JDY Botnet Evolves After KV Takedown, Targets Military Networks

Pierluigi Paganini June 11, 2026

JDY botnet scans SOHO/IoT devices globally to map services and targets, especially US military networks.

Lumen’s Black Lotus Labs reported the resurgence of the JDY botnet, a covert reconnaissance network tied to Chinese state-sponsored hacking groups including Volt Typhoon. The network was first spotted in late 2023 as a cluster inside KV-botnet. The U.S. government took down the KV cluster in early 2024. JDY kept running.

“The JDY botnet comprises over 1,500 small office and home office (SOHO) and Internet of Things (IoT) devices. It operates as a centrally controlled, high-performance scanner used to discover, fingerprint and continuously map exposed services at scale.” reads the report published by Lumen. “The IoT-based malware affects a wider array of devices and feeds structured reconnaissance data into a larger scanning ecosystem for subsequent triage, target identification and exploitation.”

That’s more than double the roughly 650 bots recorded at JDY’s lowest point in January 2024. The device list has diversified too: where the old botnet ran almost exclusively on Cisco RV320 and RV325 routers, today’s JDY pulls in hardware from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. More manufacturers, more architectures, more coverage.

Most of the infected nodes are in the United States, with additional clusters in Brazil, Europe, and Asia. That geographic spread is deliberate.

“The botnet’s large number of U.S.-based SOHO and IoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection and static blocklists. By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked.” continues the report. “Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.”

The architecture behind JDY is layered and careful. Operators reach infected devices through Tor hidden services that conceal both the command-and-control servers and the payload servers. The C2 tells infected devices what to scan; results flow back to central servers for aggregation. Nothing stays on disk longer than necessary: the dropper downloads the payload, launches it, then deletes the binary, so the malware survives only in memory. An inspection of the device's storage turns up nothing, although the running process and its outbound connections remain observable while it is active.

The malware itself identifies its host, checks in to the dispatch service over HTTPS with a structured JSON packet describing the system's OS, architecture, uptime, memory, and malware version, then waits for scanning tasks. The scanning engine adapts to the privileges it has. With root access and a raw socket, it sends custom-crafted TCP SYN packets to thousands of targets per batch without ever completing a handshake, so the target's applications never see a connection and log nothing; only network-level telemetry records the probe. Without raw-socket access, it falls back to ordinary TCP and TLS connections, which are noisier but yield richer data: banners, SSL/TLS versions, certificate metadata, redirect paths, and HTTP responses.

The scanning is not a blind port sweep. When the malware receives a command from its control server, it downloads detailed rules for recognizing specific services: how they behave, which ports they use, and what their responses look like.

Each infected router thus becomes a smart scanner that confirms real services rather than merely reporting open ports.

The findings are packaged into encrypted data and sent back to the operators, including IP addresses, ports, protocols, TLS details, certificates, and web redirects.
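The half-open scanning and the spreading of probes across many bot IPs described above have a direct consequence for defenders: the targeted applications log nothing, and no single source crosses a per-IP threshold. The following is an added example, not code from Lumen's report or from the JDY malware, showing why detection has to move to network telemetry and aggregate by destination port rather than by source. It assumes a hypothetical flow-record format (the `Flow` dataclass, with a `flags` string where a bare `S` means only a SYN was ever seen from the client) and runs over constructed sample records.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """Hypothetical flow record (assumed format, not any real collector's schema)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags seen over the flow's life: "S" = SYN only, "SAF" = SYN, ACK, FIN


def at(hhmm: str) -> datetime:
    """Constructed timestamp on a single day, for the sample data below."""
    return datetime(2026, 4, 5, int(hhmm[:2]), int(hhmm[2:]))


# Constructed sample records, not captured traffic. Six bot sources each send
# SYN-only probes to two different hosts on 443 within one minute, so every
# bot stays tiny on its own. A few hosts also receive ordinary completed
# connections (handshake finished, FIN seen).
BOTS = [f"198.51.100.{i}" for i in range(1, 7)]
TARGETS = [f"203.0.113.{i}" for i in range(10, 22)]

FLOWS = [Flow(at("1401"), bot, TARGETS[2 * i + j], 443, "S")
         for i, bot in enumerate(BOTS) for j in range(2)]
FLOWS += [
    Flow(at("1400"), "192.0.2.50", TARGETS[0], 443, "SAF"),
    Flow(at("1403"), "192.0.2.51", TARGETS[1], 443, "SAF"),
    Flow(at("1404"), "192.0.2.52", TARGETS[3], 22, "SAF"),
    Flow(at("1405"), "192.0.2.53", TARGETS[0], 443, "SAF"),
]


def half_open(flows):
    """Probes where only a SYN was ever seen from the client: the handshake
    was never completed, so the target's service never accepted a connection
    and has nothing to log. Only flow or packet telemetry sees these."""
    return [f for f in flows if f.flags == "S"]


def per_source_exceeds(flows, threshold):
    """The classic per-IP scanner rule. Against a botnet that spreads probes
    across many addresses, each source stays under the threshold."""
    counts = defaultdict(int)
    for f in half_open(flows):
        counts[f.src] += 1
    return sorted(src for src, n in counts.items() if n > threshold)


def distributed_scan_alerts(flows, window_min=5, min_sources=5, min_targets=8):
    """Aggregate half-open probes by destination port per time bucket across
    all sources. Many distinct sources hitting many distinct targets on one
    port is the signature of a coordinated scan even when no single source
    is noisy. Returns (bucket_start, dport, n_sources, n_targets) tuples."""
    buckets = defaultdict(lambda: (set(), set()))
    for f in half_open(flows):
        bucket = f.ts.replace(minute=(f.ts.minute // window_min) * window_min,
                              second=0, microsecond=0)
        srcs, dsts = buckets[(bucket, f.dport)]
        srcs.add(f.src)
        dsts.add(f.dst)
    return sorted((b, port, len(s), len(d))
                  for (b, port), (s, d) in buckets.items()
                  if len(s) >= min_sources and len(d) >= min_targets)


if __name__ == "__main__":
    print("per-source rule flags:", per_source_exceeds(FLOWS, threshold=5))
    print("per-port aggregation flags:", distributed_scan_alerts(FLOWS))
```

On the sample data the per-source rule flags nothing, because each bot sends only two probes, while the per-port aggregation flags port 443 in the 14:00 bucket with six sources and twelve targets. The thresholds are illustrative, and the `flags` semantics must be mapped to whatever the real collector emits (Zeek's `history` field or the NetFlow TCP-flags bitfield, for example). Tracking the same per-port aggregate over time is also how the disclosure-triggered spike the report describes would show up.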

What JDY does with its results makes the intent clear. Black Lotus Labs found a sharp spike in scans of Fortinet devices hours after CVE-2026-35616 was publicly disclosed on April 5, 2026. The botnet didn’t wait for a patch window. It started looking for unpatched devices the same day the flaw became public. Of all the IP addresses the JDY botnet targeted, the largest share belonged to networks operated by the U.S. military and associated entities. Not random. Not opportunistic.

JDY botnet

JDY malware doesn’t directly attack systems. Instead, it collects detailed information about infrastructure to map potential targets. This data is then likely used by other tools to plan exploits, discover vulnerabilities, and carry out actual attacks.

“The JDY malware focuses on infrastructure reconnaissance rather than exploiting targets, which likely supports follow-on asset discovery, vulnerability-targeting pipelines and downstream exploitation or attack-orchestration systems.” states Lumen’s Black Lotus Labs.

The takedown of the KV-botnet in 2024 didn’t eliminate the reconnaissance capability. It forced an adaptation.

“JDY’s evolution from a supporting component of the KV‑botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability.” concludes the report. “The capability persists, adapts and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.”

Pierluigi Paganini

(SecurityAffairs – hacking, JDY botnet)
