The Resurgence of JDY: Analyzing a High-Performance Reconnaissance Botnet

Recent telemetry indicates a significant resurgence of the JDY botnet, a sophisticated and covert reconnaissance network tied to China-nexus threat activity. Once a secondary component within the broader KV-botnet ecosystem, JDY has undergone a massive evolution. It has expanded to encompass more than 1,500 compromised Small Office/Home Office (SOHO) and Internet of Things (IoT) devices, transforming into a high-performance, centrally orchestrated scanning engine designed to accelerate vulnerability discovery and operational targeting.

The growth of the JDY cluster is notable for both its sheer scale and its architectural diversity. While the network originally relied heavily on a narrow selection of Cisco router models, modern observations reveal a much broader attack surface. The botnet now leverages devices from a wide array of vendors—including Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. These compromised assets are distributed globally across Europe, Asia, and the Americas, with a heavy concentration in the United States.

This geographic and vendor dispersion is a deliberate tactical choice. By dispersing scanning traffic across thousands of legitimate residential and small enterprise IP addresses, operators can effectively bypass traditional IP-based defenses. This allows the botnet to evade geofencing, static blocklists, and reputation-based security systems by blending malicious reconnaissance into the background noise of routine internet traffic.

Top 5 manufacturers of devices comprising the JDY botnet and the number of compromised devices (Source: Lumen).

From a technical perspective, JDY is a purpose-built reconnaissance toolkit optimized for embedded Linux architectures, specifically targeting MIPS, MIPS64, and MIPSEL instruction sets. The infection chain typically begins with a lightweight dropper that probes the host’s architecture, fetches the appropriate binary payload, and launches a specialized scanner. This scanner is capable of sophisticated host fingerprinting, performing high-volume TCP, UDP, SSL, and ICMP-assisted probing. It collects banners and TLS certificates, compresses the structured results, and exfiltrates them to centralized dispatch servers.

One of the botnet’s most impressive features is its adaptive scanning engine. When the malware possesses sufficient privileges, it prefers raw-packet SYN scanning—a method that allows for rapid port discovery with minimal footprint on the target’s application-level logs. If raw sockets are unavailable, the engine gracefully falls back to threaded TCP/TLS connections, which, while more detectable, allow the botnet to capture richer application-layer data.

Network overview of the JDY botnet, a China-nexus reconnaissance network that distributes targeted scanning across residential and small enterprise IP space (Source: Lumen).

The Command-and-Control (C2) infrastructure is heavily layered and obfuscated to ensure operational longevity. Operators utilize hidden Tor services to mask upstream management, and some victim devices are managed via Platypus reverse-shell tooling. According to a report by Black Lotus Labs, this resurgence is closely linked to Chinese nation-state-backed actors, including groups such as Volt Typhoon.

Advanced Asset Discovery and Rapid Exploitation

JDY does not merely check if a port is open; it uses dynamic fingerprinting rule updates to identify specific services—such as Oracle WebLogic—through protocol signatures and banner patterns. This effectively turns the botnet into a sophisticated triage engine that feeds high-quality data directly into vulnerability exploitation pipelines.

The operational speed of JDY is particularly concerning. Black Lotus Labs observed selective surges in scanning of Fortinet equipment within mere hours of the public disclosure of CVE-2026-35616. This demonstrates a deliberate capability to identify and target vulnerable infrastructure before organizations can apply necessary patches. Furthermore, victimology patterns show a disproportionate focus on U.S. military and related networks, consistent with the strategic objectives of China-nexus Advanced Persistent Threat (APT) actors.

Snippet of the JDY malware dropper responsible for downloading and executing the malware, including the command-line arguments carrying the C2 IP and group ID (Source: Lumen).

For defenders, JDY represents the modern reality of reconnaissance. Detection is exceptionally difficult because scans originate from “trusted” residential IP spaces, and the telemetry from the infected IoT/SOHO devices themselves is often non-existent or limited.

Defensive Recommendations

To mitigate the risks posed by JDY and similar botnets, security teams should consider the following strategies:

  • Adopt Comprehensive Guidance: Follow frameworks such as the U.K. NCSC advisory on defending against China-nexus covert networks.
  • Harden the Edge: Prioritize the hardening of SOHO and IoT deployments. Ensure that consumer-grade devices are not connected to critical production segments.
  • Behavioral Monitoring: Supplement traditional IP reputation checks with behavior-based detection. Look for high-volume, low-latency scanning patterns and anomalous outbound POST requests to uncommon endpoints (e.g., /dispatch_service or /data/v2/pscan).
  • Rapid Patch Management: Given JDY’s ability to weaponize disclosures within hours, maintaining a rigorous and rapid patching cycle for internet-facing infrastructure is essential.
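A behaviour-based check of the kind the recommendations above describe, written here as an added example (not Lumen's tooling or code from the article). It assumes a constructed key=value flow log format and uses the two dispatch paths quoted above; it flags both outbound POSTs to those paths and sources that touch many distinct dst:port pairs in a short window, counting SYN-only flows separately because raw-socket SYN scanning leaves no application-level log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical key=value log format, constructed for this example (not Lumen's telemetry).
LINE_RE = re.compile(r"(\w+)=(\S+)")
SUSPICIOUS_PATHS = {"/dispatch_service", "/data/v2/pscan"}

def parse(lines):
    """Parse key=value lines into dicts; lines without ts/src are skipped."""
    records = []
    for line in lines:
        rec = dict(LINE_RE.findall(line))
        if "ts" in rec and "src" in rec:
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def find_dispatch_posts(records):
    """POSTs to the dispatch paths: a device possibly uploading compressed scan results."""
    return [(r["src"], r["dst"], r["path"]) for r in records
            if r.get("method") == "POST" and r.get("path") in SUSPICIOUS_PATHS]

def find_scan_sources(records, window_s=10, min_targets=8):
    """Flag sources touching many distinct dst:port pairs in a short window.
    SYN-only flows (flags=S, never completed) match raw-socket SYN scanning;
    completed handshakes match the TCP-connect fallback, so both count."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("proto") == "tcp" and "dport" in r:
            by_src[r["src"]].append(r)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            targets, syn_only = set(), 0
            for r in recs[i:]:
                if (r["ts"] - first["ts"]).total_seconds() > window_s:
                    break
                targets.add((r["dst"], r["dport"]))
                syn_only += r.get("flags") == "S"
            if len(targets) >= min_targets:
                hits[src] = {"targets": len(targets), "syn_only": syn_only}
                break
    return hits
# Constructed sample: one SYN scanner, one normal client, one device posting results, one bad line.
SAMPLE = [f"ts=2024-06-01T10:00:{i:02d} src=203.0.113.7 dst=192.0.2.{1 + i % 2} dport={20 + i} proto=tcp flags=S" for i in range(10)]
SAMPLE += ["ts=2024-06-01T10:00:03 src=198.51.100.20 dst=192.0.2.1 dport=443 proto=tcp flags=SA",
           "ts=2024-06-01T10:00:04 src=10.0.0.5 dst=198.51.100.9 dport=8080 proto=tcp flags=SA method=POST path=/data/v2/pscan",
           "garbage line with no fields"]
```

Thresholds (window_s, min_targets) are placeholders to tune against a baseline of normal traffic; the SYN-only count helps separate half-open scanning from busy but legitimate clients.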

The revival of the JDY botnet underscores a critical truth in modern cybersecurity: the takedown of a single cluster does not eliminate the underlying tradecraft. As long as ubiquitous embedded devices remain poorly secured, they will continue to serve as resilient, scalable vectors that drastically reduce the time between vulnerability disclosure and active exploitation.
