China-Linked JDY Botnet Grows to 1,500+ Devices for Mass Reconnaissance
Cybersecurity researchers at Lumen's Black Lotus Labs have identified a significant resurgence of JDY, a covert China-linked botnet that has expanded to over 1,500 compromised small office and home office (SOHO) routers, firewalls, and IoT devices. Originally flagged as a cluster within the larger KV-botnet in December 2023, JDY was used by Chinese state-sponsored threat actors including Volt Typhoon for broad-scale internet scanning. After the U.S. government dismantled KV-botnet in early 2024, the operators behind JDY adapted their infrastructure, with the new cluster growing from 650 bots in January 2024 to more than 1,500 compromised nodes today, the majority located in the United States and Brazil.
The botnet's device footprint has diversified considerably since its initial discovery. Where it previously relied heavily on Cisco RV320 and RV325 routers, the current population includes devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. The operators manage the network through Tor nodes that connect to both command-and-control (C2) and payload servers, directing infected devices to perform targeted scanning and service fingerprinting. A large fleet of U.S.-based SOHO and IoT devices lets them sidestep defenses such as geofencing, IP reputation scoring, and static blocklists: the reconnaissance is spread across more than a thousand ordinary residential and small-business addresses, each generating only a handful of probes. The practical consequence for defenders is that source-based controls offer little protection here. A WHOIS or ASN lookup on an address flagged in logs will typically resolve to a consumer or small-business ISP rather than a hosting provider, which is itself a hint that a co-opted device rather than a dedicated scanner is involved; the useful responses are auditing one's own externally reachable services (a port scan of the organization's public ranges) and correlating probe activity by target rather than by source.
The primary purpose of JDY is structured reconnaissance at industrial scale. The botnet continuously discovers, fingerprints, and maps exposed services globally, feeding intelligence into a larger scanning ecosystem that Chinese nation-state groups use for follow-on target identification and exploitation, particularly against infrastructure left vulnerable after public vulnerability disclosures. "By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked," Black Lotus Labs noted. Seen from any single source address, a bot's few probes are hard to tell apart from ordinary user traffic; the scan only becomes visible when activity is correlated across sources or by target. One caveat for anyone tuning detections: Tor sits on the operator side of JDY, between the operators and the C2 and payload servers. The probes that reach a target come directly from the compromised devices' own addresses, so matching inbound connections against Tor exit-node or anonymizing-proxy lists will not surface this activity.
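To make the detection point above concrete, here is an added example (written for this page; it is not code from Black Lotus Labs or from the article) that runs two detectors over a few constructed firewall log lines. The first is a classic per-source port-scan threshold, which a distributed scan evades because each bot touches only one or two ports. The second aggregates probes by destination and flags a host that is touched on many distinct ports by many unrelated sources within one window, with no single source dominating. The log format, the IP addresses (taken from the RFC 5737 documentation ranges), and the thresholds are all assumptions chosen for the illustration.

```python
"""Per-source vs. target-centric detection of distributed port scanning.

All log lines below are constructed for this example; they are not real traffic.
Log format (assumed): "<ISO-8601 UTC timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: eight distinct sources each probe one or two ports on 198.51.100.5
# within about a minute, plus unrelated, benign-looking traffic to 198.51.100.9.
SAMPLE_LOGS = """\
2024-06-01T10:00:01Z 203.0.113.10 -> 198.51.100.5:22 DENY
2024-06-01T10:00:07Z 203.0.113.44 -> 198.51.100.5:443 DENY
2024-06-01T10:00:13Z 203.0.113.78 -> 198.51.100.5:8080 DENY
2024-06-01T10:00:21Z 203.0.113.91 -> 198.51.100.5:3389 DENY
2024-06-01T10:00:33Z 203.0.113.102 -> 198.51.100.5:8443 DENY
2024-06-01T10:00:41Z 203.0.113.130 -> 198.51.100.5:2222 DENY
2024-06-01T10:00:52Z 203.0.113.155 -> 198.51.100.5:10443 DENY
2024-06-01T10:01:04Z 203.0.113.170 -> 198.51.100.5:7547 DENY
2024-06-01T10:01:10Z 203.0.113.10 -> 198.51.100.5:443 ALLOW
2024-06-01T10:02:00Z 192.0.2.7 -> 198.51.100.9:443 ALLOW
2024-06-01T10:02:05Z 192.0.2.8 -> 198.51.100.9:443 ALLOW
2024-06-01T10:02:09Z 192.0.2.9 -> 198.51.100.9:80 ALLOW
"""


def parse_logs(text):
    """Parse log lines into (timestamp, src_ip, dst_ip, dst_port) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, _action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst_ip, int(dst_port)))
    return events


def _bucket(when, window):
    """Start of the tumbling window containing `when`, as epoch seconds floored to the window size.
    Tumbling windows are simple but split a scan that straddles a boundary; a sliding window
    per destination would avoid that at the cost of more bookkeeping."""
    secs = int(when.timestamp())
    return secs - secs % int(window.total_seconds())


def per_source_scanners(events, window=timedelta(minutes=5), min_ports=5):
    """Classic detector: a source is a scanner if it probes >= min_ports distinct ports
    on a single host within one window. Distributed scanning stays under this threshold."""
    ports = defaultdict(set)  # (src, dst_ip, window_start) -> set of dst ports
    for when, src, dst_ip, dst_port in events:
        ports[(src, dst_ip, _bucket(when, window))].add(dst_port)
    return sorted({src for (src, _dst, _start), p in ports.items() if len(p) >= min_ports})


def distributed_scan_targets(events, window=timedelta(minutes=5), min_ports=5,
                             min_sources=4, max_source_share=0.5):
    """Target-centric detector: flag a destination probed on >= min_ports distinct ports by
    >= min_sources distinct sources within one window, where no single source accounts for more
    than max_source_share of the probed ports (otherwise the per-source detector already covers it).
    Returns {dst_ip: {"ports": [...], "sources": [...], "top_source_share": float}}."""
    probes = defaultdict(lambda: defaultdict(set))  # (dst_ip, window_start) -> src -> ports
    for when, src, dst_ip, dst_port in events:
        probes[(dst_ip, _bucket(when, window))][src].add(dst_port)

    findings = {}
    for (dst_ip, _start), by_src in probes.items():
        all_ports = set().union(*by_src.values())
        if len(all_ports) < min_ports or len(by_src) < min_sources:
            continue
        top_share = max(len(p) for p in by_src.values()) / len(all_ports)
        if top_share > max_source_share:
            continue
        findings[dst_ip] = {
            "ports": sorted(all_ports),
            "sources": sorted(by_src),
            "top_source_share": round(top_share, 2),
        }
    return findings


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("per-source scanners:", per_source_scanners(events))          # []
    for dst, info in distributed_scan_targets(events).items():
        print(f"{dst}: {len(info['ports'])} ports from {len(info['sources'])} sources, "
              f"largest single-source share {info['top_source_share']}")
```

On the sample data the per-source detector returns nothing, because no address touches more than two ports, while the target-centric detector flags 198.51.100.5 as probed on eight ports by eight sources. A finding from the second detector is a signal about the target's exposure, not a list of addresses to block: blocking the sources is exactly the response that distribution is designed to defeat, whereas the list of probed ports tells you what the campaign is cataloguing on your perimeter.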
The JDY expansion underscores a broader trend of Chinese APT groups weaponizing consumer-grade networking equipment for persistent access and intelligence gathering. By co-opting trusted SOHO and IoT devices, the operators maintain a resilient scanning infrastructure that is difficult to attribute and even harder to block. For organizations, the findings highlight the urgency of replacing end-of-life SOHO routers, applying firmware updates promptly, keeping device management interfaces off the internet-facing side, and segmenting IoT devices from critical networks. Defenders should also review their external attack surface regularly, since any newly exposed or unpatched service is likely to be found and catalogued quickly by automated reconnaissance campaigns like JDY.