
China-linked JDY botnet targets US military networks with expanded reconnaissance.

[Image: US military base with networking gear and a router on a table.]

JDY has grown from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today, according to researchers at Black Lotus Labs by Lumen.

Scale and geographic focus: a reconnaissance network centered on the United States

Black Lotus Labs reports that JDY maintains a strong focus on the United States, where many of its compromised devices are located and where it heavily targets military and associated networks. The botnet's growth—more than doubling in active bots since January 2024—reflects an expanding reconnaissance capability rather than an attempt to amass raw attack bandwidth. The security firm cautions that JDY "isn't an exploitation framework or a DDoS botnet that requires large swarms to accumulate firepower," but instead functions as "a distributed scanning and fingerprinting network that helps its operators locate targets vulnerable to newly disclosed flaws."

Capabilities: what JDY's clients can do

The malware is built to discover services, gather protocol and certificate information, and search for specific flaws. Black Lotus Labs lists the botnet's scanning and collection abilities as:

  • TCP scanning (including high-speed raw SYN scanning when JDY has sufficient privileges)
  • SSL/TLS scanning and TLS certificate harvesting
  • UDP scanning and ICMP probing
  • Banner collection and service fingerprinting using downloadable rule sets

The report highlights a technical detail about the TCP scanner: when the malware can "open a raw socket, which generally requires root or administrative privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets." Those packets use a fixed source port of 19000, increment destination ports sequentially, and batch-process thousands of targets—behavior that makes JDY both fast and stealthier under privileged conditions.

Command-and-control, tooling, and observed behaviors

JDY operators control the network through hidden Tor services that serve as command-and-control (C2) infrastructure. In some cases the actors also use the open-source reverse-shell and host-management framework Platypus. Each infected client registers with a central "Dispatch Service," receives scanning assignments, executes them, compresses the results, and returns them to the C2; the client repeats this cycle until specifically ordered to stop.

Compromised devices identified by Lumen include models or components from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, and the malware targets devices built for MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures.

Targeting U.S. military networks and rapid operationalization after disclosures

Black Lotus Labs observed that JDY's reconnaissance output is quickly turned into action by China-nexus advanced persistent threat actors. "Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors," the report reads.

As a concrete example, Lumen researchers saw JDY scans probing for CVE-2026-35616 shortly after Fortinet publicly disclosed the FortiClient EMS flaw, underscoring the botnet's speed at homing in on newly publicized vulnerabilities. The report also notes that JDY's most prominent targets span a range of sectors, with the U.S. military and associated entities singled out.

What this means for security teams, CISA, and affected device vendors

  • Security teams and technologists: Defenders should ensure routers, firewalls, and IoT devices are running the latest security updates and patches, disable unnecessary internet-exposed administrative interfaces, restrict remote management access, replace default credentials, and monitor for unusual outbound scanning activity originating from edge devices—measures cited directly in the report as ways to prevent devices from being recruited into reconnaissance networks.
  • CISA and regulators: The report echoes previous warnings from CISA about the risk posed by Volt Typhoon operatives to unprotected SOHO routers and reiterates CISA's urging that network device vendors eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during design and development.
  • Affected vendors (Cisco, Ubiquiti, Fortinet, Linksys, Hikvision, DrayTek, Araknis, Mimosa Networks): Vendors whose products appear in the compromise list should prioritize patching and hardening guidance for customers, and consider design changes to reduce exploitable management interfaces—steps consistent with the report's defensive recommendations.
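The report's description of the TCP scanner (a fixed source port of 19000, sequentially incrementing destination ports, thousands of targets per batch) and its recommendation to monitor for unusual outbound scanning from edge devices suggest a simple flow-log heuristic. The following is an added example written for this article, not code from Black Lotus Labs or Bleeping Computer: it parses constructed key=value flow records (the format, hosts, and thresholds are assumptions), groups SYN-only flows by source, and flags a source that combines a dominant fixed source port, many distinct destinations, and long runs of consecutive destination ports. The generalisation beyond port 19000 is deliberate: any dominant fixed source port is scored, since an operator could change the constant.

```python
"""Flag outbound SYN sweeps from edge devices in flow/firewall logs.

Added example (not the report's code). Log format, addresses and
thresholds are constructed assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed log line shape: ... src=A sport=N dst=B dport=N proto=tcp flags=S
FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+sport=(?P<sport>\d+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+flags=(?P<flags>\S+)"
)


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str


def parse_flows(lines):
    """Parse matching lines into Flow records; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m["src"], int(m["sport"]), m["dst"],
                              int(m["dport"]), m["proto"].lower(), m["flags"]))
    return flows


def longest_sequential_run(ports):
    """Length of the longest run of consecutive integers in a port list (0 if empty)."""
    ps = sorted(set(ports))
    best = run = 1 if ps else 0
    for a, b in zip(ps, ps[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_syn_scanners(flows, min_syn=20, min_dsts=10, fixed_port_share=0.9, min_run=8):
    """Return alerts for sources whose SYN-only TCP flows look like a port/host sweep.

    A source is reported when at least two indicators fire: one source port
    dominates (the fixed-port trait the report describes), many distinct
    destinations are hit, or destination ports increment sequentially.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":  # SYN without ACK: connection attempts only
            by_src[f.src].append(f)

    alerts = []
    for src, fl in by_src.items():
        if len(fl) < min_syn:
            continue
        top_sport, top_n = Counter(f.sport for f in fl).most_common(1)[0]
        dsts = {f.dst for f in fl}
        run = longest_sequential_run([f.dport for f in fl])
        reasons = []
        if top_n / len(fl) >= fixed_port_share:
            reasons.append(f"fixed source port {top_sport} on {top_n}/{len(fl)} SYNs")
        if len(dsts) >= min_dsts:
            reasons.append(f"{len(dsts)} distinct destinations")
        if run >= min_run:
            reasons.append(f"sequential destination ports (run of {run})")
        if len(reasons) >= 2:
            alerts.append({"src": src, "syn_count": len(fl), "reasons": reasons})
    return alerts


def constructed_sample_log():
    """Constructed flow records: one sweeping edge device and one benign workstation."""
    lines = []
    # Constructed: an edge device at 192.0.2.10 sweeping 15 hosts, ports 1-30, from source port 19000
    for host in range(1, 16):
        for dport in range(1, 31):
            lines.append(f"2024-06-01T12:00:{host:02d}Z src=192.0.2.10 sport=19000 "
                         f"dst=203.0.113.{host} dport={dport} proto=tcp flags=S")
    # Constructed: a workstation using ephemeral source ports to two HTTPS servers
    for i in range(25):
        lines.append(f"2024-06-01T12:01:{i:02d}Z src=192.0.2.20 sport={49152 + i} "
                     f"dst=198.51.100.{1 + i % 2} dport=443 proto=tcp flags=S")
    return lines


if __name__ == "__main__":
    for alert in detect_syn_scanners(parse_flows(constructed_sample_log())):
        print(alert["src"], alert["syn_count"], "; ".join(alert["reasons"]))
```

Tune `min_syn`, `min_dsts` and `min_run` against a baseline of the device's normal outbound traffic; a router or camera that legitimately initiates many outbound connections will still use varying ephemeral source ports, which is why the fixed-port indicator carries most of the signal here.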

The JDY botnet illustrates a shift in tradecraft: smaller numbers of compromised edge devices used not to flood targets with traffic but to harvest high-fidelity reconnaissance for rapid exploitation. Black Lotus Labs' findings tie that reconnaissance directly to post-disclosure activity and to targeting that places U.S. military networks "as the most prominent." Organizations dependent on SOHO and IoT edge equipment now face a clear choice outlined in the report—patch, reduce exposure, and monitor outbound scanning—or risk having their devices turned into sensors for advanced persistent threats.

Source: Bleeping Computer / Black Lotus Labs (Lumen)