bugs keeps climbing. A botnet purpose-built to map who is exposed to those bugs, within hours, closes the loop between disclosure and attack. The takedown-and-resurgence cycle JDY went through shows that knocking out infrastructure buys time, not a permanent win.
Practical takeaways
The uncomfortable truth is that you cannot block your way out of a botnet that hides inside residential and small-business IP space. IP reputation and geofencing will not catch traffic that looks like your neighbor's router. So the defensive work shifts toward the devices themselves and toward behavioral detection.
For anyone running the affected hardware classes, a few concrete steps matter:
- Patch edge devices on the same urgency timeline as your servers. JDY infects through recently disclosed vulnerabilities in routers, firewalls, and cameras. The window between disclosure and scanning is now measured in hours, so a 30-day patch cycle for network gear is effectively an open door.
- Reboot and audit SOHO devices, and replace end-of-life models. Much of this malware lives in memory and deletes itself from disk. A reboot can clear an active infection, though it will not stop reinfection if the underlying flaw remains. Devices past their support window will never get the fix and should be retired.
- Disable unnecessary remote management and WAN-facing admin interfaces. The exposed services JDY fingerprints are the same ones that should not be reachable from the internet in the first place.
- Watch for the behavior, not just the source IP. High-volume SYN scanning, unusual TLS certificate harvesting, and outbound connections to Tor infrastructure from an edge device are stronger signals than where a packet claims to originate.
- Segment IoT and SOHO gear away from anything sensitive. If a camera or branch router is compromised, network segmentation limits what the reconnaissance can reach internally.
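One way to act on the "watch the behavior, not the source IP" advice above, and on the SYN-scan behaviour described under "How the malware operates": an added Python example, not code from the Black Lotus Labs report, that flags a source purely by its scanning pattern over constructed, simplified Zeek-style conn.log lines. The log layout, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample in a simplified Zeek conn.log layout (not real JDY data):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
# 192.0.2.44 plays a compromised residential router sweeping port 443 on a /24;
# 203.0.113.7 is a normal client with a few completed (SF) sessions.
NORMAL_LINES = [
    f"1700000000.{i} 203.0.113.7 {51000 + i} 198.51.100.1 443 tcp SF" for i in range(5)
]
SCAN_LINES = [
    f"1700000010.{i:02d} 192.0.2.44 {40000 + i} 198.51.100.{10 + i} 443 tcp S0"
    for i in range(40)
]
# One host answered the scanner, so not every probe is half-open.
SCAN_LINES += ["1700000010.50 192.0.2.44 40050 198.51.100.60 443 tcp SF"]
SAMPLE_CONN_LOG = NORMAL_LINES + SCAN_LINES


def parse_conn(line):
    """Split one whitespace-separated conn.log record into a dict."""
    ts, src, sport, dst, dport, proto, state = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "state": state}


def syn_scan_sources(lines, window=60.0, min_targets=20, min_halfopen=0.8):
    """Flag sources whose TCP connections inside any `window`-second span reach
    at least `min_targets` distinct (dst, dport) pairs while at least
    `min_halfopen` of them are half-open (S0) or rejected (REJ).  Source IP
    reputation and geography are deliberately not inputs: a residential address
    sweeping a network is treated like any other scanner."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_conn(line)
        if rec["proto"] == "tcp":
            by_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1          # slide the window forward in time
            span = recs[start:end + 1]
            targets = {(r["dst"], r["dport"]) for r in span}
            ratio = sum(r["state"] in ("S0", "REJ") for r in span) / len(span)
            if (len(targets) >= min_targets and ratio >= min_halfopen
                    and len(targets) > flagged.get(src, {}).get("targets", 0)):
                flagged[src] = {"targets": len(targets), "halfopen": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for src, info in syn_scan_sources(SAMPLE_CONN_LOG).items():
        print(f"possible SYN sweep from {src}: {info}")
```

Tune `window` and `min_targets` to your own baseline; a branch router that legitimately talks to dozens of hosts per minute will need a higher target threshold or a whitelist of expected destinations.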
The story of JDY is not really about one botnet. It is about how cheap, exposed, and rarely patched edge devices have become permanent infrastructure for state-aligned operators. The hardware in question is sitting in homes and small offices that have no security team, and that is precisely why it keeps working. Organizations that treat their routers and cameras as fire-and-forget appliances are volunteering to be part of the next reconnaissance network. Treating that gear as the attack surface it actually is remains the most reliable defense available.
