China-Linked JDY Botnet Expands Targeting of U.S. Military Networks
The JDY botnet, associated with Chinese threat actors including Volt Typhoon, has significantly broadened its reconnaissance efforts, now actively scanning and targeting U.S. military networks.

The JDY botnet, a malware network previously linked to Chinese threat actors such as Volt Typhoon, has markedly expanded its targeting scope and reconnaissance activities. Researchers at Black Lotus Labs by Lumen have observed that JDY maintains a strong focus on the United States, where a substantial portion of its compromised devices are located, with a particular emphasis on military and associated networks.
The botnet has grown considerably, increasing from approximately 650 active bots in January 2024 to over 1,500 compromised Small Office/Home Office (SOHO) and Internet of Things (IoT) devices. While these numbers might appear modest, JDY's function is not that of a traditional exploitation framework or a Distributed Denial of Service (DDoS) botnet. Instead, it operates as a distributed scanning and fingerprinting network, enabling its operators to efficiently locate targets vulnerable to newly disclosed security flaws.
Analysis of JDY's activity reveals a deliberate strategy of identifying vulnerable infrastructure shortly after public vulnerability disclosures. This suggests that the reconnaissance data gathered is rapidly operationalized by China-nexus advanced persistent threat (APT) actors. The targeted focus has been observed across various sectors, with U.S. military and associated entities being the most prominent targets.
CISA has previously issued warnings regarding the risks posed by Volt Typhoon operatives to unprotected SOHO routers. The agency urged network device vendors to prioritize the elimination of vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases. The JDY botnet is specifically engineered to perform service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and flaw-focused reconnaissance.
Compromised devices include those from manufacturers such as Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, affecting MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. The threat actors demonstrate agility in exploiting newly disclosed vulnerabilities; Lumen researchers documented JDY scans targeting CVE-2026-35616 shortly after Fortinet publicly disclosed the FortiClient EMS flaw.
The botnet operators manage their infrastructure through Tor hidden services, which also serve as command-and-control (C2) points. In some instances, the open-source reverse-shell and host-management framework Platypus is also employed. The malware registers with a central "Dispatch Service" to receive scanning assignments, executes these tasks, compresses the results, and transmits them back to the C2 infrastructure.
The scanning module is versatile, supporting TCP, SSL/TLS, and UDP scanning, along with ICMP probing, banner collection, TLS certificate harvesting, and service fingerprinting using downloadable rule sets. The botnet client continuously repeats this cycle until explicitly ordered to cease by an operator. The TCP scanning function is particularly noteworthy, as JDY can perform much faster and stealthier raw SYN scanning when it possesses sufficient privileges, such as root or administrative access.
As JDY botnet activity escalates, organizations are strongly advised to ensure their routers, firewalls, and IoT devices are running the latest security updates and patches to prevent them from being co-opted into reconnaissance networks. Defenders should also focus on reducing their external attack surface by disabling unnecessary internet-exposed administrative interfaces, restricting remote management access, replacing default credentials, and diligently monitoring for unusual outbound scanning activity originating from edge devices.
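One way to act on the monitoring advice above, as an added example that is not code from the article or from Lumen: it scores each internal source by how many distinct destination/port pairs it touches and what share of its TCP flows never carried an ACK, flagging an edge device that fans out like a scanning bot. The flow records are constructed, and the "timestamp src dst dport proto flags" layout is an assumed simplification of what a flow collector or firewall log would provide.

```python
from collections import defaultdict

# Constructed flow records (not from the article), "timestamp src dst dport proto flags".
# 192.0.2.1 plays an internet-facing SOHO router, 192.0.2.50 an ordinary client.
ROUTER, CLIENT = "192.0.2.1", "192.0.2.50"
FLOWS = [
    # Co-opted router sweeping port 443 across a /24 with bare SYNs, no handshake.
    *[f"2024-06-01T10:00:{i:02d} {ROUTER} 203.0.113.{i} 443 tcp S" for i in range(1, 31)],
    # A few completed, banner-grab style connections from the same router.
    *[f"2024-06-01T10:01:{i:02d} {ROUTER} 198.51.100.{i} 22 tcp SA" for i in range(1, 4)],
    # Normal client traffic: few destinations, full handshakes.
    f"2024-06-01T10:02:00 {CLIENT} 198.51.100.7 443 tcp SA",
    f"2024-06-01T10:02:05 {CLIENT} 198.51.100.7 443 tcp SA",
    f"2024-06-01T10:02:09 {CLIENT} 198.51.100.8 443 tcp SA",
    f"2024-06-01T10:02:12 {CLIENT} 203.0.113.99 53 udp -",
]

def parse_flow(line):
    ts, src, dst, dport, proto, flags = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto, "flags": flags}

def outbound_scan_report(lines, min_targets=20, syn_only_ratio=0.5):
    """Flag sources fanning out to >= min_targets distinct (dst, port) pairs.

    The SYN-only ratio (TCP flows that never carried an ACK) is reported as
    well; a high value is consistent with raw SYN scanning from the device.
    """
    per_src = defaultdict(lambda: {"targets": set(), "tcp": 0, "syn_only": 0})
    for rec in map(parse_flow, lines):
        s = per_src[rec["src"]]
        s["targets"].add((rec["dst"], rec["dport"]))
        if rec["proto"] == "tcp":
            s["tcp"] += 1
            s["syn_only"] += "A" not in rec["flags"]
    report = {}
    for src, s in per_src.items():
        n = len(s["targets"])
        if n < min_targets:
            continue  # ordinary fan-out, not worth an alert
        ratio = s["syn_only"] / s["tcp"] if s["tcp"] else 0.0
        report[src] = {"distinct_targets": n, "syn_only_ratio": round(ratio, 2),
                       "likely_raw_syn_scan": ratio >= syn_only_ratio}
    return report

if __name__ == "__main__":
    for src, stats in outbound_scan_report(FLOWS).items():
        print(src, stats)  # only the router should appear
```

Tune `min_targets` to the normal fan-out of your own edge devices; a router that legitimately proxies many clients needs a higher threshold than one serving a handful of hosts.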
The JDY botnet has significantly expanded its device count from 650 bots in early 2024 to over 1,500 compromised SOHO and IoT devices, including new vendors like Araknis, Mimosa Networks, and Ubiquiti. This growth, coupled with a more diverse device makeup, enhances its ability to evade traditional IP-based defenses and blend in with legitimate traffic for reconnaissance.