China-Linked JDY Botnet Surges Past 1,500 Devices for Structured Reconnaissance

JDY botnet illustration

JDY is back—and bigger. Lumen’s Black Lotus Labs calls it a “resurgence and expansion.” The China‑linked covert network has grown into a centrally controlled, high‑performance scanner built from more than 1,500 compromised SOHO and IoT devices. Its mission: discover, fingerprint, and continuously map exposed services at scale.

From KV-botnet cluster to stand‑alone recon engine

JDY was first flagged in mid‑December 2023 as a cluster within the KV‑botnet. Chinese state‑sponsored groups, including Volt Typhoon, leveraged it for broad internet scanning across compromised SOHO routers, firewalls, and IoT devices.

After the U.S. government’s early‑2024 takedown of KV‑botnet, operators made behavioral changes. One KV cluster largely went offline. Black Lotus Labs assesses the botnet is likely offered to multiple hacking outfits while also conducting its own reconnaissance and targeting.

The latest reporting shows JDY has expanded to infect a broader range of devices and feed “structured reconnaissance data” into a larger scanning ecosystem for follow‑on target identification and exploitation. The cluster prioritizes targeted scanning and service fingerprinting—especially after public vulnerability disclosures—indicating industrialized reconnaissance supporting Chinese nation‑state operations.

Scale, geography, and device mix

  • Growth: ~650 bots in January 2024 to 1,500+ devices today.
  • Geography: Most nodes in the U.S. and Brazil, followed by Europe and Asia.
  • Diversity: Once dominated by Cisco RV320/RV325, JDY now spans Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys.

According to Black Lotus Labs, the large concentration of U.S.‑based SOHO/IoT devices helps JDY evade geofencing, IP reputation‑based detection, and static blocklists. Distributing reconnaissance across many IPs lowers the chance any single address gets flagged as a scanner, and compromised consumer gear blends with legitimate traffic patterns.
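A defender-side illustration of the evasion described above, added here and not taken from the Black Lotus Labs report: a classic per-source scan threshold stays silent when each bot touches only a couple of ports, while pivoting the aggregation onto the targeted host surfaces the fleet as a whole. All addresses and flows are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port

# Constructed sample: six "bot" sources (198.51.100.0/24, a documentation range)
# each touch only two ports on one target inside a 60 s window, while one
# legitimate client (192.0.2.7) repeatedly uses port 443. Nothing here is real traffic.
SAMPLE_FLOWS = [
    Flow(0, "198.51.100.1", "203.0.113.10", 22), Flow(2, "198.51.100.1", "203.0.113.10", 23),
    Flow(9, "198.51.100.2", "203.0.113.10", 80), Flow(11, "198.51.100.2", "203.0.113.10", 443),
    Flow(18, "198.51.100.3", "203.0.113.10", 8080), Flow(20, "198.51.100.3", "203.0.113.10", 8443),
    Flow(27, "198.51.100.4", "203.0.113.10", 21), Flow(29, "198.51.100.4", "203.0.113.10", 25),
    Flow(36, "198.51.100.5", "203.0.113.10", 161), Flow(38, "198.51.100.5", "203.0.113.10", 53),
    Flow(45, "198.51.100.6", "203.0.113.10", 3389), Flow(47, "198.51.100.6", "203.0.113.10", 5900),
    Flow(5, "192.0.2.7", "203.0.113.10", 443), Flow(15, "192.0.2.7", "203.0.113.10", 443),
]

def per_source_fanout(flows, min_targets=5):
    """Classic scanner rule: flag a source that probes >= min_targets distinct (dst, port) pairs.
    Each bot stays under the threshold, so a distributed scan produces no alert here."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dport))
    return {src for src, targets in seen.items() if len(targets) >= min_targets}

def distributed_fanout(flows, window=60, min_ports=10, min_sources=3):
    """Pivot on the destination instead: within each time bucket, count distinct ports
    probed on a target and how many different sources contributed. Many sources each
    adding a few ports is the signature of a fleet, not of a single client."""
    ports, sources = defaultdict(set), defaultdict(set)
    for f in flows:
        key = (f.dst, f.ts // window * window)   # bucket start time
        ports[key].add(f.dport)
        sources[key].add(f.src)
    return [
        {"dst": dst, "window_start": start, "ports": len(ports[(dst, start)]),
         "sources": len(sources[(dst, start)])}
        for (dst, start) in ports
        if len(ports[(dst, start)]) >= min_ports and len(sources[(dst, start)]) >= min_sources
    ]

if __name__ == "__main__":
    print("per-source alerts:", per_source_fanout(SAMPLE_FLOWS))   # set()
    print("per-target alerts:", distributed_fanout(SAMPLE_FLOWS))  # one hit on 203.0.113.10
```

The per-target rule is a complement to, not a replacement for, per-source thresholds; the bucket size and port count should be tuned against the organisation's own baseline of legitimate fan-in.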

Visualization of botnet infrastructure

Layered architecture and tasking model

  • Control: Tor nodes manage infected infrastructure, including both C2 and payload servers.
  • Tasking: C2 directs bots to run targeted reconnaissance and system profiling—not indiscriminate scanning.
  • Collection: Scan results flow to central servers for ongoing intelligence, advancing Chinese threat actor objectives.

Infection path and payload handling

Attack chains weaponize newly disclosed edge‑device vulnerabilities (e.g., CVE‑2026‑35616) to drop a shell script that checks for existing infection. If not present, it downloads the primary payload matched to the device architecture (mips, mips64, mipsel, or mipsel64). Once launched, the malware deletes itself from disk.

Scanning tradecraft: privilege‑aware, protocol‑flexible

The malware fingerprints the host, pulls scanning tasks from a central C2, and executes high‑volume probing across TCP, SSL, UDP, and ICMP. It captures responses—TLS certificates, metadata, and more—and reports back to a dispatch server. The objective is infrastructure reconnaissance rather than direct exploitation.

It adapts based on local privileges. With raw‑socket access (signaling root), it initiates high‑speed SYN scanning using custom TCP packets. Without raw sockets—or for web scans—it falls back to standard TCP/TLS connections and uses UDP or ICMP as needed.

What Black Lotus Labs concludes

Black Lotus Labs assesses that this reconnaissance most likely informs asset discovery, vulnerability‑targeting pipelines, and downstream exploitation or attack‑orchestration systems. In their words, JDY shows how “IoT/SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation.”

The evolution is clear: JDY has moved from a supporting component of KV‑botnet to an independent, high‑performance reconnaissance capability. Takedowns disrupt nodes. The underlying capability persists, adapts, and continues to deliver timely targeting data—often within hours of disclosure.

The SOC paradigm is shifting. Reconnaissance at scale now runs on fleets of everyday devices. Defenders need to assume they’re being mapped—continuously—and act accordingly.
