JDY Botnet: China-Linked SOHO Scanning Targets U.S. Military

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-06-11

Categories: Threat Intelligence, Nation-State Operations, IoT/SOHO Security, Critical Infrastructure

Key Takeaways

  • Lumen’s Black Lotus Labs has documented a significant resurgence and expansion of JDY, a China-linked reconnaissance botnet that has grown from approximately 650 compromised devices in January 2024 to more than 1,500 SOHO and IoT nodes as of June 2026, with U.S. military and associated networks identified as its primary targets [1].
  • JDY emerged as a cluster of the KV-botnet used by the Volt Typhoon threat group, survived the FBI’s February 2024 takedown of the parent infrastructure, and has since evolved into an independent, high-performance scanning capability believed to serve multiple China-nexus APT actors [2].
  • The botnet’s operators have demonstrated the ability to begin reconnaissance scans targeting newly disclosed critical vulnerabilities within hours of public disclosure, as observed when JDY scans spiked against Fortinet equipment following the April 2026 announcement of CVE-2026-35616 (CVSS 9.1) [1].
  • Compromised infrastructure spans seven major device vendors—Cisco, Araknis, DrayTek, Hikvision, Linksys, Ubiquiti, and Mimosa Networks—with command-and-control managed through hidden Tor services to resist takedown [3].
  • Conventional defenses based on geofencing and static IP reputation blocklists have limited efficacy against JDY’s distributed, rotating infrastructure; organizations must accelerate edge-device patching cadences and improve perimeter device visibility to reduce exposure [4].

Background

The JDY botnet’s origins trace to December 2023, when researchers at Lumen’s Black Lotus Labs first identified it as a distinct cluster within the KV-botnet [7], a covert network that the U.S. government linked to Volt Typhoon—a People’s Republic of China state-sponsored threat actor also tracked under the aliases Vanguard Panda, BRONZE SILHOUETTE, and Insidious Taurus [2][5][8]. The KV-botnet had been operational for years, tunneling Volt Typhoon’s intrusion traffic through compromised edge devices, effectively obscuring the geographic origin of attacks and blending malicious communications with legitimate network activity [2][5]. The Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI assessed that Volt Typhoon’s pattern of behavior reflected deliberate pre-positioning on U.S. critical infrastructure networks—including communications, energy, transportation, and water systems—with the likely intent to enable disruptive or destructive action in the event of a major geopolitical crisis [5].

The FBI obtained court authorization and remotely disrupted the KV-botnet’s U.S.-based nodes in early 2024, an action that effectively rendered the second KV cluster largely inoperative [2]. JDY, however, survived the takedown. Its operators adapted their infrastructure, progressively diversified the classes of devices they compromised, and over the subsequent two years built what Black Lotus Labs now characterizes as an independent, centrally controlled, high-performance scanning engine—no longer merely a Volt Typhoon relay, but a shared reconnaissance resource available to multiple China-nexus APT actors [1].

JDY’s persistence after the KV-botnet disruption is consistent with a pattern that intelligence analysts have observed across multiple Chinese cyber programs [5]: takedowns of individual operational clusters rarely eliminate the underlying tradecraft or operator teams. This trajectory suggests that disruptions can accelerate adaptation, driving adversaries toward more resilient architectures that are harder to disrupt through single legal or technical interventions. JDY’s evolution from a botnet cluster to autonomous reconnaissance infrastructure is a concrete illustration of that dynamic.

Security Analysis

Botnet Scale, Device Diversity, and Geographic Distribution

The scope of JDY’s infrastructure has grown substantially since its initial identification. Black Lotus Labs measured approximately 650 active bots in January 2024; by June 2026 that figure had surpassed 1,500 compromised SOHO and IoT devices [1]. The geographic distribution of infected nodes tilts heavily toward the United States and Brazil, with additional presence across Europe and Asia [3]. This distribution is consistent with analysts’ assessment that operators deliberately seed botnet nodes in geographically plausible locations to evade geofencing controls [3], though Brazil’s large footprint of vulnerable SOHO devices may also reflect opportunistic compromise rather than deliberate geographic seeding.

The range of affected vendors has broadened considerably from the botnet’s early focus on Cisco RV320 and RV325 routers. Current compromised infrastructure includes devices from Araknis Networks, DrayTek, Hikvision, Linksys, Ubiquiti, and Mimosa Networks, in addition to Cisco hardware, which still accounts for the largest share of infected nodes at roughly 500 devices [1]. All affected device architectures run MIPS, MIPS64, or MIPSEL firmware—processor families common in consumer-grade and small-business networking equipment—reflecting a deliberate focus on the edge-device class that tends to receive infrequent firmware updates and limited enterprise-grade monitoring [1].

This vendor diversity represents a hardening of the botnet against any single-vendor remediation response. A coordinated firmware update or advisory from one manufacturer affects only a fraction of the total fleet, while the operators can continue reconnaissance uninterrupted through the remaining nodes.

Reconnaissance Architecture and Capabilities

Based on current analysis, JDY’s documented operational role is intelligence collection; it does not appear to directly exploit targets, steal credentials, or deploy destructive payloads. Instead, it functions as a distributed sensing layer: receiving scan tasks from centrally managed command-and-control infrastructure, executing high-volume multi-protocol probing across internet-facing services, and returning structured results to operators who then share the intelligence with China-nexus intrusion teams for follow-on action [1][2].

The malware’s scanning engine supports TCP, UDP, SSL, and ICMP-assisted probing, and when operating with root privileges on a compromised device it performs high-speed SYN scanning using custom-crafted TCP packets with a fixed source port of 19000—a behavioral signature that defenders can use for detection [1]. Special ICMP probes use identifier 19037 and sequence 35765, additional indicators that can be surfaced through network traffic analysis. Beyond basic port scanning, JDY performs service banner grabbing, TLS certificate collection, domain resolution, HTTP redirect tracking, and protocol fingerprinting using a library of matching rules that define transport type, port, request-response patterns, and regex-based banner parsing for each service of interest [1].

The result is not a simple port-scan inventory. JDY builds detailed service maps that include cryptographic metadata (TLS versions, cipher suites, certificate subjects and expiration dates), application-layer fingerprints, and protocol-level behavioral signatures. This level of detail provides operational intrusion teams with the service-level intelligence typically needed to identify high-value targets before committing exploitation resources.

Command-and-Control Infrastructure

The operators have designed JDY’s command-and-control architecture for resilience. C2 communications are routed through hidden Tor services, making passive network-based attribution difficult and disruption through IP blocking ineffective [1][3]. The malware beacons to a primary C2 endpoint at the path /dispatch_service/v2/probe_status, receives scan tasking via /dispatch_service/v2/probe_task/, and reports collected reconnaissance data via /data/v2/pscan using HTTP POST [1]. All communications are encrypted with AES using a hardcoded key. For host management, the operators deploy Platypus, an open-source reverse-shell framework that provides persistent access to compromised devices and allows operators to update the malware, modify scanning targets, or pivot to additional activity [1]. Payload delivery has been observed from the IP address 149.248.3[.]38 on port 13339 [1].

This layered architecture—compromised edge devices as scanning nodes, Tor for C2, and open-source tooling for host management—is consistent with the operational security practices of well-resourced threat actors. The use of open-source tools like Platypus also complicates attribution, since these tools are available to a wide range of threat actors and are not exclusively associated with nation-state activity.

CVE-Speed Targeting: The FortiClient EMS Case

Among the most operationally significant behaviors documented by Black Lotus Labs is JDY’s rapid response to newly disclosed vulnerabilities. On April 4, 2026, Fortinet publicly disclosed CVE-2026-35616, an improper access control vulnerability in FortiClient EMS carrying a CVSS score of 9.1 that allows unauthenticated remote code execution on affected deployments [1][6]. Within hours of that disclosure, Black Lotus Labs observed a measurable spike in JDY scanning activity targeting Fortinet equipment—a pattern consistent with operators monitoring public vulnerability feeds and immediately tasking the botnet to identify exposed instances before patches can be widely deployed [1].

This behavior compresses the effective vulnerability window for organizations that rely on standard SLA-driven patch management timelines. Enterprise patching programs are commonly designed around cycles measured in days to weeks for critical vulnerabilities; JDY’s reconnaissance capability means that exposed Fortinet deployments may be enumerated and flagged for exploitation within the same business day as public disclosure [4]. The Fortinet case suggests this capability may extend to other internet-facing appliances when high-severity vulnerabilities are disclosed, and organizations should treat CVE-speed reconnaissance as a plausible risk across their edge-device fleet. Black Lotus Labs assesses that JDY’s scan results are shared with China-nexus intrusion teams [1], who can then prioritize exploitation based on confirmed-vulnerable target data.

U.S. Military Targeting Focus

Black Lotus Labs noted that among the IP ranges JDY scanned, the most prominent targets were associated with U.S. military and associated entities—a deliberate focus rather than incidental coverage from broad internet-wide scanning [1][2]. This selective targeting is consistent with Volt Typhoon’s documented mission of pre-positioning within defense-adjacent infrastructure and with broader Chinese strategic intelligence priorities. Rather than conducting noisy internet-wide sweeps that might attract attention through volume, JDY operators appear to direct the botnet toward specific high-value target sets, using the botnet’s distributed, slow-burn scanning approach to remain below typical anomaly-detection thresholds.

The military targeting dimension elevates JDY beyond a general-purpose threat. Organizations in the defense industrial base, defense contractors, logistics providers with military contracts, and telecommunications carriers serving military installations should treat this development with particular urgency. CISA’s February 2024 advisory on Volt Typhoon assessed that the group had maintained persistent access to some victim IT environments for at least five years, suggesting that reconnaissance intelligence gathered by JDY today may support intrusion campaigns with multi-year time horizons [5].

Recommendations

Immediate Actions

Organizations operating edge devices—routers, firewalls, VPN concentrators, IP cameras, and wireless access points—should treat patching of these devices as a first-class priority, not an afterthought behind endpoint and server workloads. Any device from the vendors identified in JDY’s compromised fleet (Cisco, Araknis, DrayTek, Hikvision, Linksys, Ubiquiti, Mimosa Networks) that is internet-facing should be audited for firmware currency immediately. Administrative interfaces should be disabled from public internet access unless operationally essential; where remote management is required, access should be restricted to specific management IP ranges through access control lists. Default credentials must be replaced on all edge devices without exception, as default-credential exploitation is commonly cited as a leading initial access vector for SOHO device compromise.

Security teams should add detection rules for the behavioral signatures documented by Black Lotus Labs: anomalous TCP traffic originating from port 19000, ICMP probes with identifier 19037 and sequence 35765, and unusual outbound connections to Tor exit nodes from edge-device IP ranges. While blocking these indicators individually will not neutralize a distributed botnet, surfacing them enables investigation of potentially compromised infrastructure.
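The two wire-level signatures described above (custom SYN packets with fixed source port 19000, and ICMP probes with identifier 19037 and sequence 35765) can be turned into a small detection routine; the following is an added example, not code from the report or from Black Lotus Labs. It reads a constructed packet log in an assumed seven-field layout and requires a minimum number of distinct targets before raising the SYN-scan alert, because ordinary clients will occasionally pick 19000 as an ephemeral source port.

```python
"""Detection sketch for the JDY scanning signatures described in the text.

Input: one constructed record per line in an assumed layout
    <ts> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <extra>
where <extra> holds the TCP flags for tcp records ("S" = SYN only) or
"id=<n>,seq=<n>" for icmp echo records.  The layout is an assumption.
"""
from collections import defaultdict

JDY_TCP_SRC_PORT = 19000   # fixed source port on JDY SYN-scan packets (per report)
JDY_ICMP_ID = 19037        # ICMP identifier used by JDY probes (per report)
JDY_ICMP_SEQ = 35765       # ICMP sequence used by JDY probes (per report)
MIN_DISTINCT_TARGETS = 5   # assumed threshold to suppress ephemeral-port noise


def parse_record(line):
    ts, proto, src, sport, dst, dport, extra = line.split()
    return {"ts": float(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "extra": extra}


def icmp_fields(extra):
    # "id=19037,seq=35765" -> (19037, 35765)
    fields = dict(kv.split("=") for kv in extra.split(","))
    return int(fields["id"]), int(fields["seq"])


def detect_jdy(lines, min_targets=MIN_DISTINCT_TARGETS):
    """Return a list of alert dicts for the JDY signatures found in `lines`."""
    alerts = []
    syn_targets = defaultdict(set)  # src -> distinct (dst, dport) hit from sport 19000
    for line in lines:
        r = parse_record(line)
        if r["proto"] == "tcp" and r["sport"] == JDY_TCP_SRC_PORT and r["extra"] == "S":
            syn_targets[r["src"]].add((r["dst"], r["dport"]))
        elif r["proto"] == "icmp":
            ident, seq = icmp_fields(r["extra"])
            if ident == JDY_ICMP_ID and seq == JDY_ICMP_SEQ:
                alerts.append({"rule": "jdy_icmp_probe", "src": r["src"], "dst": r["dst"]})
    # A single SYN from port 19000 is weak evidence; fan-out across targets is not.
    for src, targets in syn_targets.items():
        if len(targets) >= min_targets:
            alerts.append({"rule": "jdy_syn_scan_sport_19000", "src": src,
                           "targets": len(targets)})
    return alerts


# Constructed sample traffic: 198.51.100.7 behaves like a JDY node,
# 192.0.2.10 is a benign client that happened to use source port 19000 once.
SAMPLE_LOG = [
    "1.0 tcp 198.51.100.7 19000 203.0.113.10 22 S",
    "1.1 tcp 198.51.100.7 19000 203.0.113.11 443 S",
    "1.2 tcp 198.51.100.7 19000 203.0.113.12 8443 S",
    "1.3 tcp 198.51.100.7 19000 203.0.113.13 10443 S",
    "1.4 tcp 198.51.100.7 19000 203.0.113.14 443 S",
    "1.5 tcp 198.51.100.7 19000 203.0.113.15 22 S",
    "1.6 icmp 198.51.100.7 0 203.0.113.20 0 id=19037,seq=35765",
    "2.0 tcp 192.0.2.10 19000 203.0.113.30 443 S",
    "2.1 tcp 192.0.2.10 19000 203.0.113.30 443 SA",
    "2.2 icmp 192.0.2.10 0 203.0.113.31 0 id=1,seq=1",
]

if __name__ == "__main__":
    for alert in detect_jdy(SAMPLE_LOG):
        print(alert)
```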

Short-Term Mitigations

The CVE-speed scanning behavior JDY exhibited following CVE-2026-35616’s disclosure demands that organizations develop pre-approved emergency patching playbooks for internet-facing network appliances. Standard change-management processes that require multi-day approval cycles are structurally inadequate when reconnaissance against newly disclosed vulnerabilities begins within hours. Security and operations teams should establish pre-authorized patch-fast procedures for critical CVSS 9.0+ vulnerabilities in network appliances, allowing patching to begin within hours of vendor disclosure rather than within days.

Network segmentation should be evaluated and hardened to limit what a compromised SOHO or IoT device can access beyond its intended function. Devices that serve only a routing or bridging role should not have direct connectivity to sensitive internal segments. Organizations should also review what outbound scanning or connection activity their edge devices generate; legitimate routers and access points do not need to initiate large-scale outbound TCP scanning, and this behavioral baseline can be enforced through egress filtering.

Geofencing and IP reputation-based controls, while not sufficient as standalone defenses, retain value as components of a layered security posture when combined with behavioral anomaly detection. IDC’s Sakshi Grover, as quoted in CSO Online [4], notes that these controls fail in isolation precisely because botnets like JDY distribute their scanning activity across residential and small-business IP ranges that static blocklists do not cover. Implementing reputation controls alongside behavioral monitoring—rather than relying on either alone—improves detection coverage without creating a false sense of protection.

Strategic Considerations

JDY’s evolution from a KV-botnet cluster to an independent reconnaissance service shared across multiple APT actors reflects a trend toward Chinese cyber capability specialization. Strategic defenders should anticipate that reconnaissance intelligence gathered today supports exploitation campaigns with timelines measured in months to years, not days. This argues for treating edge-device security posture as a persistent strategic investment rather than a reactive response to individual incidents.

CSA’s Zero Trust principles, applied specifically to IoT and edge devices, offer a structured framework for reducing attack surface. Devices should operate under least-privilege network policies, with identity-based controls governing what services they can initiate connections to. Continuous monitoring of device behavior—firmware version, network traffic patterns, connection destinations—should be integrated into security operations workflows, not treated as out-of-scope for teams focused on traditional endpoints and cloud workloads. Organizations in the defense industrial base should additionally consult DoD cybersecurity guidance and CISA’s Shields Up advisories for sector-specific hardening requirements.

CSA Resource Alignment

This incident directly engages several areas of CSA research and guidance. CSA’s Zero Trust Guidance for IoT [9] provides an applicable five-step methodology for extending Zero Trust principles to edge and IoT devices—precisely the class of infrastructure JDY exploits. The framework’s emphasis on device categorization, transaction flow mapping, and continuous monitoring addresses the visibility gaps that allow botnets to persist undetected within compromised SOHO equipment. Organizations should treat internet-facing network appliances as untrusted devices by default and enforce identity-based access controls on what services those devices can reach.

CSA’s IoT Security Controls Framework v3 [10] offers 237 IoT-specific security controls organized by domain, including device authentication, firmware integrity, network segmentation, and monitoring requirements. The control categories covering secure device onboarding, firmware update management, and network access control are particularly relevant to reducing the initial-access vectors JDY operators exploit when compromising SOHO routers and cameras.

The Cloud Controls Matrix (CCM) and the AI Controls Matrix (AICM) both address supply chain security and infrastructure integrity requirements that apply to the edge-device layer. As AI-enhanced reconnaissance capabilities become more common within nation-state programs—potentially enabling automated target prioritization and adaptive scanning strategies—the AICM’s threat modeling categories for agentic AI systems will become increasingly relevant to understanding how these reconnaissance platforms evolve.

CSA’s STAR (Security Trust Assurance and Risk) program provides a registry mechanism through which vendors and service providers can document their security posture. Organizations procuring SOHO or IoT devices should prioritize vendors who have achieved STAR certification and who demonstrate documented firmware security programs, including defined end-of-life policies and timely vulnerability patching commitments.

References

[1] Lumen Black Lotus Labs. “Expanded JDY IoT and SOHO Botnet Enables Rapid Vulnerability Exploitation.” Lumen Technologies, June 2026.

[2] Ionut Arghire. “China-linked JDY Botnet Expands Targeting of U.S. Military Networks.” BleepingComputer, June 2026.

[3] Ravie Lakshmanan. “China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance.” The Hacker News, June 10, 2026.

[4] Prasanth Aby Thomas. “China-Linked Recon Botnet Outpaces Enterprise Defenses.” CSO Online, June 2026.

[5] CISA, NSA, FBI. “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.” CISA Advisory AA24-038A, February 7, 2024.

[6] watchTowr. “Fortinet FortiClient EMS Zero-Day: CVE-2026-35616 (Active Exploitation Underway).” watchTowr, April 2026.

[7] Lumen Black Lotus Labs. “Routers Roasting on an Open Firewall: The KV-Botnet Investigation.” Lumen Technologies, December 2023.

[8] MITRE ATT&CK. “Volt Typhoon (Group G1017).” MITRE ATT&CK, accessed June 2026.

[9] CSA. “Zero Trust Guidance for IoT.” Cloud Security Alliance, accessed June 2026.

[10] CSA. “IoT Security Controls Framework v3.” Cloud Security Alliance, accessed June 2026.
