Cybersecurity researchers are warning of the “resurgence and expansion” of JDY, a covert network linked to China-nexus state-sponsored threat actors.
“JDY botnet contains more than 1,500 SOHO [small office and home office] and IoT devices and serves as a centrally controlled, high-performance scanner that is used to discover, fingerprint, and continuously map exposed services at scale,” Lumen’s Black Lotus Labs said in a report shared with The Hacker News.
JDY was first identified in mid-December 2023 as a cluster within another botnet codenamed KV-botnet, where it was primarily used for widespread scanning of Internet targets. Covert networks built from compromised SOHO routers, firewalls, and IoT devices have been put to use by Chinese hacking groups such as Volt Typhoon.
After the US government took down the KV-botnet in early 2024, the botnet operators began making behavioral changes to the network, and the second KV cluster went largely offline. It is suspected that the operators offer the botnets to various hacking organizations while performing the reconnaissance and targeting themselves.
The latest findings from Black Lotus Labs show that the malware has expanded its scope to infect a wider range of devices and act as a medium to feed “structured reconnaissance data” into a larger scanning ecosystem for follow-on target identification and exploitation.
Specifically, the JDY cluster is being used to perform targeted scanning and service fingerprinting aimed at flagging vulnerable infrastructure following public disclosures. This points to an industrialized reconnaissance effort, the results of which are exploited by Chinese nation-state groups.
The botnet has also grown in size, from 650 bots at the beginning of January 2024 to more than 1,500 compromised devices. Most of the hacked nodes are located in the US and Brazil, followed by Europe and Asia.
While the first cluster consisted primarily of Cisco RV320 and RV325 routers, the current makeup of the botnet is much more diverse, including devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.
“The botnet’s large number of US-based SOHO/IoT devices enables botnet operators to bypass security and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists,” Black Lotus Labs said.
“By distributing their scanning and reconnaissance activity across a wide range of IP addresses, operators reduce the likelihood that a single IP will be labeled as a scanner and blocked. Additionally, using compromised SOHO and IoT devices helps mix this activity with legitimate user traffic.”
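The evasion described in the two quotes above is a failure mode for per-source-IP thresholds: each bot generates only a handful of connections, so no single address trips a scanner rule. The following added example (not Lumen’s detection logic, and not taken from the report) shows the difference between a naive per-source counter and an aggregation keyed on the targeted service, run over a constructed connection log. The address ranges are RFC 5737 documentation networks, not indicators from the article.

```python
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed traffic for illustration, not from the report.

    Twelve 'bots' on TEST-NET-3 each touch TCP/443 on one host twice within
    roughly 80 seconds; one legitimate client on TEST-NET-1 makes 15 hits.
    Format per line: "<epoch> <src_ip> <dst_ip> <dport>".
    """
    lines = []
    for i in range(12):
        src = f"203.0.113.{10 + i}"
        for k in range(2):
            lines.append(f"{1700000000 + i * 7 + k} {src} 198.51.100.5 443")
    for k in range(15):
        lines.append(f"{1700000000 + k * 3} 192.0.2.77 198.51.100.5 443")
    return "\n".join(lines)


def parse(log_text):
    """Parse the constructed log into (ts, src, dst, dport) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        events.append((int(ts), src, dst, int(dport)))
    return events


def per_source_alerts(events, threshold=20):
    """Naive scanner rule: flag any source that exceeds `threshold` connections.

    A distributed scanner with low per-bot volume never reaches this bar.
    """
    counts = Counter(src for _, src, _, _ in events)
    return {src for src, n in counts.items() if n >= threshold}


def distributed_scan_alerts(events, window=300, min_sources=10, max_per_source=3):
    """Aggregate by (destination, port, time window) instead of by source.

    Flag a service when at least `min_sources` distinct low-volume sources
    (each at or below `max_per_source` hits) touch it inside one window. The
    legitimate client is excluded because its volume is well above the
    per-source ceiling, while the twelve bots are counted together.
    """
    buckets = defaultdict(Counter)
    for ts, src, dst, dport in events:
        buckets[(dst, dport, ts // window)][src] += 1
    alerts = []
    for (dst, dport, w), srcs in buckets.items():
        quiet = [s for s, n in srcs.items() if n <= max_per_source]
        if len(quiet) >= min_sources:
            alerts.append({
                "dst": dst,
                "dport": dport,
                "window_start": w * window,
                "sources": len(quiet),
            })
    return alerts


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("per-source alerts:", per_source_alerts(evs))
    print("distributed-scan alerts:", distributed_scan_alerts(evs))
```

The per-source rule returns nothing on this input, while the service-keyed aggregation raises one alert for 198.51.100.5:443 backed by twelve sources. In a real deployment the window, source count and per-source ceiling need tuning against the site’s baseline, and the source list should be enriched (ASN, residential/SOHO classification) before it is used for blocking, since the whole point of the technique is that the addresses look like ordinary users.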
The architecture powering the botnet is best described as layered: operators use Tor nodes to manage the infected infrastructure, including both command-and-control (C2) and payload servers. As opposed to indiscriminate scanning, C2 servers instruct bots to perform targeted reconnaissance and system profiling. The results of the scans are sent to a central server for ongoing intelligence gathering in an effort to further the objectives of Chinese threat actors.
The attack chain weaponizes newly disclosed vulnerabilities in edge devices (for example, CVE-2026-35616) to deliver a shell script dropper that checks whether the malware is already active and, if not, downloads a primary payload matching the detected processor architecture (for example, MIPS, MIPS64, MIPSEL, or MIPSEL64). Once the payload is launched, it is deleted from disk.
The malware, which facilitates scanning and target reconnaissance, is designed to fingerprint the host, receive scanning tasks from a central C2 server, perform high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server. The goal is reconnaissance of the infrastructure rather than exploitation.
A notable functionality of the malware is its ability to customize its scanning method based on its privileges on the local system. If it can open a raw socket, which is indicative of root privileges, it begins high-speed SYN scanning using custom-crafted TCP packets. If raw sockets are unavailable or if the task is a web scan, the scanning engine uses standard TCP and TLS connections or employs protocols such as UDP and ICMP.
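To make the privilege-dependent behavior in the last two paragraphs concrete, here is an added illustration in Python, written for this article and not derived from the JDY binary: the decision between SYN and connect scanning hinges on whether a raw socket can be opened, and the connect path is the one that can also harvest a banner or a TLS certificate through a full handshake. The SYN path is only selected here, not implemented, since it requires crafting raw packets as root; `demo_local_probe` stands up a throwaway listener on loopback so the connect path runs offline. All names are this example’s own.

```python
import socket
import ssl
import threading


def can_open_raw_socket():
    """Return True if the process may create a raw TCP socket (root or CAP_NET_RAW)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except (PermissionError, OSError):
        return False
    s.close()
    return True


def choose_scan_mode(task_type, raw_available=None):
    """Pick 'syn' only for non-web tasks when raw sockets work; otherwise 'connect'."""
    if raw_available is None:
        raw_available = can_open_raw_socket()
    if task_type == "web":
        return "connect"
    return "syn" if raw_available else "connect"


def connect_probe(host, port, timeout=1.0, tls=False):
    """Unprivileged full-handshake probe; captures a banner or the peer's DER cert."""
    result = {"host": host, "port": port, "state": "closed", "banner": None, "cert": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"
            if tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False          # fingerprinting, not trust
                ctx.verify_mode = ssl.CERT_NONE
                with ctx.wrap_socket(s, server_hostname=host) as ts:
                    result["cert"] = ts.getpeercert(binary_form=True)
            else:
                s.settimeout(timeout)
                try:
                    result["banner"] = s.recv(256)
                except socket.timeout:
                    result["banner"] = b""
    except (ConnectionRefusedError, socket.timeout, OSError):
        pass
    return result


def demo_local_probe(banner=b"SSH-2.0-constructed-banner\r\n"):
    """Probe a constructed loopback listener and a port known to be closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    open_result = connect_probe("127.0.0.1", port)
    t.join(2)
    srv.close()

    # Bind and release an ephemeral port so the next probe is refused.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    closed_result = connect_probe("127.0.0.1", closed_port)
    return open_result, closed_result


if __name__ == "__main__":
    print("raw socket available:", can_open_raw_socket())
    print("mode for port task:", choose_scan_mode("port"))
    print("mode for web task:", choose_scan_mode("web"))
    print(demo_local_probe())
```

The defensive reading of this split: a bot running as an unprivileged user leaves full three-way handshakes and, for TLS, ClientHello records in flow and proxy logs, whereas a root-level bot sending raw SYNs produces half-open connections that only show up as SYN-without-ACK on the target side. Both are worth baselining separately.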
The cybersecurity company said this activity likely informs asset discovery, vulnerability-targeting pipelines, and downstream exploit or attack-orchestration systems.
“JDY demonstrates how IoT/SOHO botnets and covert networks of compromised devices are increasingly being used for vulnerability exploitation,” the company said. “JDY’s growth and continued operations demonstrate how modern reconnaissance networks persist despite takedowns and adapt as a sustainable capability within a broader adversary ecosystem.”
“The evolution of JDY from an auxiliary component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts and continues to provide timely targeting data to adversaries, often within hours of vulnerability disclosure.”