China-Linked JDY Botnet Expands to 1,500+ Devices, Enabling Large-Scale Cyber Reconnaissance

Cybersecurity experts have uncovered a significant expansion of the JDY botnet, a covert network believed to be associated with China-linked state-sponsored threat actors. According to recent findings, the botnet now consists of more than 1,500 compromised small office/home office (SOHO) and Internet of Things (IoT) devices, making it a powerful reconnaissance platform capable of scanning and mapping internet-facing systems on a large scale.

JDY Evolves Beyond the KV-Botnet

The JDY botnet was initially identified in late 2023 as a component of the notorious KV-botnet, a network previously linked to Chinese cyber-espionage operations. Security researchers observed that the botnet was primarily used for large-scale internet scanning and reconnaissance activities, helping threat actors identify vulnerable systems for future attacks.

Following the disruption of KV-botnet by U.S. authorities in early 2024, operators behind JDY adapted their tactics and transformed the infrastructure into a standalone reconnaissance network. Researchers believe the platform may be shared among multiple Chinese cyber groups while also supporting independent intelligence-gathering operations.

Botnet Growth Signals Industrial-Scale Reconnaissance

Recent analysis reveals that JDY has more than doubled in size, growing from approximately 650 compromised devices in early 2024 to over 1,500 active nodes today.

Unlike its earlier version, which largely relied on Cisco routers, the current botnet includes a diverse range of devices from manufacturers such as:

  • Araknis Networks
  • Mimosa Networks
  • Ubiquiti
  • DrayTek
  • Hikvision
  • Linksys

Most infected devices are located in the United States and Brazil, with additional compromised systems spread across Europe and Asia.

How JDY Operates

Researchers describe JDY as a highly organized and centrally controlled scanning network. Rather than launching indiscriminate attacks, the botnet focuses on targeted reconnaissance and service fingerprinting.

The malware collects detailed information about exposed services, including:

  • Open ports
  • TLS certificates
  • Network metadata
  • Service configurations
  • Infrastructure fingerprints

This intelligence is then transmitted to centralized servers, enabling operators to continuously map vulnerable systems and identify potential targets for future exploitation.

Leveraging Newly Disclosed Vulnerabilities

Attackers behind JDY are actively exploiting newly disclosed vulnerabilities in internet-facing devices. Once a vulnerable system is identified, a shell script is deployed to verify whether the malware is already present.

If the system is not infected, the malware downloads a payload tailored to the device’s processor architecture, including:

  • MIPS
  • MIPS64
  • MIPSEL
  • MIPSEL64

To reduce the likelihood of detection, the malware removes itself from disk after execution while continuing to operate in memory.
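One way to check a Linux host for the behaviour just described (a process that keeps running after its executable has been unlinked) is to read each `/proc/<pid>/exe` link, which the kernel suffixes with ` (deleted)` once the backing file is gone; an executable backed by an anonymous `memfd` shows up the same way with a `/memfd:` prefix. The Python below is an added example, not code from the article or from the malware: `classify_exe_target`, `scan_proc`, `build_fake_proc` and `demo` are names chosen here, and the fake tree is constructed sample data so the example runs offline. `scan_proc()` can be pointed at the real `/proc` on a host you administer.

```python
"""Find running processes whose on-disk executable has been unlinked, the
'delete after execution, keep running in memory' behaviour described above.
Added example; not code from the article or from the malware."""
import os
import re
import tempfile

# readlink(/proc/<pid>/exe) carries this suffix once the file is unlinked
_DELETED = re.compile(r"^(?P<path>.*) \(deleted\)$")


def classify_exe_target(target):
    """Return 'deleted', 'memfd' (anonymous in-memory file) or 'on_disk'
    for a resolved /proc/<pid>/exe link target."""
    m = _DELETED.match(target)
    if m is None:
        return "on_disk"
    return "memfd" if m.group("path").startswith("/memfd:") else "deleted"


def scan_proc(proc_root="/proc"):
    """Walk proc_root and report every PID whose exe link does not point at
    an ordinary on-disk file. Unreadable entries (other users' processes,
    kernel threads) are skipped rather than treated as suspicious."""
    findings = []
    entries = sorted(os.listdir(proc_root),
                     key=lambda e: int(e) if e.isdigit() else -1)
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        kind = classify_exe_target(target)
        if kind != "on_disk":
            findings.append((int(entry), kind, target))
    return findings


def build_fake_proc(root):
    """Constructed sample tree imitating /proc: one healthy process, one
    whose binary was unlinked, one backed by an anonymous memfd, plus a
    non-PID directory that must be ignored. Paths are made up."""
    sample = {
        "1": "/sbin/init",
        "4242": "/tmp/.s (deleted)",
        "4300": "/memfd:payload (deleted)",
    }
    for pid, target in sample.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "sys"))
    return root


def demo():
    """Run the scanner against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_proc(build_fake_proc(tmp))


if __name__ == "__main__":
    for pid, kind, target in demo():
        print(f"pid {pid}: {kind}: {target}")
```

The same marker is visible without Python, which matters on SOHO devices that ship only a BusyBox shell: `ls -l /proc/[0-9]*/exe` prints the link targets, including the ` (deleted)` suffix. Treat a hit as a triage signal rather than proof of infection, since a package upgrade that replaces a running daemon's binary leaves exactly the same trace; the next step is to compare the process's memory image or `/proc/<pid>/cmdline` against what the device is expected to run.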

Advanced Scanning Capabilities

One of JDY’s most notable features is its ability to adapt based on system privileges.

When the malware gains root-level access, it performs high-speed SYN scanning using custom TCP packets, allowing for rapid reconnaissance of large numbers of targets.

If elevated privileges are unavailable, the malware switches to standard TCP and TLS connections while also utilizing protocols such as:

  • UDP
  • ICMP

This flexibility enables the botnet to efficiently gather intelligence across a wide variety of network environments.

Why the Botnet Is Difficult to Detect

A significant portion of JDY’s infrastructure relies on compromised SOHO routers and IoT devices located in residential and small-business environments. This approach provides several advantages:

  • Traffic appears similar to legitimate user activity.
  • IP reputation systems become less effective.
  • Geofencing restrictions can be bypassed.
  • Static blocklists struggle to identify malicious activity.

By spreading reconnaissance operations across hundreds of seemingly harmless devices, the operators reduce the risk of detection and disruption.
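The list above explains why per-source signals fail against reconnaissance that is spread across many residential addresses. The following Python is an added example, not code from the article or from the researchers it cites: on constructed flow records it shows that a conventional per-source SYN threshold finds nothing, while aggregating SYN-only probes by destination port and time window, then counting distinct sources and the /16 prefixes they span, surfaces the distributed scan. The `Flow` layout, the thresholds, and the addresses (CGNAT and documentation ranges) are assumptions made for the demonstration.

```python
"""Detect low-and-slow reconnaissance spread across many source addresses.
Added example; the flow format, thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    completed: bool  # True if the TCP handshake completed (a real session)


BASE = 1_700_000_400  # constructed start time, aligned to a 600 s window


def make_sample_flows():
    """Constructed sample: 40 distinct sources, one per /16 to imitate
    residential spread, each send a single SYN to 5 ports on one /24.
    Two ordinary clients complete 30 HTTPS sessions each for contrast."""
    flows = []
    probed_ports = (22, 443, 8080, 8443, 10443)
    for i in range(40):
        src = f"100.{64 + i}.3.9"
        for k, port in enumerate(probed_ports):
            flows.append(Flow(BASE + i * 9 + k, src, f"192.0.2.{10 + k}", port, False))
    for src in ("192.0.2.200", "192.0.2.201"):
        for n in range(30):
            flows.append(Flow(BASE + n * 7, src, "192.0.2.10", 443, True))
    return flows


def per_source_alerts(flows, threshold=20):
    """Classic approach: alert on any single source with many SYN-only
    flows. Misses a scan when every node only sends a handful of probes."""
    counts = defaultdict(int)
    for f in flows:
        if not f.completed:
            counts[f.src] += 1
    return {src for src, c in counts.items() if c > threshold}


def distributed_scan_alerts(flows, window=600, min_sources=25, max_per_source=10):
    """Aggregate by destination port inside a time window instead of by
    source. Flag a port when many distinct sources each send only a few
    SYN-only probes, and report how many /16 prefixes those sources span."""
    buckets = defaultdict(lambda: defaultdict(int))  # (window, dport) -> src -> n
    for f in flows:
        if f.completed:
            continue
        buckets[(f.ts // window, f.dport)][f.src] += 1

    alerts = []
    for (bucket, dport), sources in buckets.items():
        low_volume = [s for s, c in sources.items() if c <= max_per_source]
        if len(low_volume) >= min_sources:
            prefixes = {ip_network(f"{s}/16", strict=False) for s in low_volume}
            alerts.append({"window_start": bucket * window, "dport": dport,
                           "sources": len(low_volume), "prefixes": len(prefixes)})
    return sorted(alerts, key=lambda a: (a["window_start"], a["dport"]))


if __name__ == "__main__":
    sample = make_sample_flows()
    print("per-source alerts:", per_source_alerts(sample))
    for a in distributed_scan_alerts(sample):
        print(a)
```

The prefix count is the part worth keeping when adapting this to real flow or firewall logs: a scan from a single hosting range collapses to one or two /16s and is easy to block, whereas dozens of prefixes with one probe each is the signature of a botnet built from residential devices, and the useful response is to rate-limit or alert on the target surface rather than to chase individual source addresses.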

Tor-Based Infrastructure Enhances Stealth

The botnet’s architecture also incorporates Tor-based infrastructure to conceal its command-and-control (C2) operations. Tor nodes are used to manage infected devices, distribute tasks, and host payload servers.

This layered design helps operators maintain anonymity while coordinating large-scale reconnaissance campaigns against internet-facing targets.

Growing Threat to Global Organizations

Security researchers believe JDY serves as a critical component within a broader cyber-espionage ecosystem. The network appears focused on rapidly identifying vulnerable systems immediately after new security flaws are publicly disclosed.

By providing near real-time intelligence on exposed infrastructure, JDY enables threat actors to accelerate vulnerability exploitation and improve attack planning.

Final Thoughts

The continued growth of the JDY botnet highlights how modern cyber threat groups are building resilient reconnaissance networks that can survive law enforcement disruptions and infrastructure takedowns. Its evolution from a supporting element of KV-botnet into an independent intelligence-gathering platform demonstrates the increasing sophistication of state-backed cyber operations.

As organizations continue to deploy internet-connected devices, maintaining timely patch management, network monitoring, and asset visibility remains essential to reducing exposure to reconnaissance-driven attacks.