More than 1,500 small office/home office (SOHO) and IoT devices now form a covert reconnaissance network that feeds “structured reconnaissance data” to Chinese nation-state actors, according to Lumen’s Black Lotus Labs.
Lumen’s Black Lotus Labs on JDY: resurgence, scope, and purpose
Black Lotus Labs described JDY as a “resurgence and expansion” of a covert scanning network that now “operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale.” The firm warned the cluster conducts targeted scanning and service fingerprinting “with an aim to flag vulnerable infrastructure following public disclosures,” a pattern Black Lotus Labs characterizes as an industrialized reconnaissance effort whose results are “leveraged by Chinese nation-state groups.”
From KV-botnet cluster to an independent reconnaissance capability
Researchers first identified JDY in mid-December 2023 as one cluster inside a broader botnet codenamed KV-botnet. At that time the cluster primarily used compromised SOHO routers, firewalls and IoT devices to perform broad internet scanning. After the U.S. government took down the KV-botnet in early 2024, the two clusters diverged: the other cluster, KV, largely went offline while JDY retooled. Black Lotus Labs notes JDY evolved from “a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability.”
Architecture and exploitation chain: Tor, C2, CVE-2026-35616
JDY’s operators use a layered architecture that employs Tor nodes to manage infected infrastructure and to host both command-and-control (C2) and payload servers. The C2 servers dispatch targeted reconnaissance and system-profiling tasks rather than indiscriminate scans; results are aggregated on central servers for ongoing intelligence gathering.
Attack chains observed by Black Lotus Labs weaponize newly disclosed edge-device vulnerabilities (CVE-2026-35616 is the example cited) to deliver a shell-script dropper. The dropper checks whether JDY malware is already present and, if not, fetches a primary payload matching the device’s processor architecture (the variants noted include mips, mips64, mipsel, and mipsel64, the big- and little-endian MIPS builds common in router SoCs). Once the payload launches, the installer is deleted from disk, so anyone examining a device after the fact should expect to find the running process and its network activity rather than the dropper script itself.
The scanning malware is engineered to fingerprint hosts, receive scanning tasks from C2, and perform high-volume TCP, SSL, UDP, and ICMP-assisted probing, capturing responses such as TLS certificates and service metadata. Its method adapts to the privilege level it runs with: if it can open raw sockets (on Linux, a sign it is running as root or with CAP_NET_RAW), it performs high-speed SYN scanning with custom-crafted TCP packets; otherwise it falls back to full TCP/TLS connections, or to UDP and ICMP, for web and other less-privileged scans.
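The privilege check described above, as an added illustration rather than JDY’s own code: the scanner tries to open a raw socket, which on Linux requires root or CAP_NET_RAW, and uses the answer to pick between crafted-SYN scanning and an unprivileged full-connect fallback. The fallback also shows the TLS side, recording a certificate fingerprint as harvested metadata. All targets are constructed; the demo starts its own listener on 127.0.0.1 and probes one open and one closed loopback port.

```python
"""Privilege-adaptive port probing, in the style the text attributes to JDY.

Added example, not JDY's code: the scanner checks whether it may open a raw
socket (on Linux this needs root or CAP_NET_RAW).  With raw sockets it could
craft its own SYN packets; without them it falls back to full connect()
probes, and on TLS ports it records a certificate fingerprint as metadata.
All hosts and ports here are constructed: the demo scans a listener it starts
on 127.0.0.1.
"""
import hashlib
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str                  # "open", "closed" or "filtered"
    tls_sha256: Optional[str] = None


def raw_sockets_available() -> bool:
    """Capability check a scanner uses to decide on crafted-SYN scanning."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:             # PermissionError without root / CAP_NET_RAW
        return False
    s.close()
    return True


def choose_scan_mode() -> str:
    """'syn' when raw sockets can be opened, else the unprivileged 'connect' mode."""
    return "syn" if raw_sockets_available() else "connect"


def connect_probe(host: str, port: int, timeout: float = 1.0) -> ProbeResult:
    """Unprivileged fallback: a full TCP handshake, classified like a connect scan."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, "open")
    except socket.timeout:                 # no answer at all: likely filtered
        return ProbeResult(host, port, "filtered")
    except ConnectionRefusedError:         # RST came back: port closed
        return ProbeResult(host, port, "closed")
    except OSError:
        return ProbeResult(host, port, "filtered")


def tls_probe(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Connect probe plus a TLS handshake that harvests the peer certificate.
    Verification is disabled on purpose: a scanner wants the cert, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tsock:
                der = tsock.getpeercert(binary_form=True)
    except OSError:                        # ssl.SSLError is an OSError too
        return connect_probe(host, port, timeout)
    fingerprint = hashlib.sha256(der).hexdigest() if der else None
    return ProbeResult(host, port, "open", fingerprint)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed target: a plain TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listener closed by demo()
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Probe one open and one closed loopback port; report the mode chosen."""
    srv, open_port = start_local_listener()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]     # freed below, so nothing listens here
    tmp.close()
    try:
        states = {p: connect_probe("127.0.0.1", p).state for p in (open_port, closed_port)}
    finally:
        srv.close()
    return {"mode": choose_scan_mode(), "open": states[open_port], "closed": states[closed_port]}


if __name__ == "__main__":
    print(demo())
```

On a normal unprivileged run the mode comes out as connect; run as root (or with CAP_NET_RAW) the same check flips to syn, which is exactly the branch the text says JDY takes on rooted devices.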
Targets, device diversity, and evasion techniques
JDY’s footprint expanded sharply: Black Lotus Labs documented growth from roughly 650 bots at the start of January 2024 to more than 1,500 compromised devices. Most compromised nodes are located in the U.S. and Brazil, followed by Europe and Asia. Where the cluster once consisted primarily of Cisco RV320 and RV325 routers, its present composition includes devices from Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys.
That geographic and vendor diversity is central to JDY’s operational tradecraft. “The botnet’s large number of U.S.-based SOHO/IoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists,” Black Lotus Labs wrote. By distributing scanning across many IPs and blending activity with legitimate user traffic, operators reduce the chance any single IP is labeled a scanner and blocked.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect reconnaissance activity to arrive quickly after public vulnerability disclosures and to be distributed across many consumer-grade devices, complicating IP-blocking and reputation-based detection. Monitoring for unusual outbound scanning patterns and TLS-certificate harvesting may be more useful than relying on static blocklists.
- Policymakers and regulators: The persistence and adaptation of JDY after a major takedown underlines that dismantling individual nodes or clusters does not remove the underlying capability. JDY’s evolution into a standalone reconnaissance service suggests disruption needs to address supply-chain, disclosure timing, and cross-border device compromise dynamics.
- Affected enterprises and procurement leaders: The breadth of vendors and device classes implicated — from routers to cameras and wireless gear — means procurement and asset inventories should explicitly account for SOHO/IoT endpoints as potential reconnaissance platforms that can feed targeting pipelines used by nation-state actors.
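The detection point in the technologist bullet, worked through as an added example that is not Black Lotus Labs’ tooling: the flow lines are constructed, and three detectors run over them. A per-source threshold (what an IP-reputation rule or static blocklist effectively does) misses every probing node because each one connects once; aggregating per target and counting distinct low-volume sources exposes the same activity; and an outbound fan-out check catches an internal SOHO device being used as a scanner. The prefixes and thresholds are illustrative assumptions.

```python
"""Detecting distributed, low-footprint probing in flow logs.

Added example, not Black Lotus Labs' tooling: the sample log lines are
constructed.  Three detectors run over them: a per-source threshold (what an
IP-reputation rule or blocklist effectively does), a per-target aggregation
that counts distinct low-volume sources, and an outbound fan-out check for a
compromised SOHO device inside the network.  Thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'src=... dst=... dport=...' lines; anything else is skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m["src"], m["dst"], int(m["dport"])))
    return flows


def build_sample_log() -> List[str]:
    """Constructed flows using documentation address ranges only."""
    lines = []
    # 40 distinct "residential" sources, one connection each, to the same service
    for i in range(40):
        lines.append(f"src=203.0.113.{i + 1} dst=10.0.0.5 dport=443")
    # one legitimate but chatty client on that same service
    lines += ["src=198.51.100.7 dst=10.0.0.5 dport=443"] * 30
    # an internal SOHO device fanning out to 60 distinct external services
    ports = (22, 443, 8443, 7547)
    for i in range(60):
        lines.append(f"src=192.168.1.20 dst=192.0.2.{i + 1} dport={ports[i % 4]}")
    # a normal internal host talking to one service
    lines += ["src=192.168.1.10 dst=192.0.2.1 dport=443"] * 5
    return lines


def per_source_threshold(flows: List[Flow], threshold: int = 10) -> Set[str]:
    """Blocklist-style rule: flag any source with >= threshold connections.
    Each probing node stays far below it, so none of them is caught."""
    counts = Counter(f.src for f in flows)
    return {s for s, c in counts.items() if c >= threshold}


def distributed_probing(flows: List[Flow], min_sources: int = 20,
                        max_per_source: int = 2) -> Dict[Tuple[str, int], Set[str]]:
    """Per-target view: a service touched by many distinct sources that each
    sent only a couple of connections.  Returns target -> set of such sources."""
    by_target: Dict[Tuple[str, int], Counter] = defaultdict(Counter)
    for f in flows:
        by_target[(f.dst, f.dport)][f.src] += 1
    hits = {}
    for target, srcs in by_target.items():
        quiet = {s for s, c in srcs.items() if c <= max_per_source}
        if len(quiet) >= min_sources:
            hits[target] = quiet
    return hits


def outbound_fan_out(flows: List[Flow], internal_prefix: str = "192.168.",
                     min_targets: int = 30) -> Dict[str, int]:
    """Inside-out view: an internal host reaching an unusual number of distinct
    (dst, port) pairs, the signature of a device being driven as a scanner."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.src.startswith(internal_prefix):
            targets[f.src].add((f.dst, f.dport))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("per-source rule:", per_source_threshold(flows))
    print("distributed probing:", {t: len(s) for t, s in distributed_probing(flows).items()})
    print("outbound fan-out:", outbound_fan_out(flows))
```

The per-source rule flags the chatty legitimate client and the internal scanner but none of the forty one-shot probes; the per-target aggregation flags the service they collectively hit and excludes the chatty client, which is the distinction a static blocklist cannot make. Real deployments would key the aggregation on a time window as well, and the interesting targets are the ports of whatever was just disclosed.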
Black Lotus Labs’ final assessment is pointed: “JDY demonstrates how IoT/SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation.” The firm adds that JDY’s “growth and continued operation illustrate how modern reconnaissance networks persist despite takedowns and adapt as a durable capability within a broader adversary ecosystem,” providing “timely targeting data, often within hours of vulnerability disclosure.”
That observation is the crux: JDY is less a single botnet to be switched off than a resilient reconnaissance capability that adapts to changes and supplies downstream actors with the raw material for targeting. How defenders shorten the window between disclosure and exploitation—and how quickly networks can detect distributed, low-footprint probing—will determine whether JDY’s next phase remains reconnaissance or becomes the opening salvo for more direct intrusion.
Source: The Hacker News — China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance