China-linked JDY botnet grows to more than 1,500 devices, researchers say

A China-linked JDY botnet has expanded to more than 1,500 compromised SOHO and IoT devices and is being used for large-scale reconnaissance, according to a technical analysis by Lumen’s Black Lotus Labs.

KEY FACTS

  • Botnet size: The JDY cluster grew from about 650 bots in early January 2024 to more than 1,500 devices.
  • Device mix: Infected systems now include equipment from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision and Linksys.
  • Geography: Most compromised nodes are in the United States and Brazil, with others in Europe and Asia.
  • Purpose: The malware is built to fingerprint hosts, run scans and report results for follow-on targeting.

Researchers said the network has changed since it was first identified in December 2023 as part of the KV-botnet cluster. After the U.S. government disrupted KV-botnet in early 2024, the operators restructured their infrastructure, and the second KV cluster mostly went offline while the JDY cluster kept growing.

The report said the current JDY operation uses Tor nodes to manage command-and-control and payload servers. Infected devices receive scanning tasks that focus on exposed services and newly disclosed weaknesses, and results are sent back to central servers for continued intelligence gathering.

Attack chains described in the report can use newly disclosed edge-device flaws, including CVE-2026-35616, to deliver a shell script dropper that checks whether the malware is already present. If not, it downloads the correct payload for the device architecture, then deletes itself from disk after launch.
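A payload that unlinks itself after launch leaves a well-known trace on Linux: the process keeps running, but the kernel's /proc/PID/exe link (or, for a script still held open by an interpreter, an entry under /proc/PID/fd) now ends in " (deleted)". The following hunt check is an added example written for this article; it is not code from the Lumen report or from the malware. It assumes a Linux host with a standard procfs, and the fake /proc tree it builds (PIDs 4242 to 4244, process names and paths) is constructed test data, not an observed infection.

```python
import os
import tempfile


def _readlink(path):
    """Read a symlink target, returning None for anything we cannot read."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def find_deleted_executables(proc_root="/proc"):
    """Scan a procfs tree for processes whose main executable, or a file they
    still hold open, has been unlinked from disk since the process started.

    Returns a list of (pid, comm, where, target) tuples, where `where` is
    "exe" for the main binary or "fd:N" for an open descriptor.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:                  # process exited or not readable
            continue
        exe = _readlink(os.path.join(base, "exe"))
        if exe and exe.endswith(" (deleted)"):
            hits.append((int(entry), comm, "exe", exe))
        fd_dir = os.path.join(base, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # need ptrace access for other users' fds
            fds = []
        for fd in fds:
            target = _readlink(os.path.join(fd_dir, fd))
            if target and target.endswith(" (deleted)"):
                hits.append((int(entry), comm, "fd:" + fd, target))
    return hits


def build_fixture(root):
    """Construct a fake /proc tree (test data, not a real system): one process
    whose binary was unlinked, one shell still holding a deleted dropper script
    open on fd 3, and one clean daemon. PIDs and paths are made up."""
    def make(pid, comm, exe_target, fd_targets):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        os.symlink(exe_target, os.path.join(d, "exe"))
        for n, t in enumerate(fd_targets):
            os.symlink(t, os.path.join(d, "fd", str(n)))
    make(4242, "jdy", "/tmp/.x/jdy (deleted)", ["/dev/null", "socket:[12345]"])
    make(4243, "sh", "/usr/bin/dash",
         ["/dev/null", "/dev/null", "/dev/null", "/tmp/dl.sh (deleted)"])
    make(4244, "sshd", "/usr/sbin/sshd", ["/dev/null", "socket:[999]"])


def run_demo():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return find_deleted_executables(root)


if __name__ == "__main__":
    # Scan the real host when run directly (needs root to see other users' fds).
    for pid, comm, where, target in find_deleted_executables():
        print(f"pid={pid} comm={comm} {where} -> {target}")
```

Run it as root for full coverage, since /proc/PID/exe and /proc/PID/fd of other users' processes are only readable with ptrace access. Triage the hits rather than treating each as an infection: a binary replaced by a package upgrade while still running shows the same " (deleted)" suffix, and browsers routinely hold unlinked files under /dev/shm. A deleted executable in /tmp, /var/tmp or a hidden directory, or a memfd-backed target such as "/memfd:... (deleted)", is the pattern worth pulling the binary out of /proc/PID/exe for.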

The malware adapts its scanning method to the privileges it obtains on the device. With raw-socket access, which on Linux normally requires root or the CAP_NET_RAW capability, it can carry out fast half-open SYN scans that never complete the TCP handshake. Without it, the malware falls back to ordinary TCP and TLS connections, which any unprivileged process can open, or uses UDP and ICMP probes.
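The privilege check that drives this fallback is simple to demonstrate: try to open a raw socket, SYN-scan if that succeeds, and otherwise complete full TCP connects. The scanner below is an added example written for this article, not code from the Lumen report or from the malware, and it shows the same decision the paragraph describes. It assumes Linux (raw socket semantics and the 61000 to 65000 source-port choice, which sits above the default ephemeral range so the scanner's own SYNs are not mistaken for replies on loopback), and it only ever targets a listener it creates itself on 127.0.0.1.

```python
import random
import socket
import struct
import time


def raw_sockets_available():
    """True if this process may open a raw TCP socket (root or CAP_NET_RAW)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:                      # PermissionError on an unprivileged host
        return False
    s.close()
    return True


def _checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq):
    """Build a 20-byte TCP header with only the SYN flag set; the kernel adds IP."""
    offset_flags = (5 << 12) | 0x02      # data offset 5 words, flags = SYN
    hdr = struct.pack("!HHLLHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(hdr))
    return struct.pack("!HHLLHHHH", sport, dport, seq, 0, offset_flags, 65535,
                       _checksum(pseudo + hdr), 0)


def syn_scan(host, ports, timeout=1.0):
    """Half-open scan: send SYNs from a raw socket, classify by SYN/ACK vs RST."""
    dst = socket.gethostbyname(host)
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.connect((dst, 9))              # no packet is sent; just learns our source IP
    src = probe.getsockname()[0]
    probe.close()
    raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    raw.settimeout(timeout)
    sport = random.randint(61000, 65000)
    pending = {}
    for p in ports:
        seq = random.randint(0, 0xFFFFFFFF)
        raw.sendto(build_syn(src, dst, sport, p, seq), (dst, 0))
        pending[p] = seq
    is_open, closed = set(), set()
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        try:
            pkt = raw.recv(65535)        # raw recv returns the full IPv4 packet
        except socket.timeout:
            break
        ihl = (pkt[0] & 0x0F) * 4
        tcp = pkt[ihl:ihl + 20]
        if len(tcp) < 20:
            continue
        rsport, rdport, _, _, off_flags = struct.unpack("!HHLLH", tcp[:14])
        if rdport != sport or rsport not in pending:
            continue                     # not a reply to one of our probes
        flags = off_flags & 0x3F
        if flags & 0x12 == 0x12:         # SYN+ACK: port open (our kernel sends the RST)
            is_open.add(rsport)
        elif flags & 0x04:               # RST: port closed
            closed.add(rsport)
        del pending[rsport]
    raw.close()
    return {p: "open" if p in is_open else "closed" if p in closed else "filtered"
            for p in ports}


def connect_scan(host, ports, timeout=1.0):
    """Unprivileged fallback: full TCP handshakes, one per port."""
    results = {}
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))
            results[p] = "open"
        except ConnectionRefusedError:
            results[p] = "closed"
        except OSError:                  # timeout or unreachable
            results[p] = "filtered"
        finally:
            s.close()
    return results


def scan(host, ports, timeout=1.0):
    """Pick the scan mode from available privileges, as the article describes."""
    if raw_sockets_available():
        return "syn", syn_scan(host, ports, timeout)
    return "connect", connect_scan(host, ports, timeout)


def demo_against_local_listener():
    """Bind a throwaway listener on 127.0.0.1, then scan it and a closed port."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)
    open_port = lst.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]   # bound then released, so it answers RST
    tmp.close()
    try:
        mode, results = scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        lst.close()
    return mode, results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo_against_local_listener())
```

The difference matters for detection as much as for speed: a SYN scan leaves only a SYN, a SYN/ACK or RST, and a RST on the wire, so the target application never sees a connection, while the connect fallback completes the handshake and will show up in application logs and in flow records as established sessions. A router malware sample running as root on the device will typically take the SYN path.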

WHY IT MATTERS

The findings show how compromised routers and IoT devices can be used for persistent reconnaissance even after disruption attempts. That can give attackers a steady stream of targeting data soon after vulnerabilities are disclosed.