Skip to content

China-Linked JDY Botnet Expands Targeting of US Military Networks

The JDY botnet has expanded its targeting scope and reconnaissance efforts, with a strong focus on the United States. Researchers at Black Lotus Labs by Lumen have been monitoring its activity and found that JDY maintains a significant presence in the country, where many of its compromised devices are located.

JDY’s growth from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today is notable. However, it’s essential to note that JDY isn’t an exploitation framework or a DDoS botnet requiring large swarms to accumulate firepower but instead a distributed scanning and fingerprinting network helping its operators locate targets vulnerable to newly disclosed flaws.

Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors. This targeted focus has been observed across various sectors, with the US military and associated entities as the most prominent.

CISA has previously warned about the risk Volt Typhoon operatives pose to unprotected SOHO routers, urging network device vendors to eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases. The JDY botnet is designed to conduct service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and flaw-focused reconnaissance.

Among the compromised devices are those from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys for MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. The threat actors are quick to target newly disclosed vulnerabilities, with Lumen researchers observing JDY scans targeting CVE-2026-35616 shortly after Fortinet publicly disclosed the FortiClient EMS flaw.

The operators control the botnet through hidden Tor services, which also serve as command-and-control (C2) infrastructure. The open-source reverse-shell and host-management framework Platypus is also used in some cases. The malware registers with a central ‘Dispatch Service’ and receives scanning assignments, which it executes, compresses the results, and sends them back to the C2.

The scanning module supports service fingerprinting using downloadable rule sets. The botnet client repeats the same cycle until the operator specifically orders it to stop. The TCP scanning function is one of the most technically interesting, say the researchers, explaining that when JDY has sufficient privileges, it performs much faster and stealthier raw SYN scanning.

If the malware can open a raw socket, which generally requires root or administrative privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. These custom packets use a fixed source port of 19000, increment the destination ports one at a time, and batch-process thousands of scan targets.

As JDY botnet activity increases, organizations should ensure routers, firewalls, and IoT devices are running the latest security updates and patches to prevent them from being recruited into reconnaissance networks. Defenders should also reduce their external attack surface by disabling unnecessary internet-exposed administrative interfaces, restricting remote management access, replacing default credentials, and monitoring for unusual outbound scanning activity originating from edge devices.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *