JDY Botnet Grows to 1,500 Devices for Rapid Vulnerability Mapping
Severity: High (Score: 75.5)
Sources: Feeds.4Sysops, Thenextweb, Cybersecuritynews, thehacker.news, Securityaffairs.Co
Keywords: botnet, devices, chinese, hacked, routers, china-linked, reconnaissance
Severity indicators: ot, botnet
Summary
The JDY botnet, linked to Chinese state-sponsored actors, has expanded to over 1,500 compromised small office and IoT devices, primarily in the U.S. and Brazil. It scans for newly disclosed vulnerabilities within hours of publication and feeds the resulting targeting data to state hackers. Initially part of the KV-botnet, JDY has evolved into an independent reconnaissance tool following the takedown of KV in early 2024. The botnet is built from a diverse range of devices, including routers and firewalls from various manufacturers, which helps it evade detection. Its architecture uses Tor nodes for command and control, enabling high-speed scanning and data collection. JDY's activities mark a significant shift in reconnaissance tactics toward infrastructure mapping rather than direct attacks, a growing challenge for enterprise security teams because many edge systems remain poorly monitored.

Key Points:
- JDY botnet has expanded to over 1,500 compromised devices for reconnaissance.
- The botnet scans for vulnerabilities within hours of public disclosure, aiding state hackers.
- JDY's architecture allows it to evade detection by blending in with legitimate traffic.
Detailed Analysis
**Impact**
Over 1,500 compromised SOHO and IoT devices, primarily located in the United States and Brazil, are used by the JDY botnet to scan and map vulnerable internet-facing infrastructure. Affected sectors include enterprise networks with exposed routers, firewalls, VPNs, and cameras, with particular targeting of US military networks. The botnet supports rapid reconnaissance following public vulnerability disclosures, increasing the risk of timely exploitation and operational disruption across multiple industries.

**Technical Details**
JDY operates as a high-performance reconnaissance botnet linked to Chinese state-backed actors, including Volt Typhoon. It compromises diverse devices from manufacturers such as Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. The botnet uses Tor nodes for command-and-control and adapts scanning techniques based on device privileges, performing high-speed SYN scans or standard TCP/TLS probes. It collects IP addresses, port configurations, service banners, TLS certificates, and metadata shortly after vulnerability disclosures, enabling pre-exploitation targeting. The botnet evolved from the KV-botnet cluster, surviving its takedown in early 2024.

**Recommended Response**
Enterprises should prioritize rapid patching of edge devices, especially routers and IoT hardware, to reduce exposure to JDY’s scanning and targeting. Traditional IP-based defenses and geofencing are insufficient due to the botnet’s use of distributed, legitimate-looking residential IPs; therefore, defenders should enhance monitoring of edge device traffic patterns and deploy anomaly detection for unusual scanning activity. Blocking known command-and-control Tor nodes and implementing network segmentation for SOHO and IoT devices can limit reconnaissance scope. No specific CVEs were identified for immediate patching beyond general vulnerability management.
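The monitoring and anomaly-detection recommendation above, as an added example that is not part of the page or of any of the cited reports: a small Python detector run over constructed flow records. It flags a source that touches many ports on one host (vertical scan), one port on many hosts (horizontal scan), or sends mostly SYN-only flows (half-open probing, matching the SYN-scan behaviour the analysis describes) inside a fixed time window. The record layout, the addresses and the thresholds are assumptions of this example, not a vendor log format.

```python
"""Added example (not from the page): flag scan-like behaviour in flow logs.

Parses constructed whitespace-separated flow records (the layout is an
assumption of this example) and reports sources whose behaviour inside a
fixed time window looks like vertical scanning, horizontal scanning, or
half-open SYN probing.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    flags: str    # TCP flags seen on the flow, e.g. "S" (SYN only), "SPA"
    nbytes: int   # bytes sent by the source


def parse_flow(line: str) -> Flow:
    """Parse one record: ts src dst dport flags bytes (assumed layout)."""
    ts, src, dst, dport, flags, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), flags, int(nbytes))


def detect_scanners(flows, window=60, port_threshold=20,
                    host_threshold=20, syn_ratio=0.8, min_flows=10):
    """Return {src: metrics} for sources that cross a scanning threshold in
    some window. Thresholds are illustrative defaults; tune per network."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.ts // window)].append(f)

    findings = {}
    for (src, b), fl in buckets.items():
        ports = {f.dport for f in fl}
        hosts = {f.dst for f in fl}
        syn_only = sum(1 for f in fl if f.flags == "S")
        ratio = syn_only / len(fl)
        reasons = []
        if len(ports) >= port_threshold:
            reasons.append("vertical_scan")      # many ports, few hosts
        if len(hosts) >= host_threshold:
            reasons.append("horizontal_scan")    # one service, many hosts
        if len(fl) >= min_flows and ratio >= syn_ratio:
            reasons.append("half_open_syn")      # SYNs with no completed handshake
        if not reasons:
            continue
        metrics = {"window_start": b * window, "flows": len(fl),
                   "ports": len(ports), "hosts": len(hosts),
                   "syn_only_ratio": round(ratio, 2), "reasons": reasons}
        # Keep the busiest offending window per source
        if src not in findings or metrics["flows"] > findings[src]["flows"]:
            findings[src] = metrics
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
_BASE = 1_700_000_000
SAMPLE_LINES = (
    # one source probing 30 ports on a single host with SYN-only flows
    [f"{_BASE + i} 203.0.113.7 192.0.2.10 {1000 + i} S 60" for i in range(30)]
    # one source probing port 22 across 25 hosts
    + [f"{_BASE + i} 203.0.113.9 192.0.2.{20 + i} 22 S 60" for i in range(25)]
    # benign client completing HTTPS sessions with five hosts
    + [f"{_BASE + 5 * i} 198.51.100.5 192.0.2.{50 + i} 443 SPA 4820" for i in range(5)]
)
SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for src, m in sorted(detect_scanners(SAMPLE_FLOWS).items()):
        print(src, m)
```

The two probing sources are reported with their reasons while the benign HTTPS client is not. Because the page notes that JDY's nodes are residential devices that blend into normal traffic, the detector keys on behaviour (port and host fan-out, SYN-only ratio) rather than on source reputation, so it is worth running on flows exported from the edge devices themselves rather than only at a perimeter choke point.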
Source articles (10)
- China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance — Thehackernews · 2026-06-10
- China-linked JDY botnet expands to 1,500 devices for industrial reconnaissance — Feeds.4Sysops · 2026-06-10
  The JDY botnet has expanded to over 1,500 compromised devices to conduct large-scale reconnaissance and service fingerprinting. This network primarily targets small office and office routers, firewall…
- A Chinese state-linked botnet has grown to 1,500 hacked routers and is mapping vulnerable ... — Thenextweb · 2026-06-10
  China-linked JDY botnet grew from 650 to 1,500+ hacked SOHO devices. It scans for new vulnerabilities within hours and feeds targeting data to state hackers. A covert botnet linked to Chinese state- h…
- JDY botnet expands, enabling rapid exploitation of disclosed vulnerabilities — Scworld · 2026-06-10
  Cybersecurity researchers at Lumen's Black Lotus Labs have identified a significant resurgence and expansion of the JDY botnet, a covert network linked to Chinese state- threat actors. This botnet, co…
- A Chinese state-linked botnet has grown to 1,500 hacked routers and is mapping vulnerable ... — Ground.News · 2026-06-11
  A covert botnet linked to Chinese state- hackers has more than doubled in size and is now scanning for newly disclosed vulnerabilities within hours of publication. The JDY botnet comprises over 1,500…
- JDY Botnet Evolves After KV Takedown, Targets Military Networks — Securityaffairs.Co · 2026-06-11
  JDY botnet scans SOHO/IoT devices globally to map services and targets, especially US military networks. Lumen’s Black Lotus Labs reported the resurgence of the JDY botnet, a covert reconnaissance net…
- China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation — Cybersecuritynews · 2026-06-11
  A China-linked network of compromised routers and smart devices has grown into one of the most capable reconnaissance tools tied to a nation-state threat group. Researchers have identified a major res…
- China — Csoonline · 2026-06-11
  A botnet made up of compromised small office and Internet of Things devices has grown into a larger reconnaissance network capable of rapidly identifying vulnerable internet-facing systems after publi…
- Tired of False Positives? Validate Automated Pentesting Results Before Acting — thehacker.news · 2026-06-11
  Learn how to validate automated pentesting results for accurate security decisions. Automated pentesting was sold as a comprehensive security validation. In practice, it covers only one of six surfaces, and the gap does not close with additional tuning. Join Autumn Stambaugh and Can…
- China Linked Jdy Botnet Expands To 1500 Devices For Cyber Reconnaissance — www.itsecuritynews.info · 2026-06-11
Timeline
- 2023-12-01 — JDY botnet first identified: JDY was initially flagged as part of the KV-botnet linked to Volt Typhoon.
- 2024-01-01 — JDY botnet grows to 650 devices: The botnet's size increased to 650 compromised devices, indicating rapid growth.
- 2024-04-06 — CVE-2026-35616 added to CISA KEV: CVE-2026-35616 was recognized for active exploitation, highlighting security risks.
- 2026-04-04 — CVE-2026-35616 published: A critical vulnerability was published, increasing the urgency for organizations to patch.
- 2026-06-10 — JDY botnet grows to 1,500 devices: The botnet's size expanded to over 1,500 devices, enhancing its reconnaissance capabilities.
- 2026-06-11 — JDY botnet reported by multiple sources: Cybersecurity researchers confirmed the botnet's expansion and its implications for enterprise security.
CVEs
Related entities
- Volt Typhoon (Apt Group)
- Botnet (Attack Type)
- Malware (Attack Type)
- Brazil (Country)
- China (Country)
- United States (Country)
- Government (Industry)
- JDY (Malware)
- JDY Botnet (Malware)
- KV-botnet (Malware)
- T1046 - Network Service Discovery (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- Araknis (Platform)
- Draytek (Platform)
- Linksys (Platform)
- Mimosa Networks (Platform)
- Tor (Platform)
- Cisco (Company)
- Hikvision (Company)
- Ubiquiti (Company)