TL;DR
China-linked JDY botnet grew from 650 to 1,500+ hacked SOHO devices. It scans for new vulnerabilities within hours and feeds targeting data to state hackers.
A covert botnet linked to Chinese state-sponsored hackers has more than doubled in size and is now scanning for newly disclosed vulnerabilities within hours of publication. The JDY botnet comprises over 1,500 compromised small office and home office routers, firewalls, and IoT devices, according to new research from Lumen’s Black Lotus Labs. Most of the infected nodes are in the United States and Brazil.
JDY was first identified in December 2023 as a cluster within the KV-botnet, a network used by the Chinese hacking group Volt Typhoon. The FBI took down KV-botnet in early 2024. But JDY survived, adapted, and has since evolved into what Black Lotus Labs describes as an independent, high-performance reconnaissance capability.
The botnet does not attack targets directly. It scans, fingerprints, and maps exposed services at scale, then feeds the results to Chinese nation-state groups for follow-on exploitation. Black Lotus Labs calls it an “industrialised reconnaissance effort.” The data flows to central servers for ongoing intelligence gathering.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
The speed is notable. Attack chains weaponise newly disclosed vulnerabilities in edge devices to compromise routers and add them to the network. Once infected, bots carry out high-volume TCP, SSL, UDP, and ICMP probing. They capture TLS certificates and service metadata, then report back to dispatch servers. The goal is infrastructure mapping, not exploitation.
The botnet has grown from 650 devices in January 2024 to more than 1,500 today. Its device diversity has also expanded. Where it previously targeted Cisco RV320 and RV325 routers, it now compromises devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.
That diversity is deliberate. By distributing scanning across a wide range of IP addresses, the operators avoid having any single IP flagged and blocked. Using compromised SOHO and IoT devices helps the traffic blend in with legitimate user activity. US-based devices also allow the operators to evade geofencing and IP reputation controls.
The architecture is layered. Operators manage infected infrastructure through Tor nodes, including both command-and-control and payload servers. The malware adapts its scanning method based on its privileges on the compromised device. Root access triggers high-speed SYN scanning with custom packets. Without root, it falls back to standard TCP and TLS connections.
“Disruption of individual nodes or clusters does not eliminate the underlying capability,” Black Lotus Labs said. “The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.” Chinese state hacking campaigns have a long track record of targeting US infrastructure, and the JDY botnet shows the reconnaissance apparatus behind them is becoming more durable, not less.
For defenders, the message is clear. Patching edge devices quickly is no longer optional. Routers and IoT hardware that have reached end-of-life are prime targets. And traditional IP-based defences are ineffective when the scanning traffic comes from thousands of legitimate-looking residential IPs across the country.
Get the TNW newsletter
Get the most important tech news in your inbox each week.