China-Linked JDY Botnet Expands to 1,500+ SOHO and IoT Devices
A China-linked botnet called JDY has grown to more than 1,500 compromised small office, home office, and IoT devices, giving state-backed threat actors a fast way to scan for exposed and vulnerable systems.
The botnet is detailed in a new Black Lotus Labs report from Lumen. Researchers said JDY now works as a centrally controlled, high-performance reconnaissance network used to discover, fingerprint, and map internet-facing services at scale.
JDY is linked to China-nexus threat activity, including actors associated with Volt Typhoon. Its scanning has focused heavily on U.S. military and related networks, while the compromised devices themselves are spread across the United States, Europe, Asia, and other regions.
JDY Grew After the KV-Botnet Takedown
JDY was first documented as part of the wider KV-botnet ecosystem. In early 2024, the U.S. government disrupted the KV-botnet, which China-backed actors used to hide hacking activity through compromised SOHO routers.
The Justice Department said at the time that Volt Typhoon used privately owned SOHO routers infected with KV-botnet malware to conceal the origin of hacking against U.S. critical infrastructure and other targets.
Lumen's latest findings show that JDY continued operating after the KV cluster was disrupted. At its low point in January 2024, JDY had about 650 active bots. It has since expanded to more than 1,500 active compromised devices.
| Detail | What researchers found |
|---|---|
| Botnet name | JDY |
| Tracked by | Lumen Black Lotus Labs |
| Current size | More than 1,500 compromised devices |
| Device types | SOHO routers, IoT devices, edge appliances |
| Primary role | Scanning, fingerprinting, and reconnaissance |
| Threat link | China-nexus actors, including Volt Typhoon-linked activity |
| Main target focus | U.S. military and associated networks |
The Botnet Now Uses a Wider Device Base
Earlier JDY activity centered on Cisco RV320 and RV325 routers. The latest version has diversified across a broader range of compromised devices from vendors including Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
This wider device base makes JDY harder to block. Traffic from hacked routers, cameras, and other edge devices can look like ordinary residential or small business traffic.
The NCSC advisory on China-nexus covert networks warns that static malicious IP blocklists become less effective when attackers can rotate through large pools of compromised consumer and edge devices.
JDY Scans for Targets After New Vulnerabilities Appear
The most important finding is speed. Black Lotus Labs saw JDY scanning activity shift after public vulnerability disclosures, suggesting operators use the botnet to identify exposed systems before defenders finish patching.
One example involved Fortinet systems. Lumen observed increased scanning of Fortinet devices shortly after disclosure of CVE-2026-35616. Separately, watchTowr reported that CVE-2026-35616 was a FortiClient EMS vulnerability that had already seen exploitation before Fortinet published its advisory.
JDY does not need to exploit every target itself to remain dangerous. Its value comes from quickly finding exposed services, gathering banners and certificates, and feeding that intelligence into a broader targeting pipeline.
How JDY Communicates and Scans
JDY uses a layered command-and-control design. Lumen said operators manage infected infrastructure through concealed Tor services, which helps hide access to both command-and-control and payload servers.
The malware receives scanning tasks from a central dispatch service. It can perform TCP, UDP, SSL, and ICMP-assisted probing, then collect banners, TLS information, service fingerprints, URLs, redirects, and other metadata.
That scan data is compressed and sent back to the operators. The Lumen analysis says this distributed design allows targeted scans to run with high throughput while keeping the load on each infected device relatively low.
| JDY capability | Purpose |
|---|---|
| TCP scanning | Finds open services and reachable ports |
| SSL and TLS probing | Collects certificate and protocol details |
| UDP probing | Checks additional exposed network services |
| ICMP-assisted scanning | Identifies responsive targets before deeper probing |
| Banner grabbing | Identifies software, versions, and service types |
| Fingerprint rules | Maps specific technologies for later triage |
The Malware Targets Router-Style Linux Systems
Lumen found that JDY samples were Linux-based scanning agents built for MIPS, MIPS64, MIPSEL, and related architectures. These processors are common in routers, firewalls, and embedded network devices.
A lightweight bash dropper checks whether the malware is already running, identifies the device architecture, downloads the matching payload, runs it, and then removes the file from disk. Some victim devices were also managed through Platypus, an open-source reverse shell and host management tool.
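A dropper that runs the payload and then deletes it from disk leaves a tell-tale on Linux: the process keeps running, but its `/proc/<pid>/exe` link now resolves to a path ending in ` (deleted)`. The following check is an added example written for this article, not tooling from Lumen or the report; it walks a proc tree and reports such processes. The `build_fake_proc` helper exists only so the check can be exercised offline against a constructed tree instead of a live router.

```python
"""Flag Linux processes whose executable has been removed from disk.

Added example (not from the Lumen report). On a real device call
deleted_exe_processes() with the default /proc; build_fake_proc() creates a
constructed proc-like tree so the logic can be tested without a live host.
"""
import os
from pathlib import Path


def deleted_exe_processes(proc_root="/proc"):
    """Return sorted [(pid, exe_link_target)] for processes whose binary is gone.

    The kernel appends " (deleted)" to the exe link target once the file
    backing a running process has been unlinked, which is exactly what a
    run-then-delete dropper leaves behind.
    """
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # only numeric directories are processes
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel threads have no exe; other PIDs may be unreadable
        if target.endswith(" (deleted)"):
            findings.append((int(entry.name), target))
    return sorted(findings)


def build_fake_proc(root, procs):
    """Create a minimal proc-like tree (constructed test fixture).

    procs maps pid -> string to use as the exe symlink target; the target
    does not need to exist, since readlink never resolves it.
    """
    for pid, target in procs.items():
        pid_dir = Path(root) / str(pid)
        pid_dir.mkdir(parents=True, exist_ok=True)
        os.symlink(target, pid_dir / "exe")
    (Path(root) / "sys").mkdir(exist_ok=True)  # non-process entry that must be skipped


if __name__ == "__main__":
    for pid, target in deleted_exe_processes():
        print(f"pid {pid} is running from a deleted binary: {target}")
```

On a router with a minimal userland the same walk can be done with `ls -l /proc/[0-9]*/exe` and a grep for `(deleted)`; the Python form is shown because it is easy to test against a fixture. A hit is a strong lead, not proof: some legitimate software upgrades also leave deleted-exe processes until they restart, so correlate with the device's update history.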
Known technical indicators include a payload server at 149.248.3[.]38, a Platypus service on port 13339, a malware version string of 1.8.3.9, and C2 paths including /dispatch_service/v2/probe_status and /data/v2/pscan.
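The indicators above are the kind a defender would push into egress and proxy log matching. The script below is an added example, not code from Lumen or the article: it refangs the published payload-server address, then checks constructed proxy log lines for the payload server, the Platypus port, the two C2 paths, and the version string. The log format (`<ts> src=<ip> dst=<ip>:<port> [url=<path>] [ua="<agent>"]`) is an assumption of this example, and so is treating the version string as a substring of the line; the report gives the string but not where it appears, so that rule is low confidence on its own.

```python
"""Match egress/proxy log lines against the JDY indicators quoted in the text.

Added example, not Lumen's tooling. The log format and the sample lines are
constructed; the indicator values are the ones published in the report.
"""
import re
from dataclasses import dataclass

# Indicators as published. The IP is defanged with "[.]" and must be refanged
# before it can be compared with a log field.
JDY_IOCS = {
    "payload_server": "149.248.3[.]38",
    "platypus_port": 13339,
    "c2_paths": ("/dispatch_service/v2/probe_status", "/data/v2/pscan"),
    "version_string": "1.8.3.9",
}

# Assumed log layout for this example (constructed):
#   <ts> src=<ip> dst=<ip>:<port> [url=<path>] [ua="<agent>"]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<dport>\d+)'
    r'(?: url=(?P<url>\S+))?(?: ua="(?P<ua>[^"]*)")?'
)


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 149.248.3[.]38 into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def match_line(line_no: int, line: str, iocs=JDY_IOCS) -> list:
    """Return one Hit per indicator the line matches (a line may match several)."""
    m = LINE_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    hits = []
    dst, dport = m.group("dst"), int(m.group("dport"))
    url = m.group("url") or ""
    if dst == refang(iocs["payload_server"]):
        hits.append(Hit(line_no, "egress to published JDY payload server", line))
    if dport == iocs["platypus_port"]:
        hits.append(Hit(line_no, "connection on the Platypus management port", line))
    for path in iocs["c2_paths"]:
        if url.startswith(path):
            hits.append(Hit(line_no, f"request to JDY C2 path {path}", line))
    # Where the version string shows up is not stated in the report; matching it
    # anywhere in the line is this example's assumption and is weak on its own.
    if iocs["version_string"] in line:
        hits.append(Hit(line_no, "JDY version string 1.8.3.9 present (low confidence alone)", line))
    return hits


def scan_log(lines) -> list:
    return [h for i, l in enumerate(lines, 1) for h in match_line(i, l)]


# Constructed sample: lines 1 and 5 are benign, lines 2-4 should fire.
SAMPLE_LOG = [
    '2026-05-01T10:00:00Z src=10.0.0.10 dst=198.51.100.7:443 url=/index.html ua="Mozilla/5.0"',
    '2026-05-01T10:00:05Z src=10.0.0.10 dst=149.248.3.38:80 url=/dispatch_service/v2/probe_status ua="curl/8.0"',
    '2026-05-01T10:00:09Z src=10.0.0.11 dst=203.0.113.5:13339',
    '2026-05-01T10:00:12Z src=10.0.0.12 dst=198.51.100.9:443 url=/data/v2/pscan ua="agent/1.8.3.9"',
    '2026-05-01T10:00:15Z src=10.0.0.13 dst=198.51.100.7:22',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason}")
```

The path rules are the most durable of the four: the payload server can change and port 13339 is only meaningful together with other evidence, but a request to `/dispatch_service/v2/probe_status` or `/data/v2/pscan` from a router or camera that should never be talking to an unknown host is worth an immediate look.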
Why China-Nexus Covert Networks Are Hard to Defend Against
JDY fits a wider pattern of China-linked actors using compromised routers, firewalls, NAS systems, cameras, and other edge devices as covert infrastructure.
An NSA release in April 2026 warned that multiple China-nexus threat actors use external covert networks to conduct malicious cyber activity at scale. These networks help attackers disguise attribution by routing activity through legitimate-looking devices.

The same guidance noted that compromised infrastructure often includes SOHO routers, firewalls, network-attached storage devices, web cameras, video recorders, and other smart devices. That overlaps closely with the type of equipment JDY has added to its botnet.
Defenders Should Move Beyond Static IP Blocking
JDY shows why IP reputation alone is no longer enough. A single malicious scan may come from an ordinary router in a residential range, while the next scan may come from another hacked device in a different country.
The NCSC guidance recommends mapping edge devices, baselining normal connections, using dynamic threat feeds, enforcing multi-factor authentication for remote access, and adopting stronger controls for higher-risk organizations.
For large or high-risk environments, the joint advisory also supports active hunting for covert network activity and closer tracking of compromised SOHO and IoT infrastructure.
- Map all internet-facing edge devices, VPNs, firewalls, and remote access systems.
- Patch routers, firewalls, cameras, NAS systems, and IoT devices quickly.
- Replace end-of-life devices that no longer receive security updates.
- Use dynamic threat intelligence instead of relying only on static blocklists.
- Baseline normal inbound traffic to VPN and remote access services.
- Monitor for distributed low-volume scanning from residential IP ranges.
- Use zero trust controls and strong authentication for remote access.
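A classic port-scan rule counts how many targets one source touches, and a botnet like JDY stays under it by giving each bot only a few probes. The detector below is an added example, not the article's or Lumen's tooling: it buckets constructed firewall log lines into fixed windows, keeps only sources from constructed "residential" ranges that touch between two and a handful of distinct (host, port) targets, and alerts when enough such sources together sweep a wide set of edge services. The log format (`<ISO timestamp> <action> <src> <dst> <dport>`), the residential ranges and every threshold are assumptions; in practice the ranges come from a threat feed and the thresholds are tuned against a baseline of normal inbound traffic, as the guidance above recommends.

```python
"""Flag distributed low-volume scanning of edge services from residential ranges.

Added example (not from the article or Lumen). Log lines, ranges and
thresholds are constructed for illustration.
Assumed log format: <ISO timestamp> <action> <src> <dst> <dport>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed stand-in for a residential/consumer IP feed.
RESIDENTIAL_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]


def parse(line):
    ts, action, src, dst, dport = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), action, src, dst, int(dport)


def is_residential(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_RANGES)


def targets_by_source(lines, window):
    """{bucket: {src: {(dst, dport), ...}}} over fixed, epoch-aligned time buckets."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, _action, src, dst, dport in map(parse, lines):
        bucket = int(ts.timestamp() // window.total_seconds())
        buckets[bucket][src].add((dst, dport))
    return buckets


def single_source_scans(lines, window=timedelta(minutes=10), threshold=4):
    """Classic per-source rule: one source touching more than `threshold` targets."""
    hits = set()
    for per_src in targets_by_source(lines, window).values():
        hits.update(src for src, tg in per_src.items() if len(tg) > threshold)
    return sorted(hits)


def detect_distributed_scan(lines, window=timedelta(minutes=10),
                            per_src_max=3, min_sources=5, min_targets=8):
    """Alert when many residential sources, each under the per-source threshold,
    together cover many distinct (host, port) targets in one window.
    A source that repeats a single target is treated as an ordinary client."""
    alerts = []
    for bucket, per_src in sorted(targets_by_source(lines, window).items()):
        quiet = {src: tg for src, tg in per_src.items()
                 if 2 <= len(tg) <= per_src_max and is_residential(src)}
        union = set().union(*quiet.values()) if quiet else set()
        if len(quiet) >= min_sources and len(union) >= min_targets:
            start = datetime.fromtimestamp(bucket * window.total_seconds(), tz=timezone.utc)
            alerts.append({"window_start": start.isoformat(),
                           "sources": sorted(quiet),
                           "targets": len(union)})
    return alerts


# Constructed sample: one legitimate user, one loud scanner, six quiet bots.
SAMPLE_LOG = [
    "2026-05-01T09:00:10Z allow 192.0.2.50 203.0.113.10 443",   # VPN user, one target
    "2026-05-01T09:03:10Z allow 192.0.2.50 203.0.113.10 443",
    "2026-05-01T09:01:00Z deny 192.0.2.11 203.0.113.10 22",
    "2026-05-01T09:01:04Z deny 192.0.2.11 203.0.113.11 8443",
    "2026-05-01T09:02:00Z deny 192.0.2.12 203.0.113.12 443",
    "2026-05-01T09:02:04Z deny 192.0.2.12 203.0.113.13 10443",
    "2026-05-01T09:03:00Z deny 198.51.100.20 203.0.113.14 4443",
    "2026-05-01T09:03:04Z deny 198.51.100.20 203.0.113.10 8443",
    "2026-05-01T09:04:00Z deny 198.51.100.21 203.0.113.11 22",
    "2026-05-01T09:04:04Z deny 198.51.100.21 203.0.113.12 8443",
    "2026-05-01T09:05:00Z deny 192.0.2.13 203.0.113.13 22",
    "2026-05-01T09:05:04Z deny 192.0.2.13 203.0.113.14 443",
    "2026-05-01T09:06:00Z deny 192.0.2.14 203.0.113.15 10443",
    "2026-05-01T09:06:04Z deny 192.0.2.14 203.0.113.15 22",
    "2026-05-01T09:07:00Z deny 203.0.113.99 203.0.113.10 21",   # loud single-source scan
    "2026-05-01T09:07:01Z deny 203.0.113.99 203.0.113.10 22",
    "2026-05-01T09:07:02Z deny 203.0.113.99 203.0.113.10 23",
    "2026-05-01T09:07:03Z deny 203.0.113.99 203.0.113.10 25",
    "2026-05-01T09:07:04Z deny 203.0.113.99 203.0.113.10 80",
    "2026-05-01T09:07:05Z deny 203.0.113.99 203.0.113.10 443",
]

if __name__ == "__main__":
    print("per-source scanners:", single_source_scans(SAMPLE_LOG))
    for a in detect_distributed_scan(SAMPLE_LOG):
        print("distributed scan:", a)
```

Run on the sample, the per-source rule sees only the loud scanner, while the distributed rule groups the six two-probe sources into a single alert; neither rule alone covers both cases, which is the practical meaning of moving beyond static, single-IP logic.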
Router Owners Still Play a Role
JDY also shows why unmanaged routers and small office devices can become part of a national-security problem. Even if the device owner is not the final target, attackers can use the device as scanning infrastructure.
The 2024 KV-botnet disruption highlighted the problem with end-of-life routers. U.S. officials said many compromised routers were vulnerable because they no longer received manufacturer security updates.
Organizations should apply firmware updates, change default passwords, disable unnecessary remote administration, and retire unsupported equipment. Vendors and service providers should also help customers identify devices that no longer receive patches.
JDY Turns Reconnaissance Into a Faster Attack Pipeline
The JDY botnet matters because it reduces the time between vulnerability disclosure and target discovery. When a flaw becomes public, a distributed botnet can quickly scan for exposed systems across selected networks.
That gives defenders less time to patch internet-facing systems before threat actors know where to focus. In the case of CVE-2026-35616, public vulnerability details and observed scanning activity reinforced how quickly edge infrastructure can become a target.
Security teams should treat JDY and similar botnets as early-stage intrusion infrastructure. Detecting scanning, hardening the edge, and reducing exposed services may stop later compromise before it begins.
FAQ
JDY is a China-linked reconnaissance botnet made up of compromised SOHO and IoT devices. It scans and fingerprints internet-facing systems so threat actors can identify vulnerable targets quickly.
Lumen Black Lotus Labs says JDY now includes more than 1,500 compromised SOHO and IoT devices, up from about 650 active bots at its January 2024 low point.
Lumen links JDY to China-nexus threat activity, including actors associated with Volt Typhoon. JDY was originally documented as part of the wider KV-botnet ecosystem.
JDY has infected routers, edge devices, and IoT equipment from vendors including Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
Organizations should patch internet-facing devices quickly, replace end-of-life routers and firewalls, restrict remote access, baseline normal VPN and edge traffic, use dynamic threat intelligence, and monitor for distributed low-volume scanning from residential IP ranges.