JDY Botnet Grows to 1,500 Devices for State-Sponsored Reconnaissance

Severity: High (Score: 72.6)

Sources: thehacker.news, Feeds.4Sysops, Thehackernews, Thenextweb

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: botnet, devices, chinese, hacked, routers, china-linked, reconnaissance

Severity indicators: ot, botnet

Summary

The JDY botnet, linked to Chinese state-sponsored hackers, has expanded to over 1,500 compromised small office and home office devices, including routers and IoT devices. Initially identified in December 2023 as part of the KV-botnet, JDY has evolved into an independent entity capable of rapid reconnaissance. It scans for newly disclosed vulnerabilities within hours and maps exposed services to support state hacking efforts. The majority of infected devices are located in the United States and Brazil. The botnet's architecture includes Tor nodes for command-and-control operations, allowing it to evade detection. Its growth from 650 devices in January 2024 to 1,500 today highlights its increasing capability and resilience against takedowns. The botnet's operations focus on infrastructure mapping rather than direct attacks, making it a significant threat to national security.

Key Points:

  • JDY botnet has expanded to over 1,500 compromised devices for reconnaissance.
  • The botnet scans for vulnerabilities within hours of disclosure, primarily targeting routers and IoT devices.
  • Most infected devices are located in the US and Brazil, enhancing the botnet's evasion of detection.

Detailed Analysis

**Impact**

Over 1,500 small office/home office (SOHO) routers, firewalls, and IoT devices, primarily in the United States and Brazil, are compromised. The botnet targets infrastructure across multiple sectors that rely on these devices, increasing exposure to reconnaissance activity that enables follow-on exploitation by Chinese state-sponsored groups. The growth from 650 devices in early 2024 to over 1,500 indicates an expanding operational scope and the potential for widespread infrastructure mapping. No direct data exfiltration or service disruption has been reported.

**Technical Details**

The JDY botnet performs rapid scanning and fingerprinting of exposed services from compromised devices, including models from Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. It exploits newly disclosed vulnerabilities within hours of publication, using both root and non-root access to perform high-speed SYN scans and standard TCP/TLS probing. The botnet operates through layered infrastructure managed via Tor nodes and conducts reconnaissance without direct exploitation. Indicators of compromise include high-volume TCP, SSL, UDP, and ICMP probing traffic originating from residential IP addresses.

**Recommended Response**

Prioritize patching and firmware updates on all edge devices, especially routers and IoT hardware that are end-of-life or unsupported. Deploy network monitoring to detect anomalous scanning behavior such as SYN floods and SSL, UDP, and ICMP probes from internal or external IPs that appear to be residential. Harden device configurations by disabling unnecessary services and restricting management access. Monitor for unusual outbound connections to Tor nodes and implement IP reputation controls with awareness that residential IPs are used to evade them.
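The monitoring recommendation above can be turned into a simple flow-level detector: count, per source IP, how many distinct (destination, port, protocol) targets receive SYN-only, UDP or ICMP probes inside a short window, which is the traffic shape the indicators describe. This is an added example, not code from the page or from any of the cited sources; the flow records, the 5-target threshold and the 60-second window are constructed assumptions and would be tuned against real NetFlow/IPFIX exports.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample flow records (not from the original page), one flow per line:
# epoch_seconds src_ip dst_ip dst_port proto tcp_flags  ("-" when flags do not apply)
SAMPLE_FLOWS = """\
1000 203.0.113.10 192.0.2.5 22 tcp S
1001 203.0.113.10 192.0.2.5 443 tcp S
1002 203.0.113.10 192.0.2.6 8443 tcp S
1003 203.0.113.10 192.0.2.7 161 udp -
1004 203.0.113.10 192.0.2.8 0 icmp -
1005 203.0.113.10 192.0.2.9 445 tcp S
1006 198.51.100.7 192.0.2.5 443 tcp SA
1007 198.51.100.7 192.0.2.5 443 tcp A
2000 203.0.113.10 192.0.2.20 443 tcp S
"""

SCAN_THRESHOLD = 5   # assumed: distinct probe targets from one source ...
WINDOW_SECONDS = 60  # assumed: ... within this sliding window flags scan-like behaviour


def parse_flows(text: str) -> List[dict]:
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "flags": flags})
    return flows


def detect_probing(flows: List[dict]) -> Dict[str, int]:
    """Return {src_ip: max distinct targets seen in any window} for sources that reach
    SCAN_THRESHOLD. A probe is a TCP SYN without ACK, any UDP flow or any ICMP flow;
    established TCP traffic (ACK set) is ignored so normal sessions do not count."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        syn_only = f["proto"] == "tcp" and "S" in f["flags"] and "A" not in f["flags"]
        if syn_only or f["proto"] in ("udp", "icmp"):
            by_src[f["src"]].append((f["ts"], (f["dst"], f["dport"], f["proto"])))
    findings = {}
    for src, events in by_src.items():
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1  # slide the window forward past stale events
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= SCAN_THRESHOLD:
            findings[src] = best
    return findings
```

In the constructed sample only 203.0.113.10 is reported (six distinct targets within the window); the later lone SYN at t=2000 falls outside it, and the established session from 198.51.100.7 is ignored.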

Source articles (4)

  • China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance — Thehackernews · 2026-06-10
    Learn how to map hidden AI tools and agents directly to human owners. Join SailPoint to unify human, machine, and AI identities. Learn how to validate automated pentesting results for accurate securit…
  • China-linked JDY botnet expands to 1,500 devices for industrial reconnaissance — Feeds.4Sysops · 2026-06-10
    The JDY botnet has expanded to over 1,500 compromised devices to conduct large-scale reconnaissance and service fingerprinting. This network primarily targets small office and office routers, firewall…
  • A Chinese state-linked botnet has grown to 1,500 hacked routers and is mapping vulnerable ... — Thenextweb · 2026-06-10
    China-linked JDY botnet grew from 650 to 1,500+ hacked SOHO devices. It scans for new vulnerabilities within hours and feeds targeting data to state hackers. A covert botnet linked to Chinese state- h…
  • Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. — thehacker.news · 2026-06-10
    Automated pentesting was sold as a comprehensive security validation. In practice, it covers only one of six surfaces, and the gap does not close with additional tuning. Join Autumn Stambaugh and Can…

Timeline

  • 2023-12-01 — JDY botnet first identified: The JDY botnet was identified as part of the KV-botnet linked to Chinese state hackers.
  • 2024-01-01 — JDY botnet grows to 650 devices: The botnet's size increased to 650 devices by early January 2024, indicating rapid growth.
  • 2024-01-05 — KV-botnet taken down by FBI: The FBI dismantled the KV-botnet, but JDY adapted and continued to operate independently.
  • 2026-06-10 — JDY botnet reaches 1,500 devices: The JDY botnet has expanded to over 1,500 devices, enhancing its reconnaissance capabilities.

Related entities

  • Volt Typhoon (Apt Group)
  • Botnet (Attack Type)
  • Brazil (Country)
  • China (Country)
  • United States (Country)
  • JDY Botnet (Malware)
  • T1046 - Network Service Discovery (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • Cisco (Company)
  • Tor (Platform)