China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation
A China-linked network of compromised routers and smart devices has grown into one of the most capable reconnaissance tools tied to a nation-state threat group.
Researchers have identified a major resurgence of a botnet known as JDY, which now controls more than 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices spread across the United States, Europe, and Asia.
The botnet is designed not to attack targets directly, but to scan the internet for vulnerable systems and pass that intelligence to hacker groups tied to China.
The JDY botnet traces its origins to late 2023, when it was first uncovered as part of a larger operation called KV-botnet, a covert network used by China-backed groups, most notably Volt Typhoon, to spy on U.S. critical infrastructure.
At its lowest point in January 2024, JDY had around 650 active bots. Since then, it has more than doubled in size, quietly rebuilding after U.S. government efforts dismantled its companion network, the KV cluster.
Analysts from Lumen’s Black Lotus Labs tracked the botnet’s evolution and found it had not only grown but also become more dangerous.
According to a report shared with Cyber Security News (CSN), Lumen said the JDY botnet now targets a far wider range of devices from manufacturers including Cisco, Ubiquiti, Hikvision, Draytek, Linksys, Araknis, and Mimosa Networks.
What makes JDY particularly alarming is the speed at which it acts on new intelligence. When a vulnerability is publicly disclosed, operators shift scanning almost immediately.
Researchers observed a spike in scans targeting Fortinet devices within hours of the disclosure of CVE-2026-35616, showing that the botnet helps threat actors find vulnerable systems before defenders apply patches.
The botnet’s primary victims are overwhelmingly U.S.-based, and scanning is focused on networks associated with U.S. military entities.
Since infected devices are ordinary home and small business routers, their traffic blends in with normal internet activity, making detection harder for traditional security tools.
China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices
The JDY botnet works through a tightly organized system that keeps operators hidden while bots stay active.
Infected devices receive scanning tasks from a command-and-control server communicating via hidden Tor nodes, making it nearly impossible to trace back to operators.
Bots perform multiprotocol scans across TCP, UDP, SSL, and ICMP channels, then send compressed, encrypted results back to the central server.
The malware runs on Linux-based systems built for MIPS and MIPSEL processor architectures, the types most common in home routers and edge network devices.
A lightweight bash dropper handles infection: it detects the device’s processor type, downloads the matching payload, executes it, and deletes the file from disk.
Some devices are also managed through Platypus, an open-source remote shell tool, with the payload server at 149.248.3[.]38 hosting a Platypus instance on port 13339.
By spreading scanning across thousands of devices with different IP addresses, the botnet easily sidesteps traditional defenses like blocklists and geofencing.
Each device carries only a small share of the scanning load, so no single IP triggers enough alarms to get blocked.
Figure: Network overview showing how JDY distributes scanning across residential and small enterprise IP space.
Defending Against Covert Scanning Networks
Black Lotus Labs researchers emphasize that disrupting parts of a botnet is not enough. When the KV cluster was taken down, JDY kept operating and expanded.
The capability adapts, rebuilds, and keeps feeding intelligence to threat actors, often within hours of a new vulnerability becoming public.
Security teams are advised to implement guidance from CISA and the UK National Cyber Security Centre for mitigating Volt Typhoon activity and defending against China-linked covert networks.
Organizations should also consider adopting Secure Access Service Edge solutions to shrink their internet-facing exposure. For routers, firewalls, and IoT devices, the steps are clear: reboot regularly, apply patches quickly, and stay current with updates.
Relying on IP reputation checks or static blocklists alone is no longer enough when an adversary controls thousands of legitimate-looking addresses.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 149.248.3[.]38 | JDY botnet payload server hosting Platypus remote shell on port 13339 |
| Port | 13339 | Default port used by Platypus server to download agents (Termite clients) to target endpoints |
| AES Key | 0000000000000000bdb718bdf47cbcde | Hardcoded AES decryption key used by JDY malware to decrypt C2 tasking responses |
| Malware Version | 1.8.3.9 | Hardcoded version string found in analyzed JDY malware samples |
| Process Name | auditdy | Variable process name used by JDY dropper to check for existing infections |
| File Path | /etc/ or /tmp/ | Directories where JDY payload is written before execution and then deleted |
| Architecture | mips, mips64, mipsel, mipsel64 | Target processor architectures for JDY malware payloads |
| CVE | CVE-2026-35616 | Fortinet vulnerability exploited within hours of public disclosure by JDY operators |
| Network Path | /dispatch_service/v2/probe_status | C2 endpoint used for initial check-in beacon via HTTPS POST |
| Network Path | /data/v2/pscan | C2 endpoint used to deliver compressed scan results with filename attr.json |
| ICMP Identifier | 19037 | Hardcoded ICMP packet identifier used in UDP/ICMP scanning for port 80 targets |
| Source Port | 19000 | Fixed source port used in high-speed SYN scanning mode |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
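A small detection helper, added here as an illustration rather than taken from the Black Lotus Labs report or CSN, that matches the table's network indicators (payload server IP and Platypus port, the two C2 check-in paths, the fixed SYN source port and the ICMP identifier) against constructed firewall and proxy log lines. The key=value log format and the sample lines are assumptions; outbound hits on the C2 paths or payload server point at an infected device on your own network, while inbound hits on the scan signatures identify a compromised SOHO router used as a bot, not its owner as the operator.

```python
import re
from typing import Dict, List

# Indicators copied from the IoC table above. The IP is stored defanged,
# exactly as published, and re-fanged only at comparison time.
JDY_PAYLOAD_SERVER = "149.248.3[.]38"
JDY_PLATYPUS_PORT = 13339
JDY_C2_PATHS = ("/dispatch_service/v2/probe_status", "/data/v2/pscan")
JDY_SYN_SRC_PORT = 19000
JDY_ICMP_ID = 19037

# Assumed (constructed) log layouts, one record per line:
#   web:  'web dst=<ip> method=<verb> path=<path>'
#   tcp:  'fw proto=tcp src=<ip> sport=<n> dst=<ip> dport=<n> flags=<f>'
#   icmp: 'fw proto=icmp src=<ip> dst=<ip> id=<n>'
KV = re.compile(r"(\w+)=(\S+)")


def refang(ip: str) -> str:
    return ip.replace("[.]", ".")


def match_line(line: str) -> List[str]:
    """Return the JDY indicators hit by one log line (empty when clean)."""
    f: Dict[str, str] = dict(KV.findall(line))
    hits: List[str] = []
    server = refang(JDY_PAYLOAD_SERVER)
    if server in (f.get("dst"), f.get("src")):
        hits.append("payload-server-ip")          # any contact with 149.248.3[.]38
    if f.get("dport") == str(JDY_PLATYPUS_PORT):
        hits.append("platypus-port")              # Platypus remote shell on 13339
    if f.get("method") == "POST" and f.get("path") in JDY_C2_PATHS:
        hits.append("c2-path:" + f["path"])       # bot check-in / result upload
    if f.get("proto") == "tcp" and f.get("flags") == "S" \
            and f.get("sport") == str(JDY_SYN_SRC_PORT):
        hits.append("syn-scan-sport-19000")       # high-speed SYN scan mode
    if f.get("proto") == "icmp" and f.get("id") == str(JDY_ICMP_ID):
        hits.append("icmp-id-19037")              # ICMP probe with fixed identifier
    return hits


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> indicators for every line that hits at least one."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    "web dst=203.0.113.10 method=GET path=/index.html",
    "web dst=198.51.100.7 method=POST path=/dispatch_service/v2/probe_status",
    "fw proto=tcp src=192.0.2.44 sport=19000 dst=203.0.113.10 dport=80 flags=S",
    "fw proto=icmp src=192.0.2.45 dst=203.0.113.10 id=19037",
    "fw proto=tcp src=10.0.0.5 sport=51234 dst=149.248.3.38 dport=13339 flags=S",
]

if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(found)}")
```

A source-port or ICMP-identifier match alone is a weak signal on a busy perimeter; treat it as a pivot for correlation with the C2 paths and payload server rather than as a standalone block rule.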
The post China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation appeared first on Cyber Security News.
Tushar Subhra Dutta