
China-linked JDY botnet extends targeting of US military networks

The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has greatly expanded its targeting scope and retargeting efforts.

According to Lumen’s Black Lotus Labs researchers, who have been monitoring its activity, JDY maintains a strong focus on the United States, where most of its vulnerable equipment is located and where its targeting is most concentrated on military and related networks.

The security firm notes that JDY has grown from approximately 650 active bots in January 2024 to more than 1,500 vulnerable SOHO and IoT devices today.


Although the numbers seem low, JDY is not an exploitation framework or a DDoS botnet that needs massive numbers to amass firepower; it is a distributed scanning and fingerprinting network that helps its operators find targets vulnerable to newly disclosed flaws.

“Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after the public vulnerability is disclosed, suggesting that the result of the reconnaissance is quickly used by China-nexus advanced persistent threat (APT) actors,” reads the Black Lotus Labs report.

“This focus has been recognized across the board, with the US military and related organizations being the most prominent.”

The countries most affected by the JDY botnet
Source: Black Lotus Labs

CISA has previously warned that unsecured SOHO routers give Volt Typhoon operators a foothold, urging network device vendors to eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases.

The JDY botnet is designed to perform service discovery, service banner capture, TLS certificate collection, protocol fingerprinting, and error-oriented testing.

Among the affected devices are those from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, running on the MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures.

Threat actors are quick to target newly disclosed vulnerabilities: Lumen researchers observed JDY scans for CVE-2026-35616 shortly after Fortinet publicly disclosed that FortiClient EMS flaw.

JDY targets volume on a specific date
Source: Black Lotus Labs

Operators control the botnet through hidden Tor services, which act as a command and control (C2) infrastructure. The open-source reverse-shell and host-management framework Platypus is also used in some cases.

Overview of the JDY network
Source: Black Lotus Labs

The malware registers with a central “Dispatch Service” and receives scanning jobs; it executes them, compresses the results, and sends them back to the C2.

The scanning module supports the following:

  • TCP scanning
  • SSL/TLS scanning
  • UDP scanning
  • ICMP test
  • Banner collection
  • TLS certificate harvesting
  • Service fingerprinting using downloadable rule sets

The botnet client repeats the same cycle until the operator directly commands it to stop.

The TCP scan function is technically the most interesting, the researchers said: if JDY has sufficient privileges, it performs a very fast and stealthy SYN scan.

“If the malware can open a raw socket, which typically requires root or administrative privileges, it initiates a high-speed SYN scan using custom TCP packets,” the report explains.

“These custom packets use a fixed source port of 19000, increment the port one at a time, and process thousands of scan targets.”

The code snippet handles the raw SYN scan
Source: Black Lotus Labs

As JDY botnet activity grows, organizations should ensure that routers, firewalls, and IoT devices are running the latest security updates and patches so they are not recruited into reconnaissance networks like this one.

Defenders should also reduce their external attack surface by disabling unnecessary administrative interfaces exposed to the Internet, limiting remote administrative access, replacing default credentials, and monitoring for unusual outbound scanning activity from edge devices.
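The two traits the report attributes to the raw SYN scan, a fixed source port of 19000 and destination ports incremented one at a time, are exactly what the last recommendation above asks defenders to watch for on edge devices. The following detection logic is an added example and is not code from the Black Lotus Labs report or from the JDY malware; it assumes flow records (NetFlow/IPFIX style) already exported from the perimeter and reduced to a one-line text form, and the sample flows, addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and timestamps are all constructed. It goes slightly beyond the article by combining three signals (many distinct targets in a short window, a near-constant source port, and sequential destination ports), since any one of them alone produces false positives on busy networks.

```python
"""Flag edge devices whose outbound SYN-only flows look like a port scan.

Constructed example: flow lines are 'ts src_ip:src_port dst_ip:dst_port flags',
where flags are TCP flag letters ("S" = SYN only, "PA" = PSH/ACK, ...).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed values below)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    ts, src, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags)


def syn_scan_findings(flows, min_targets=20, window_s=60.0,
                      fixed_port_ratio=0.9, sequential_ratio=0.5):
    """Return {src_ip: details} for sources whose SYN-only flows look like a scan.

    A source is flagged only when all three hold:
      - at least `min_targets` distinct (dst_ip, dst_port) pairs within `window_s`
      - at least `fixed_port_ratio` of its probes share one source port
        (normal TCP stacks pick a fresh ephemeral port per connection)
      - at least `sequential_ratio` of consecutive probes step dst_port by +1
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.flags == "S":              # half-open probes: SYN with no data/ACK
            by_src[f.src_ip].append(f)

    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        targets = {(f.dst_ip, f.dst_port) for f in fl}
        if len(targets) < min_targets:
            continue
        span = fl[-1].ts - fl[0].ts
        if span > window_s:
            continue
        port, hits = Counter(f.src_port for f in fl).most_common(1)[0]
        port_share = hits / len(fl)
        deltas = [b.dst_port - a.dst_port for a, b in zip(fl, fl[1:])]
        seq_share = sum(1 for d in deltas if d == 1) / len(deltas)
        if port_share >= fixed_port_ratio and seq_share >= sequential_ratio:
            findings[src] = {
                "targets": len(targets),
                "span_s": round(span, 1),
                "src_port": port,
                "src_port_share": round(port_share, 2),
                "sequential_share": round(seq_share, 2),
            }
    return findings


# Constructed sample: one edge device sweeping ports 1-30 on two hosts from a
# fixed source port, plus a benign host opening two ordinary HTTPS sessions.
SAMPLE_FLOWS = (
    [f"{1700000000 + i * 0.05:.2f} 198.51.100.7:19000 203.0.113.10:{p} S"
     for i, p in enumerate(range(1, 31))]
    + [f"{1700000002 + i * 0.05:.2f} 198.51.100.7:19000 203.0.113.11:{p} S"
       for i, p in enumerate(range(1, 31))]
    + [
        "1700000000.10 198.51.100.20:51344 203.0.113.50:443 S",
        "1700000000.12 198.51.100.20:51344 203.0.113.50:443 PA",
        "1700000001.40 198.51.100.20:51345 203.0.113.51:443 S",
        "1700000001.42 198.51.100.20:51345 203.0.113.51:443 PA",
    ]
)


def run_sample():
    """Run the detector over the constructed flows; only 198.51.100.7 is flagged."""
    return syn_scan_findings(parse_flow_line(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, detail in run_sample().items():
        print(f"possible outbound SYN scan from {src}: {detail}")
```

The thresholds are deliberately conservative; tune `min_targets` and `window_s` to the normal connection rate of the device class being monitored, and feed the detector from the exported flows of the edge devices themselves rather than from the internal network, since the behaviour of interest is a router or IoT device scanning outward.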
