- The JDY botnet, used by Chinese state-sponsored hacking groups like Volt Typhoon, has rapidly expanded to over 1,500 compromised SOHO routers and IoT devices.
- Its operators have diversified their targets to include devices from Ubiquiti, Hikvision, Linksys, and others, primarily located in the U.S. and Brazil.
- The network functions as a centralized, high-performance scanner for targeted reconnaissance, feeding data into a larger ecosystem for exploitation shortly after vulnerabilities are disclosed.
Cybersecurity researchers at Lumen’s Black Lotus Labs have documented a resurgence and expansion of the JDY botnet, a covert network linked to China-nexus state-sponsored actors. The findings, detailed in a report shared with The Hacker News, show its growth from 650 bots in January 2024 to more than 1,500 compromised devices today. This industrialized reconnaissance effort enables Chinese nation-state groups to rapidly identify vulnerable infrastructure following public disclosures.
Initially flagged within the KV-botnet cluster in late 2023, JDY evolved into an independent capability after the U.S. government’s takedown of KV-botnet in early 2024. Since then, the botnet has served as a conduit for feeding structured reconnaissance data into a larger scanning ecosystem. The malware’s architecture uses Tor nodes to manage its command-and-control servers, which direct bots to perform targeted system profiling and scanning.
Moreover, the malware’s scanning methodology adapts based on its local privileges, using high-speed SYN scanning when root access is available. This activity informs downstream exploitation systems, highlighting how modern reconnaissance networks persist and adapt. As Black Lotus Labs stated, “JDY demonstrates how IoT/SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation.”
