Black Lotus Labs says the JDY reconnaissance botnet has more than doubled in size and is now feeding fresh scan data to China-nexus APTs hours after new vulnerabilities go public. The fix is unglamorous but effective: patch your edge devices and stop exposing admin interfaces.
A botnet doesn't have to be big to be dangerous. JDY, a malware network tied to Chinese threat actors including the well-documented Volt Typhoon group, has grown from roughly 650 active bots in January 2024 to more than 1,500 compromised SOHO and IoT devices today. Those numbers look modest next to the million-node swarms used for DDoS attacks, and that's exactly the point. JDY isn't built to flood targets with traffic. It's built to find them.
Researchers at Black Lotus Labs, the threat intelligence arm of Lumen, have been tracking the network and report that its focus sits squarely on the United States, with U.S. military and associated entities standing out as the most prominent targets. The compromised devices are scattered across the country, quietly mapping infrastructure and reporting back what they find.

What JDY actually does
Think of JDY less as a weapon and more as a scout. The malware conducts service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and vulnerability-focused reconnaissance. The output of all that scanning is a detailed picture of which systems are exposed, what software they run, and where the soft spots are.
That picture gets handed off fast. According to the Black Lotus Labs report, the timing is what makes JDY effective. "Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors," the researchers wrote. "This targeted focus has been observed across a range of sectors, with the U.S. military and associated entities as the most prominent."
In practice, that means when a vendor announces a new flaw, JDY is already scanning for it. Lumen analysts watched the botnet begin probing for CVE-2026-35616, a FortiClient EMS vulnerability, shortly after Fortinet publicly disclosed it. The window between disclosure and exploitation is one of the most dangerous moments in any organization's security calendar, and JDY exists to shrink it from the attacker's side.

The devices getting recruited
The bots themselves are the kind of hardware most organizations forget about until something breaks. Compromised devices come from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, running on MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. These are routers, firewalls, and cameras sitting at the edge of networks, often unpatched and rarely monitored.
This pattern is familiar. CISA has previously warned about the risk Volt Typhoon poses to unprotected SOHO routers, going as far as urging network device vendors to eliminate vulnerabilities in router web management interfaces during the design and development phases rather than patching them later. The agency's secure-by-design guidance reflects a recognition that edge devices have become a reliable foothold for state-aligned operators precisely because they're treated as set-and-forget appliances.

A look under the hood
The technical design of JDY rewards a closer look. The operators run the botnet through hidden Tor services, which double as command-and-control infrastructure, keeping the network's backbone out of easy reach. In some cases the operators also lean on Platypus, an open-source reverse-shell and host-management framework, for additional control.
Each infected device registers with a central "Dispatch Service" and waits for scanning assignments. When a job arrives, the bot executes it, compresses the results, and ships them back to the C2, then loops and waits for the next assignment. It keeps repeating this cycle until the operator explicitly tells it to stop. The scanning module is versatile, supporting TCP scanning, SSL/TLS scanning, UDP scanning, ICMP probing, banner collection, TLS certificate harvesting, and service fingerprinting driven by downloadable rule sets. That last feature matters: the operators can push new fingerprinting rules without updating the malware itself, which is how the network pivots so quickly to chase fresh CVEs.
The TCP scanning function is where the engineering gets clever. Black Lotus Labs flagged it as one of the most technically interesting parts of the malware because of how it adapts to its privilege level. When JDY can open a raw socket, which usually requires root or administrative rights, it switches into a much faster and stealthier scanning mode. "If the malware can open a raw socket, which generally requires root or administrative privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets," the report explains. "These custom packets use a fixed source port of 19000, increment the destination ports one at a time, and batch-process thousands of scan targets."
Raw SYN scanning lets the malware send connection requests without completing the full TCP handshake, so it covers ground quickly and leaves a lighter footprint than a standard connect scan. The fixed source port of 19000 is an interesting tell, though, and a useful one for defenders writing detection rules.

What defenders should do
The practical advice here is unglamorous, which is usually a sign it works. Because JDY recruits edge hardware through known vulnerabilities, the single most effective countermeasure is keeping routers, firewalls, and IoT devices on current firmware. Patching closes the door the botnet walks through.
Beyond patching, shrink the attack surface that JDY scans for in the first place. Disable internet-exposed administrative interfaces that don't need to be public, restrict remote management to known addresses or a VPN, and replace default credentials on every device, including the cameras and access points that tend to escape inventory. Network teams should also watch for unusual outbound scanning activity originating from their own edge devices, since a router that suddenly starts probing the internet is a strong indicator it has been conscripted.
The broader takeaway is about timing. JDY demonstrates that reconnaissance has become an industrialized, always-on process for state-aligned actors, and the gap between a public CVE and active scanning is now measured in hours. Treating edge devices as critical infrastructure rather than disposable appliances is the only way to stay ahead of a network designed to find you the moment you fall behind.
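As an added illustration of two points above (the report's fixed source port 19000 with destination ports incremented one at a time, and the advice to watch for edge devices that start scanning outward), here is a small Python detector run over a constructed, simplified flow log. It is example code written for this article, not tooling from Black Lotus Labs; the log format, thresholds and sample addresses are assumptions.

```python
"""Flag JDY-style SYN sweeps in outbound flow records: a fixed source port
(19000 per Black Lotus Labs) and destination ports incrementing one at a time.
Added example; the flow-log format here is constructed and simplified."""
from collections import defaultdict

JDY_SRC_PORT = 19000   # fixed source port reported by Black Lotus Labs
MIN_TARGETS = 20       # constructed threshold: distinct dst ports before alerting

def parse_flow(line):
    """Parse 'ts src_ip src_port dst_ip dst_port proto flags' into a dict."""
    ts, src, sport, dst, dport, proto, flags = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "flags": flags}

def longest_sequential_run(ports):
    """Length of the longest run where each dst port is the previous one plus 1."""
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_syn_sweeps(lines, src_port=JDY_SRC_PORT, min_targets=MIN_TARGETS):
    """Return {src_ip: stats} for hosts whose outbound SYNs match the pattern."""
    by_src = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        # keep only half-open probes (SYN, no ACK) sent from the fixed source port
        if f["proto"] == "tcp" and f["flags"] == "S" and f["sport"] == src_port:
            by_src[f["src"]].append(f["dport"])
    hits = {}
    for src, ports in by_src.items():
        distinct = len(set(ports))
        if distinct >= min_targets:
            hits[src] = {"probes": len(ports), "distinct_dst_ports": distinct,
                         "longest_sequential_run": longest_sequential_run(ports)}
    return hits

# Constructed sample: edge router 10.0.0.1 sweeps ports 1-40 of one target from
# source port 19000; workstation 10.0.0.5 makes ordinary connections.
SAMPLE_LOG = [f"1700000{i:03d} 10.0.0.1 19000 192.0.2.10 {p} tcp S"
              for i, p in enumerate(range(1, 41))] + [
    "1700000100 10.0.0.5 51234 198.51.100.7 443 tcp S",
    "1700000101 10.0.0.5 51235 198.51.100.8 443 tcp S",
    "1700000102 10.0.0.5 19000 198.51.100.9 22 tcp S",  # one-off, below threshold
]

if __name__ == "__main__":
    for src, stats in find_syn_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {stats}")
```

The fixed port is a brittle indicator on its own, since operators can change it in a later build; the sequential-port run from a device that should never scan outward is the more durable signal, so tune MIN_TARGETS to the site's baseline.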