
The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts.
According to researchers at Black Lotus Labs by Lumen, who have been monitoring its activity, JDY maintains a strong focus on the United States, where many of its compromised devices are located and where it heavily targets military and associated networks.
The security firm notes that JDY has grown from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today.
While the numbers seem low, it's important to note that JDY isn't an exploitation framework or a DDoS botnet that requires large swarms to accumulate firepower, but is instead a distributed scanning and fingerprinting network that helps its operators locate targets vulnerable to newly disclosed flaws.
"Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors," reads the Black Lotus Labs report.
"This targeted focus has been observed across a range of sectors, with the U.S. military and associated entities as the most prominent."
[Figure: Most impacted countries by the JDY botnet. Source: Black Lotus Labs]
CISA has previously warned about the risk Volt Typhoon operatives pose to unprotected SOHO routers, urging network device vendors to eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases.
The JDY botnet is designed to conduct service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and flaw-focused reconnaissance.
Among the compromised devices are those from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, running on MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures.
The threat actors are quick to target newly disclosed vulnerabilities, with Lumen researchers observing JDY scans targeting CVE-2026-35616 shortly after Fortinet publicly disclosed the FortiClient EMS flaw.
[Figure: JDY targeting volume on a specific date. Source: Black Lotus Labs]
The operators control the botnet through Tor hidden (onion) services that act as its command-and-control (C2) infrastructure. In some cases they also use Platypus, an open-source reverse-shell and host-management framework.
[Figure: JDY network overview. Source: Black Lotus Labs]
The malware registers with a central "Dispatch Service" and receives scanning assignments, which it executes before compressing the results and sending them back to the C2.
The scanning module supports the following:
- TCP scanning
- SSL/TLS scanning
- UDP scanning
- ICMP probing
- Banner collection
- TLS certificate harvesting
- Service fingerprinting using downloadable rule sets
The botnet client repeats the same cycle until the operator specifically orders it to stop.
The TCP scanning function is the most technically interesting part, the researchers say: when JDY runs with sufficient privileges, it switches to raw SYN (half-open) scanning, which is both faster and quieter than connect-based scanning because the handshake is never completed and the probe typically never reaches the target's application-layer logs.
"If the malware can open a raw socket, which generally requires root or administrative privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets," explains the report.
"These custom packets use a fixed source port of 19000, increment the destination ports one at a time, and batch-process thousands of scan targets."
[Figure: Code snippet handling the raw SYN scanning. Source: Black Lotus Labs]
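The traits the report describes (a fixed source port, destination ports stepping up by one, and SYNs that never complete a handshake) are exactly what a defender can hunt for in flow telemetry from edge devices. The following is an added example, not Black Lotus Labs' code or JDY's: a heuristic detector over Zeek-style conn.log records. The flow records are constructed (RFC 5737 documentation addresses), and the thresholds and the `Flow` field layout are the example's own assumptions; it scores the pattern rather than hard-coding port 19000, since a fixed source port of any value is the anomaly.

```python
"""Heuristic detection of a fixed-source-port SYN sweep in outbound flow telemetry.

Added example (not Black Lotus Labs' or JDY's code). Input is a Zeek-style
conn.log record; the records built in sample_flows() are constructed, not captured.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Zeek conn_state values meaning the TCP three-way handshake never completed.
NO_HANDSHAKE = {"S0", "REJ", "RSTO", "RSTOS0", "SH"}


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" / "udp" / "icmp"
    conn_state: str  # Zeek conn_state, e.g. S0 (SYN, no reply) or SF (normal close)


def detect_syn_sweeps(flows, min_flows=20, fixed_port_ratio=0.9,
                      sequential_ratio=0.8, half_open_ratio=0.8):
    """Return {src_ip: summary} for hosts whose outbound TCP flows look like a
    raw-socket SYN sweep: one source port reused for nearly every probe,
    destination ports stepping up by one, and almost no completed handshakes.
    Thresholds are assumptions for this example, not values from the report."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp":
            by_src[f.src_ip].append(f)

    findings = {}
    for src, fl in by_src.items():
        if len(fl) < min_flows:
            continue

        # 1. Source port reuse. A kernel-allocated ephemeral port changes per
        #    connection; a hand-crafted SYN can pin it (the report observed 19000).
        top_port, top_n = Counter(f.src_port for f in fl).most_common(1)[0]
        fixed = top_n / len(fl)

        # 2. Destination ports incrementing by one. Grouping by target and
        #    ordering by time makes this hold whether the scanner sweeps all
        #    ports on one target first, or one port across every target first.
        fl_sorted = sorted(fl, key=lambda f: (f.dst_ip, f.ts))
        steps = [b.dst_port - a.dst_port
                 for a, b in zip(fl_sorted, fl_sorted[1:]) if a.dst_ip == b.dst_ip]
        sequential = (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0

        # 3. Half-open: a SYN scanner never finishes the handshake.
        half_open = sum(1 for f in fl if f.conn_state in NO_HANDSHAKE) / len(fl)

        if (fixed >= fixed_port_ratio and sequential >= sequential_ratio
                and half_open >= half_open_ratio):
            findings[src] = {
                "flows": len(fl),
                "source_port": top_port,
                "targets": sorted({f.dst_ip for f in fl}),
                "port_range": (min(f.dst_port for f in fl), max(f.dst_port for f in fl)),
                "fixed_port_ratio": round(fixed, 2),
                "sequential_ratio": round(sequential, 2),
                "half_open_ratio": round(half_open, 2),
            }
    return findings


def sample_flows():
    """Constructed telemetry: one compromised edge device sweeping ports 1-30 on
    two targets from fixed source port 19000, plus an ordinary client browsing."""
    flows = []
    t = 1_700_000_000.0
    # Infected device (documentation addresses; not real hosts).
    for dst in ("198.51.100.1", "198.51.100.2"):
        for port in range(1, 31):
            t += 0.001
            flows.append(Flow(t, "192.0.2.10", 19000, dst, port, "tcp", "S0"))
    # Benign workstation: varying ephemeral source ports, completed handshakes.
    for i in range(25):
        t += 1.0
        flows.append(Flow(t, "192.0.2.20", 49152 + i, "203.0.113.5", 443, "tcp", "SF"))
    return flows


if __name__ == "__main__":
    for src, info in detect_syn_sweeps(sample_flows()).items():
        print(src, info)
```

Run against the sample, only 192.0.2.10 is reported, with source port 19000 and a 1-30 port range; the browsing host fails the fixed-port test because every connection uses a different ephemeral port. In production the same three ratios can be computed per source over a sliding window in a SIEM or NDR query, and a hit from a router or camera, rather than a scanner you operate, is the signal that the device itself may have been recruited.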
As JDY botnet activity increases, organizations should ensure routers, firewalls, and IoT devices are running the latest security updates and patches to prevent them from being recruited into reconnaissance networks.
Defenders should also reduce their external attack surface by disabling unnecessary internet-exposed administrative interfaces, restricting remote management access, replacing default credentials, and monitoring for unusual outbound scanning activity originating from edge devices.